Can't remove suspected virus/malware

Hello, I’m having a hard time removing a certain file. I’ve tried simply removing it, I’ve tried making the folder read-only but it just creates a new one, I’ve tried deleting all registry keys but they just re-appear as well. CIS doesn’t detect it, rather Defense+ asks me if I allow it to do this and that.

I downloaded a program (a torrent, yes I’m guilty) upon installing I noticed this file called stdrt.exe that wanted to have access of my keyboard etc so I allowed it and allowed everything since I thought it was a part of the software I was installing, however after a few boots with the program in question turned off from auto-start, Defense+ kept telling me that stdrt.exe is trying to create the file C:\Windows\SysWow64\x86detect.bat and then the firewall also asks if I allow it to go out on the internet. I began choosing to block it but upon re-boot it has just created a new file so I’ll have to block those too.

Now what’s so interesting is that it’s located in C:\Windows\Temp\mrtXXXX.tmp\ (XXXX = random numbers/letters) and in those there are also a handful of .ift and .mfx files. I tried just simply executing the stdrt.exe and Defense+ tells me it requests unlimited access to my computer.

I was going to install CCE but then I noticed that it didn’t work on Windows 8 Consumer Preview… Wat do? ;_;

EDIT: I forgot to mention that the file is disguised as “Media Dashboard”, copyright to Microsoft and file version 6.0.0.0
I also added the files in C:\Windows\Temp (Only download these in a virtual environment or on a computer made for such things)
Post edited by jay2007tech
((((((I had to remove the attached file as it was located in the wrong location)))))
I’ll point you in the right direction :)
https://forums.comodo.com/av-false-positivenegative-detection-reporting/how-to-report-malware-to-comodo-t80137.0.html

I’m guessing you don’t want it anymore
I’ve uploaded it to www.virustotal.com and nothing got flagged

> so I allowed it and allowed everything since I thought it was a part of the software I was installing, however after a few boots with the program in question turned off from auto-start,

To start with,
Open CIS
Click on “Defense+”
Open “trusted files” and open “computer security policy” (one at a time)
Remove all the files in question
When done click on “OK”, or “Close”, but only if “OK” isn’t a choice

There’s software out there that’ll delete hard-to-delete stuff on reboot (below, I don’t know if it’ll work for Windows 8)

and for the registry

How to tell if a file is malicious
https://www.techsupportalert.com/content/how-tell-if-file-malicious.htm

The FileAssassin removes files that you don’t have access to remove, correct? Well I have access to remove it however it re-creates itself upon re-boot.
The same thing with RegAssassin, I can remove them but they re-appear on re-boot.

As for if I’m certain it’s malware, not really but why would a legit application insist on creating files in a temp folder that will recreate and that in turn creates a file in syswow64 that when created, isn’t even there and then tries to call to some IP address?

SUCCESS! I cranked up Comodo heuristic to high and it found a file in SysWOW64 called “lnsecsl.exe” and apparently it’s supposed to be connected to Windows Dashboard (the same thing stdrt.exe said to be) so I removed it and then removed the stdrt.exe and registry files and now I’m not being bothered by that file re-appearing again.

I do realize that this could actually be a legit file and I just blocked something that was supposed to be there, but I’ve never needed it before and so I won’t need it now and having it bother me by creating randomly generated files in temp that trigger Defense+ is just beyond annoying.

My bet is that it’s legit and got installed with the program to do something, however the program works fine without it. Or that it’s actually a very sophisticated malware since googling lnsecsl.exe gives me that it’s supposed to be located in system32 and not SysWOW64.

Either way my computer is working.

Edit:
This is exactly the thing I got: http://www.threatexpert.com/report.aspx?md5=c90bfbe590122672622d91a3ccea4b50

> As for if I'm certain it's malware, not really but why would a legit application insist on creating files in a temp folder that will recreate and that in turn creates a file in syswow64 that when created, isn't even there and then tries to call to some IP address?

Kind of sounds like adware. <------I couldn't tell you for sure

> The FileAssassin removes files that you don't have access to remove, correct?

It deletes it on reboot (before Windows loads up)

> Either way my computer is working.

> I do realize that this could actually be a legit file and I just blocked something that was supposed to be there, but I've never needed it before and so I won't need it now and having it bother me by creating randomly generated files in temp that trigger Defense+ is just beyond annoying.

I understand :) I figured you didn't want it and you need to start somewhere malware or not :)

Good Job
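
The thread turns on an executable whose version resource claims to be a Microsoft component while it sits in a temp folder and SysWOW64. The following is an added example, not part of the original posts: a PowerShell triage that lists executables claiming a Microsoft identity without a valid Microsoft Authenticode signature. The search roots and the helper name `Test-ClaimsMicrosoft` are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): find executables whose version
# resource claims Microsoft but whose signature does not back that up.
# Assumption: these two roots, taken from the locations named in the thread.
$Roots = @("$env:windir\Temp", "$env:windir\SysWOW64")

function Test-ClaimsMicrosoft {
    param([System.Diagnostics.FileVersionInfo]$Info)
    # Version-resource strings are written by whoever built the file,
    # so a "Microsoft" copyright line proves nothing on its own.
    return ($Info.LegalCopyright -match 'Microsoft') -or
           ($Info.CompanyName -match 'Microsoft')
}

$findings = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            if (-not (Test-ClaimsMicrosoft $info)) { return }   # next file

            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $backed = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

            if (-not $backed) {
                # Claimed identity is not supported by a valid Microsoft signature.
                [pscustomobject]@{
                    Path        = $_.FullName
                    Description = $info.FileDescription
                    Version     = $info.FileVersion
                    SigStatus   = $sig.Status
                    Signer      = $signer
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Modified    = $_.LastWriteTime
                }
            }
        }
}

# Oldest first, so files dropped around the same time group together.
$findings | Sort-Object Modified | Format-List
```

Windows components that are catalog-signed rather than embedded-signed can show as NotSigned on older PowerShell versions, so treat the output as leads to verify (for example by looking up the SHA256), not as verdicts.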