Author Topic: VESetupDll.dll founded as a threat  (Read 12678 times)

Offline klos

  • Newbie
  • Posts: 3
VESetupDll.dll founded as a threat
« on: March 27, 2010, 11:55:16 AM »
I made a scan with Hitman Pro 3.5.4 and the result came as follows: VESetupDll.dll
Users\Administrator\AppData\Local\Temp\VESetupDll.dll  Suspicious
There are indications that this file is a threat. However, it can also be benign.
This file is invisible. It is probably protected by cloaking technology (rootkit).
I found on Google that this file is probably from Comodo Verification Engine, but I am not sure, and why is it invisible? Can anyone sort this out to make sure whether this file is harmless or a rootkit?
Thank you.
« Last Edit: March 28, 2010, 06:23:07 PM by klos »

Offline SiberLynx

  • Comodo's Hero
  • Posts: 2194
Re: VESetupDll.dll founded as a threat
« Reply #1 on: March 28, 2010, 12:15:14 AM »
Hi klos, welcome to the forum

1st, please submit the file for analysis to the vendor that flagged the item (Hitman Pro in this case).
Only that will give you a precise answer.

Basically, the procedure is common for most AVs - create a passworded archive (ZIP or RAR) and attach the file to the e-mail that you are going to send to the vendor.
Or the vendor may have an automatic file submission feature.

In addition you can send the file to Comodo … just in case,
… but keep in mind - since Comodo did not flag it – Comodo is not the one to be blamed
Whether that's real or False Positive detection - that was a detection by Hitman

Anyway....
... submitting to Comodo is described in this thread

In addition, state the OS, Service Pack; the platform (32 or 64) you are using;
the version of CIS... currently installed (and the DB version if you are using Comodo's AV). All those things matter a lot when you are investigating.

Then, we should not rely on the file names, but the said file (VESetupDll.dll) was present in the past (stressing) as a part of the VE installation. As far as I remember, that was a very long time ago when VE was at its version 2.0.0.7...

I'm sure the developers will check the file submitted … but
either that is a different file indeed, or you did not clean your computer like for ages or ever ??? (file was found in temporary location)

Now VE's version is 2.0.0.37. There is no such file here.

If you cannot see the file - that does not mean that it is “probably protected by cloaking technology (rootkit)” at all, as you said.

The file may have hidden / system attribute(s) / it can be locked … all that can be triggered (changed manually) and you will be able to see/access it, … but the main point is:

since Hitman can see it – just submit at this stage and you will be advised further by their developers

My regards.
« Last Edit: March 28, 2010, 10:09:25 PM by SiberLynx »
Main OS - Ubuntu
XP Pro, SP3 (32bit), Admin; Comodo Firewall 3.14.130099.587; Proactive with Defense+; Emsisoft Anti-Malware v9; Sandboxie
Win 7 x64, Admin (UAC off); Win7 advanced FW +TinyWall; Emsisoft Anti-Malware v9; Sandboxie
Win 7 Ultimate 32bit (UAC off); Emsisoft Internet Security v9 beta

Offline klos

  • Newbie
  • Posts: 3
Re: VESetupDll.dll founded as a threat
« Reply #2 on: March 28, 2010, 05:58:59 AM »
Hi
Thanks for the advice, but there is a little problem: I can't submit this file as Comodo CIS does not see it. I don't know how to make it visible. I did not remove this file because I thought that it is a Comodo file and it is a false positive, but you are telling me that there is no such file in CVE. I installed CVE 2 weeks ago and my computer is scanned regularly. I have Vista Home Premium 32 bit, Service Pack 2; every program is patched to its newest version, CIS4 and Avira instead of Comodo antivirus. My computer works fine, there is no visible activity of any infection; only Hitman sees this suspicious file, and it is cloaked, as Hitman said, because Windows can't see it.
This computer has never been infected and this file had to come recently. Is there any way to make it visible and submit it for analysis? My Hitman does not have an option to submit the file, maybe because it is the free version.
Thank you
« Last Edit: March 28, 2010, 06:36:31 AM by klos »

Offline SiberLynx

  • Comodo's Hero
  • Posts: 2194
Re: VESetupDll.dll founded as a threat
« Reply #3 on: March 29, 2010, 01:36:25 AM »
Thanks for reply, klos.

As I pointed out, there is currently no such file either on XP or on Win 7 x64, where the latest version of the Vengine is installed.

The reference to VESetupDll.dll can be found e.g. here, and that's the only idea that came to my mind when the file was mentioned.

Other than that, as I said, either the developers will confirm that the file may be present, or it is a leftover from very old installations, or that is an absolutely different file that has nothing to do with Comodo's Vengine.

Another thing to consider - if supposedly the file belongs to “some Setup” - please get used to it – Setups, Uninstallers and their components are very often False Positively flagged by many different Security Packages. There are reasons for that and that most likely will not change,... so never rush to delete files like that, because as a minimum you may have problems with Setups/Repairing/Uninstalling absolutely legit Software. Investigate … That's actually what you are doing, which is correct.

Getting back to detections and your terminology: “comodo CIS does not see it”
Why should it? We are talking about the result of the scan (stressing) by a different security product – Hitman – “It can see it... therefore it flagged it”... Comodo should not “see it” during the scan.

Please tell what part of Hitman alerted you? Was it just a scan, or was its behavioral component notifying about some process/activity?
That is different and would be important to know.


Then,  you have difficulties with submitting to Hitman. That is the question to their forum basically...

... but can you see it ?

What happens when you open ...Users\Administrator\AppData\Local\Temp\  folder?

If you cannot see the file,  do you know how to set “hidden” / “system” files so they are exposed?

Please try the following:

Explorer > Tools > Folder Options... > View Tab

- Hidden files and folders > set “Show” radio-button;
- Uncheck “Hide protected operating system files” (remember to set the latter back despite that is not a security risk at all leaving it un-ticked)

Please tell if you can see the file now, and if you can, then copy it, create a passworded compressed file & submit it as recommended.

Cheers!

P.S. In addition, when and if you are able to access the file, you may use the thread created by Chiron here as well as a part of the investigation ... but the main "player" who can and should give an answer is still Hitman.
« Last Edit: March 29, 2010, 01:44:58 AM by SiberLynx »

Offline jay2007tech

  • Malware Research Group
  • Global Moderator
  • Comodo's Hero
  • Posts: 2309
Re: VESetupDll.dll founded as a threat
« Reply #4 on: April 19, 2010, 11:18:38 AM »
Whatever anti-virus flagged it, it can be reported as a false positive.
The list of AV companies' e-mails can be found here (to report it):

https://forums.comodo.com/virusmalware-removal-assistance/links-to-report-malware-to-all-major-avs-t51387.0.html

You said you couldn't find the invisible file.
Do this, depending on the Windows version you have (look under "XP or Vista"):
Quote
Windows XP and Windows 2003

To enable the viewing of Hidden files follow these steps:

   1. Close all programs so that you are at your desktop.
   2. Double-click on the My Computer icon.
   3. Select the Tools menu and click Folder Options.
   4. After the new window appears select the View tab.
   5. Put a checkmark in the checkbox labeled Display the contents of system folders.
   6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
   7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
   8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
   9. Press the Apply button and then the OK button and shutdown My Computer.
  10. Now your computer is configured to show all hidden files.

Windows Vista

To enable the viewing of Hidden files follow these steps:

   1. Close all programs so that you are at your desktop.
   2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
   3. Click on the Control Panel menu option.
   4. When the control panel opens you can either be in Classic View or Control Panel Home view:

      If you are in the Classic View do the following:
         1. Double-click on the Folder Options icon.
         2. Click on the View tab.
         3. Go to step 5.

      If you are in the Control Panel Home view do the following:
         1. Click on the Appearance and Personalization link .
         2. Click on Show Hidden Files or Folders.
         3. Go to step 5.

   5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
   6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
   7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
   8. Press the Apply button and then the OK button and shutdown My Computer.
   9. Now Windows Vista is configured to show all hidden files.

Hope this helps ;)
It's hard being a crooked Admin when the files won't pass an md5checksum test.  But like any other good crooked Admin it can be done, it just takes time(and lots of it) and a few aspirins
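As an added example (not from the thread or from any of the posters), here is a Python script that does by program what SiberLynx's Folder Options steps and the quoted XP/Vista procedure above do by hand: it enumerates a folder regardless of the hidden/system attributes, reports which entries Explorer's defaults would hide and why, and hashes each file for the vendor submission. The function names `explorer_shows`, `describe`, `sha256_of` and `audit_dir` are my own.

```python
import hashlib
import os
import stat

# Windows attribute bits; the stat module defines these on every platform.
HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN  # 0x02
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM  # 0x04

def explorer_shows(attrs, show_hidden=False, show_protected_os=False):
    """Model the two Folder Options switches from the thread: 'Hide protected
    operating system files' covers entries with BOTH hidden and system bits;
    a merely hidden entry only needs 'Show hidden files and folders'."""
    is_hidden = bool(attrs & HIDDEN)
    if is_hidden and attrs & SYSTEM:
        return bool(show_hidden and show_protected_os)
    if is_hidden:
        return bool(show_hidden)
    return True

def describe(attrs):
    """Short attribute summary such as 'hidden+system' or 'normal'."""
    names = [n for bit, n in ((HIDDEN, "hidden"), (SYSTEM, "system")) if attrs & bit]
    return "+".join(names) or "normal"

def sha256_of(path):
    """Hash the file so the vendor submission refers to exactly these bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_dir(path):
    """List every file the directory enumeration returns (os.scandir does not
    filter on attributes, unlike Explorer's defaults) with attribute summary,
    default Explorer visibility and SHA-256. st_file_attributes exists only on
    Windows; elsewhere the attribute fields read 'n/a'. A file a scanner
    reports but this listing never returns is not an attribute issue."""
    rows = []
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        attrs = getattr(entry.stat(), "st_file_attributes", None)
        rows.append({
            "name": entry.name,
            "attributes": describe(attrs) if attrs is not None else "n/a",
            "visible_by_default": explorer_shows(attrs) if attrs is not None else True,
            "sha256": sha256_of(entry.path),
        })
    return rows
```

Run it as `python audit.py %LOCALAPPDATA%\Temp` on the affected machine; an entry marked hidden+system with `visible_by_default: False` is exactly what the two Folder Options switches expose, with no rootkit needed to explain it.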
