VESetupDll.dll found as a threat

I made a scan with Hitman Pro 3.5.4 and the result came as follows: VESetupDll.dll
Users\Administrator\AppData\Local\Temp\VESetupDll.dll Suspicious
There are indications that this file is a threat. However it can also be benign.
This file is invisible. It is probably protected by cloaking technology (rootkit).
I found on Google that this file is probably from Comodo Verification Engine, but I am not sure, and why is it invisible? Can anyone sort this out to make sure whether this file is harmless or a rootkit?
Thank you.

Hi klos, welcome to the forum

First, please submit the file for analysis to the vendor that flagged the item (Hitman Pro in this case).
Only that will give you a precise answer.

Basically, the procedure is common for most AVs - create a passworded archive (ZIP or RAR) and attach the file to the e-mail that you are going to send to the vendor.
Or the vendor may have an automatic file submission feature.

In addition you can send the file to Comodo … just in case,
… but keep in mind - since Comodo did not flag it – Comodo is not the one to be blamed
Whether that’s real or False Positive detection - that was a detection by Hitman

Anyway…
… submitting to Comodo is described in this thread

In addition, state the OS, Service Pack; the platform (32 or 64) you are using;
the version of CIS… currently installed (and the DB version if you are using Comodo’s AV). All those things matter a lot when you are investigating.

Then, we should not rely on the file names, but the said file (VESetupDll.dll) was present in the past (stressing) as a part of VE installation. As far as I remember that was a very long time ago, when VE was at its version 2.0.0.7…

I’m sure the developers will check the file submitted … but
either that is a different file indeed, or you did not clean your computer like for ages or ever ??? (file was found in temporary location)

Now VE’s version is 2.0.0.37. There is no such file here.

If you cannot see the file, that does not mean that “It is probably protected by cloaking technology (rootkit)” at all, as you said.

The file may have hidden / system attribute(s) / it can be locked … all that can be triggered (changed manually) and you will be able to see/access it, … but the main point is:

since Hitman can see it – just submit at this stage and you will be advised further by their developers

My regards.

Hi
Thanks for the advice, but there is a little problem: I can't submit this file as Comodo CIS does not see it. I don't know how to make it visible. I did not remove this file because I thought that it is a Comodo file and a false positive, but you are telling me that there is no such file in CVE. I installed CVE 2 weeks ago and my computer is scanned regularly. I have Vista Home Premium 32-bit, Service Pack 2; every program is patched to its newest version, with CIS4 and Avira instead of Comodo antivirus. My computer works fine and there is no visible activity of any infection; only Hitman sees this suspicious file, and it is cloaked, as Hitman said, because Windows can't see it.
This computer has never been infected and this file must have come recently. Is there any way to make it visible and submit it for analysis? My Hitman does not have an option to submit a file, maybe because it is the free version.
Thank you

Thanks for reply, klos.

As I pointed out, there is currently no such file either on XP or on Win 7 x64, where the latest version of the Vengine is installed.

The reference to VESetupDll.dll can be found e.g. here, and that’s the only idea that came to my mind when the file was mentioned.

Other than that, as I said either the developers will confirm that the file may be present or it is leftovers from very old installations or that is absolutely different file that has nothing to do with Comodo’s Vengine.

Another thing to consider - if supposedly the file belongs to “some Setup” - please get used to it – the Setups, Uninstallers and their components are very often False Positively flagged by many different Security Packages. There are reasons for that and that most likely will not change… so never rush to delete files like that, because at a minimum you may have problems with Setups/Repairing/Uninstalling absolutely legit Software. Investigate… That’s actually what you are doing, which is correct.

Getting back to detections and your terminology: “Comodo CIS does not see it”
Why should it? We are talking about the result of the scan (stressing) by different security – Hitman – “It can see it… therefore it flagged it”… Comodo - should not “see it” during the scan.

Please tell what part of Hitman alerted you. Was it just a scan, or was its behavioral component notifying you about some process/activity?
That is different and would be important to know.

Then, you have difficulties with submitting to Hitman. That is the question to their forum basically…

… but can you see it ?

What happens when you open …Users\Administrator\AppData\Local\Temp\ folder?

If you cannot see the file, do you know how to set “hidden” / “system” files so they are exposed?

Please try the following:

Explorer > Tools > Folder Options… > View Tab

  • Hidden files and folders > set “Show” radio-button;
  • Uncheck “Hide protected operating system files” (remember to set the latter back despite that is not a security risk at all leaving it un-ticked)

Please tell if you can see the file now, and if you can, then copy it, create a passworded compressed file and submit it as recommended.

Cheers!

P.S. in addition when and if you are able to access the file you may use the thread created by Chiron here as well as a part of the investigation … but the main “player” who can and should give an answer is still the Hitman.

Whatever anti-virus flagged it, it can be reported as a false positive.
The list of AV companies' e-mails can be found here (to report it):

https://forums.comodo.com/virusmalware-removal-assistance/links-to-report-malware-to-all-major-avs-t51387.0.html

You said you couldn’t find the invisible file.
Do this, depending on the Windows version you have (look under “XP” or “Vista”):

Windows XP and Windows 2003

To enable the viewing of Hidden files follow these steps:

  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon.
  3. Select the Tools menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button and shutdown My Computer.
  10. Now your computer is configured to show all hidden files.

Windows Vista

To enable the viewing of Hidden files follow these steps:

  1. Close all programs so that you are at your desktop.

  2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

  3. Click on the Control Panel menu option.

  4. When the control panel opens you can either be in Classic View or Control Panel Home view:

    If you are in the Classic View do the following:

    1. Double-click on the Folder Options icon.
    2. Click on the View tab.
    3. Go to step 5.

    If you are in the Control Panel Home view do the following:

    1. Click on the Appearance and Personalization link .
    2. Click on Show Hidden Files or Folders.
    3. Go to step 5.
  5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

  6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.

  7. Remove the checkmark from the checkbox labeled Hide protected operating system files.

  8. Press the Apply button and then the OK button and shutdown My Computer.

  9. Now Windows Vista is configured to show all hidden files.

Hope this helps :wink:
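
An added example, not part of any post in this thread: a PowerShell check that looks for the flagged file whether or not it carries the Hidden or System attribute, and collects the details worth quoting in a vendor submission. It assumes PowerShell 4.0 or later and that the file sits in the current user's Temp folder (the scan report gives the path without a drive letter).

```powershell
# Added example (not from the thread). The default path is an assumption:
# the scan report quoted above gives the path without a drive letter.
param(
    [string]$Path = (Join-Path $env:TEMP 'VESetupDll.dll')
)

# -Force returns items that carry the Hidden or System attribute, which
# Explorer's default view and a plain Get-ChildItem both leave out.
$item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Output "Not found: $Path"
    Write-Output 'Compare the path with the scan report; reading another profile needs an elevated prompt.'
    return
}

# Which of the two attributes that hide a file from Explorer are set?
$hiding = @()
if ($item.Attributes -band [System.IO.FileAttributes]::Hidden) { $hiding += 'Hidden' }
if ($item.Attributes -band [System.IO.FileAttributes]::System) { $hiding += 'System' }

# Authenticode signature: the file name proves nothing about the publisher,
# a valid signature and its signer do.
$sig = Get-AuthenticodeSignature -FilePath $item.FullName
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

# SHA-256 identifies this exact file when talking to either vendor.
$sha256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash

[pscustomobject]@{
    Path            = $item.FullName
    Attributes      = $item.Attributes
    HidingFlags     = if ($hiding) { $hiding -join ', ' } else { '(none)' }
    Created         = $item.CreationTime
    Modified        = $item.LastWriteTime
    Company         = $item.VersionInfo.CompanyName
    Product         = $item.VersionInfo.ProductName
    FileVersion     = $item.VersionInfo.FileVersion
    SignatureStatus = $sig.Status
    Signer          = $signer
    SHA256          = $sha256
} | Format-List
```

The script only reads the file. The creation date and file version it prints help tell leftovers of an old installation from a recently written file.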