Solved Possible Network Intrusion.

[Trident]

I’ve used K VPN earlier and I also used K VPN and the file wasn’t ran when I was using it, only delayed and after.

It just was ran one day multiple times from a different system temp folder each time and I wasn’t interacting with a VPN at that time.

It was also setupapihost.dll, not setupapi.dll

Did you try uploading to VirusTotal?
Please provide us with a link to the VT report so we can see what’s going on. Otherwise we are unable to judge just by the filename. Once you’ve uploaded the file, if needed, we will ask @struppigel who can solve the most difficult malware questions. He’s the malware analysis master when we can’t reach a verdict.

 

[Xeno1234]

Did you try uploading to VirusTotal?
Please provide us with a link to the VT report so we can see what’s going on. Otherwise we are unable to judge just by the filename. Once you’ve uploaded the file, if needed, we will ask @struppigel who can solve the most difficult malware questions. He’s the malware analysis master when we can’t reach a verdict.

I can’t obtain the file. When I open the file directory it was ran from it just takes me to desktop folder, not system temp.

 

[Victor M]

Remember that even benign files can be used for malicious purposes. You know of LoL bins. So a negative answer from VirusTotal may not mean much. And it was Kaspersky that flagged the file; that weighs heavily against it. People may think it is a false positive, but consider also where it is located. I couldn't even find that file in my Win 11 Pro.

 

[Trident]

I can’t obtain the file. When I open the file directory it was ran from it just takes me to desktop folder, not system temp.

Malware infection is not to be excluded as you are mentioning random directory names and you are unable to obtain the file, to confirm it is safe.
Initiate procedures suitable for dealing with malware infection. Run a few second opinion scanners or maybe start a thread in the malware removal section to get better assistance.

I see that setupapihost.dll has been associated with malware infections (RATs) before. Without the file and more information, we can only do so much.

 

[Xeno1234]

Remember that even benign files can be used for malicious purposes. You know of LoL bins. So a negative answer from VirusTotal may not mean much. And it was Kaspersky that flagged the file; that weighs heavily against it. People may think it is a false positive, but consider also where it is located. I couldn't even find that file in my Win 11 Pro.

Never flagged the file. I just saw it in the intrusion prevention reports.

Malware infection is not to be excluded as you are mentioning random directory names and you are unable to obtain the file, to confirm it is safe.
Initiate procedures suitable for dealing with malware infection. Run a few second opinion scanners or maybe start a thread in the malware removal section to get better assistance.

I see that setupapihost.dll has been associated with malware infections (RATs) before. Without the file and more information, we can only do so much.

Where do you see it being associated with RAT’s?

I suspect malware infection as display file extensions was also turned off later in the day. I bought a USB but I don’t know what device to download windows from since there isn’t one that I’m 100% sure is clean. I’ll get a iso done though and reset from a image to be safe.

 

[Azazel]

Never flagged the file. I just saw it in the intrusion prevention reports.

Do intrusion reports give more detail about its activity?

 

[Xeno1234]

Do intrusion reports give more detail about its activity?

No, only that the file is ran and from where.

 

[Practical Response]

setupapihost.dll is part of the configuration from set up of wire guard.

As I stated already setupapi.dll is responsible for managing device installation and configuration processes.

 

[Victor M]

I consider an IPS report a flag. K might not have positively identified the file as malicious, but K covers all angles, and IPS is one of it's arsenal.

What you should do this time around. Download WHH, all other security tools that don't use online-setup-installs and a disk image program. Copy them off to a USB stick. Then re-install Windows and apply all the security tools and configurations. Then make a disk image while still offline. Save that image offline somewhere. This is so that you will have a safe, still offline, guaranteed un-breached image; ready to deploy. It will save you countless hours of work. And you don't have to re-consider how much work you have to go through when deciding whether to re-install Windows.

 

[Xeno1234]

I consider an IPS report a flag. K might not have positively identified the file as malicious, but K covers all angles, and IPS is one of it's arsenal.

What you should do this time around. Download WHH, all other security tools that don't use online-setup-installs and a disk image program. Copy them off to a USB stick. Then re-install Windows and apply all the security tools and configurations. Then make a disk image while still offline. Save that image offline somewhere. This is so that you will have a safe, still offline, guaranteed un-breached image; ready to deploy. It will save you countless hours of work. And you don't have to re-consider how much work you have to go through when deciding whether to re-install Windows.

Kaspersky Intrusion Prevention reports are not flags, they are logs. Intrusion Prevention logs all files running on the system, nothing more than that unless you have additional rules or the file is malicious which in that case startup is blocked.

I’m going to iso reset windows when I get my PC back as the GPU is damaged in it unfortunately. I sent it in asking for a replacement GPU so I don’t have it back for another week and a half.

setupapihost.dll is part of the configuration from set up of wire guard.

As I stated already setupapi.dll is responsible for managing device installation and configuration processes.

I remember asking about this a while ago on other forums and I remember saying it was related to wireshark. Is there anything named this related to wireshark? I could be mixing up names.

 

[Trident]

Where do you see it being associated with RAT’s?

Setupapihost.pdb is mentioned there in the context if Agent Tesla. It could’ve been a cracked installer.
But you are unable to obtain the file and confirm its safety so I would suggest you take steps to check your system.

https://www.joesandbox.com/analysis/1319033/0/html

 

[Xeno1234]

Setupapihost.pdb is mentioned there in the context if Agent Tesla. It could’ve been a cracked installer.
But you are unable to obtain the file and confirm its safety so I would suggest you take steps to check your system.

https://www.joesandbox.com/analysis/1319033/0/html

Plan on system resetting it very soon.
Setupapihost.dll isn’t the same thing as .pdb though right? Or am I missing something.

Also no cracked installer on my end. I never installed wireguard, I just saw setupapihost.dll appear on my system.

 

[Practical Response]

I remember asking about this a while ago on other forums and I remember saying it was related to wireshark. Is there anything named this related to wireshark? I could be mixing up names.

The official wire guard client for windows installs a wintun driver, setupapihost.dll is part of the configuration from building it.

 

[Victor M]

So you found a suspicious file in a log. And that folder has since disappeared. Do I read you correctly this time?

Logs are all we can rely upon when tracing a breach. Tracks do disappear, but logs remain as evidence that something happened.

 

[Xeno1234]

The official wire guard client for windows installs a wintun driver, setupapihost.dll is part of the configuration from building it.

What I thought it was.

So you found a suspicious file in a log. And that folder has since disappeared. Do I read you correctly this time?

Logs are all we can rely upon when tracing a breach. Tracks do disappear, but logs remain as evidence that something happened.

Yes, you got it .

It was ran from a system temp folder, like temp/{a bunch of random numbers}, with the numbers changing each time and it being ran many times.

 

[Victor M]

I think I may have said it to you before. Build the 'golden' image. Then you won't have to deliberate on whether to re-install Windows. Work smarter.

 

[Practical Response]

Yes, you got it .

It was ran from a system temp folder, like temp/{a bunch of random numbers}, with the numbers changing each time and it being ran many times.

Programs can create temp files while running and delete them upon exit.

 

[The_King]

If you are running a paid version of Kaspersky then you can contact them for support has that is part of the paid service i believe.

Kaspersky Knowledge Base

Get technical support for Kaspersky applications for home & business. Find instructions, video manuals and tools to solve top issues.

support.kaspersky.com

This site also offers support for free malware removal. Read the sticky threads before posting.

Windows Malware Removal Help & Support

Get help removing adware, malware, spyware, ransomware, trojans, and viruses from Windows PCs. Follow the instructions in the pinned topics first. For security purposes, only authorized members may respond to requests for assistance.

malwaretips.com

 

[harlan4096]

Kaspersky Intrusion Prevention reports are not flags, they are logs. Intrusion Prevention logs all files running on the system, nothing more than that unless you have additional rules or the file is malicious which in that case startup is blocked.

You can enable this setting in Your Kaspersky Notifications settings:

 

[Brahman]

You can enable this setting in Your Kaspersky Notifications settings:

View attachment 282447

After the 21.16 update notification for "application placed in restricted group" was switched off for me. I was wondering why and could not find the setting to turn it on till now. Thank you.