Solved Possible Network Intrusion.

Status
Not open for further replies.

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,763
I’ve used K VPN earlier and I also used K VPN and the file wasn’t run when I was using it, only delayed and after.

It was just run one day multiple times from a different system temp folder each time and I wasn’t interacting with a VPN at that time.

It was also setupapihost.dll, not setupapi.dll
Did you try uploading to VirusTotal?
Please provide us with a link to the VT report so we can see what’s going on. Otherwise we are unable to judge just by the filename. Once you’ve uploaded the file, if needed, we will ask @struppigel who can solve the most difficult malware questions. He’s the malware analysis master when we can’t reach a verdict.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Did you try uploading to VirusTotal?
Please provide us with a link to the VT report so we can see what’s going on. Otherwise we are unable to judge just by the filename. Once you’ve uploaded the file, if needed, we will ask @struppigel who can solve the most difficult malware questions. He’s the malware analysis master when we can’t reach a verdict.
I can’t obtain the file. When I open the file directory it was run from, it just takes me to the desktop folder, not system temp.
 

Victor M

Level 9
Verified
Well-known
Oct 3, 2022
424
Remember that even benign files can be used for malicious purposes. You know of LoL bins. So a negative answer from VirusTotal may not mean much. And it was Kaspersky that flagged the file; that weighs heavily against it. People may think it is a false positive, but consider also where it is located. I couldn't even find that file in my Win 11 Pro.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,763
I can’t obtain the file. When I open the file directory it was run from, it just takes me to the desktop folder, not system temp.
Malware infection is not to be excluded as you are mentioning random directory names and you are unable to obtain the file, to confirm it is safe.
Initiate procedures suitable for dealing with malware infection. Run a few second opinion scanners or maybe start a thread in the malware removal section to get better assistance.

I see that setupapihost.dll has been associated with malware infections (RATs) before. Without the file and more information, we can only do so much.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Remember that even benign files can be used for malicious purposes. You know of LoL bins. So a negative answer from VirusTotal may not mean much. And it was Kaspersky that flagged the file; that weighs heavily against it. People may think it is a false positive, but consider also where it is located. I couldn't even find that file in my Win 11 Pro.
Never flagged the file. I just saw it in the intrusion prevention reports.

Malware infection is not to be excluded as you are mentioning random directory names and you are unable to obtain the file, to confirm it is safe.
Initiate procedures suitable for dealing with malware infection. Run a few second opinion scanners or maybe start a thread in the malware removal section to get better assistance.

I see that setupapihost.dll has been associated with malware infections (RATs) before. Without the file and more information, we can only do so much.
Where do you see it being associated with RATs?

I suspect malware infection as display file extensions was also turned off later in the day. I bought a USB but I don’t know what device to download Windows from since there isn’t one that I’m 100% sure is clean. I’ll get an ISO done though and reset from an image to be safe.
 

Victor M

Level 9
Verified
Well-known
Oct 3, 2022
424
I consider an IPS report a flag. K might not have positively identified the file as malicious, but K covers all angles, and IPS is one of its arsenal.

What you should do this time around. Download WHH, all other security tools that don't use online-setup-installs and a disk image program. Copy them off to a USB stick. Then re-install Windows and apply all the security tools and configurations. Then make a disk image while still offline. Save that image offline somewhere. This is so that you will have a safe, still offline, guaranteed un-breached image; ready to deploy. It will save you countless hours of work. And you don't have to re-consider how much work you have to go through when deciding whether to re-install Windows.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
I consider an IPS report a flag. K might not have positively identified the file as malicious, but K covers all angles, and IPS is one of its arsenal.

What you should do this time around. Download WHH, all other security tools that don't use online-setup-installs and a disk image program. Copy them off to a USB stick. Then re-install Windows and apply all the security tools and configurations. Then make a disk image while still offline. Save that image offline somewhere. This is so that you will have a safe, still offline, guaranteed un-breached image; ready to deploy. It will save you countless hours of work. And you don't have to re-consider how much work you have to go through when deciding whether to re-install Windows.
Kaspersky Intrusion Prevention reports are not flags, they are logs. Intrusion Prevention logs all files running on the system, nothing more than that unless you have additional rules or the file is malicious, in which case startup is blocked.

I’m going to ISO reset Windows when I get my PC back as the GPU is damaged in it unfortunately. I sent it in asking for a replacement GPU so I don’t have it back for another week and a half.

setupapihost.dll is part of the configuration from set up of WireGuard.

As I stated already setupapi.dll is responsible for managing device installation and configuration processes.
I remember asking about this a while ago on other forums and I remember saying it was related to Wireshark. Is there anything named this related to Wireshark? I could be mixing up names.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Setupapihost.pdb is mentioned there in the context of Agent Tesla. It could’ve been a cracked installer.
But you are unable to obtain the file and confirm its safety so I would suggest you take steps to check your system.
Plan on system resetting it very soon.
Setupapihost.dll isn’t the same thing as .pdb though, right? Or am I missing something.

Also no cracked installer on my end. I never installed WireGuard, I just saw setupapihost.dll appear on my system.
 

Victor M

Level 9
Verified
Well-known
Oct 3, 2022
424
So you found a suspicious file in a log. And that folder has since disappeared. Do I read you correctly this time?

Logs are all we can rely upon when tracing a breach. Tracks do disappear, but logs remain as evidence that something happened.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
The official WireGuard client for Windows installs a Wintun driver; setupapihost.dll is part of the configuration from building it.
What I thought it was.

So you found a suspicious file in a log. And that folder has since disappeared. Do I read you correctly this time?

Logs are all we can rely upon when tracing a breach. Tracks do disappear, but logs remain as evidence that something happened.
Yes, you got it 👍.

It was run from a system temp folder, like temp/{a bunch of random numbers}, with the numbers changing each time and it being run many times.
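
The pattern described in this post (the same file name started repeatedly from differently named random folders under a temp directory) can be pulled out of an execution log mechanically. The following is an added example, not part of the thread and not any product's own tooling; the tab-separated row layout, the sample rows, and the function names are assumptions constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample rows (time, action, path). The layout is an assumption
# for illustration, not the real export format of any product's report.
ROWS = [
    ("2024-03-20 10:01:12", "started", r"C:\Windows\Temp\{48213377}\setupapihost.dll"),
    ("2024-03-20 10:04:40", "started", r"C:\Windows\Temp\{70914520}\setupapihost.dll"),
    ("2024-03-20 10:09:03", "started", r"C:\Windows\Temp\{15530982}\setupapihost.dll"),
    ("2024-03-20 10:09:05", "started", r"C:\Windows\Temp\{48213377}\setupapihost.dll"),
    ("2024-03-20 10:10:00", "started", r"C:\Windows\System32\setupapi.dll"),
    ("2024-03-20 10:11:30", "started", r"C:\Users\user\AppData\Local\Temp\Installer\setup.exe"),
    ("2024-03-20 10:12:00", "started", r"C:\Users\user\AppData\Local\Temp\7f3a91c2\helper.exe"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)

# First folder below a system or per-user temp directory.
TEMP_ROOT = re.compile(r"\\(?:windows|appdata\\local)\\temp\\([^\\]+)\\", re.I)
# "Random-looking": 6+ hex digits/dashes, at least one digit, optional braces.
RANDOM_DIR = re.compile(r"^\{?(?=[^}]*\d)[0-9a-f-]{6,}\}?$", re.I)


def random_temp_dir(path):
    """Return the randomized temp subfolder a path lives in, else None."""
    m = TEMP_ROOT.search(ntpath.normpath(path))
    if m and RANDOM_DIR.match(m.group(1)):
        return m.group(1)
    return None


def find_temp_hoppers(log_text, min_dirs=3):
    """Map file name -> sorted random temp folders it was started from,
    keeping only names seen in at least min_dirs different folders."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed rows
        folder = random_temp_dir(parts[2])
        if folder:
            seen[ntpath.basename(parts[2]).lower()].add(folder.lower())
    return {n: sorted(d) for n, d in seen.items() if len(d) >= min_dirs}


if __name__ == "__main__":
    for name, dirs in find_temp_hoppers(SAMPLE_LOG).items():
        print(f"{name}: started from {len(dirs)} random temp folders: {dirs}")
```

A hit is a triage lead rather than a verdict, since the folder pattern alone does not say what unpacked the file; it tells you which log rows to preserve before the folders disappear.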
 

Victor M

Level 9
Verified
Well-known
Oct 3, 2022
424
I think I may have said it to you before. Build the 'golden' image. Then you won't have to deliberate on whether to re-install Windows. Work smarter.
 

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
543
If you are running a paid version of Kaspersky then you can contact them for support, as that is part of the paid service, I believe.

This site also offers support for free malware removal. Read the sticky threads before posting.


 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,692
Kaspersky Intrusion Prevention reports are not flags, they are logs. Intrusion Prevention logs all files running on the system, nothing more than that unless you have additional rules or the file is malicious, in which case startup is blocked.

You can enable this setting in Your Kaspersky Notifications settings:

1711522507468.png
 