Suspicious module loaded everywhere
valeriu
Posted : Thursday, August 13, 2009 12:24:31 AM
Rank: Newbie
Groups: Member

Joined: 8/13/2009
Posts: 4
Hello

There's a dll I found under perhaps all the applications I look into for details on loaded modules. But I don't see why my launch pad's component would need to be loaded by other applications.

dcx3.dll is the component I'm complaining about. Do I need to submit the program, or is it enough to link here? {*** http :/ www. rodi. dk /software_ pl3. php ***} - this is a piece of software I highly appreciate, but it gives me reason to worry all too often. So, I'd really like to get some feedback, and have the program/dll blacklisted/identified if there's something wrong.

This one sticks out because of its path, but who knows what all those other dlls are doing. How can we talk about computer security if anything just loads into anything? What's going on? Have I been monitored by a trojan for the last two years?

{*** edited by moderator}
Lynx
Posted : Thursday, August 13, 2009 2:11:39 AM

Rank: Advanced Member
Groups: Member, Moderation

Joined: 2/24/2006
Posts: 4,495
Location: Australia
Hi valeriu,

Welcome to the forum

First, I edited the link in your initial post.
If that is about the Software in question, please do not post it in “clickable form”.

The Software you referred to could be a ProgramLaunch type of Windows customization like ObjectDock or RocketDock...

As a matter of fact the link itself is blocked by default with my Firefox settings.

Another point is that this is not the correct way to investigate the problem.

Nobody, including the developers, will download and install the Software.
If you have flaggings by a-squared, please save the report and submit the flagged items to EMSI for the analysts, because the code is needed in order to answer questions.

- create a new thread in the Free or Anti-Malware section (depending on the edition you have) if you have questions about submitting/investigating the matter.
Save the report by a2 if there are flaggings;

- if you want a professional to review the HiJackFree on-line report, please create such a report as it's written in the documentation and provide the link to that report;

- if your computer is misbehaving and you want a full check-up of your PC, then
=======
Read the following instructions in
http://forum.emsisoft.com/Default.aspx?g=posts&t=1930
Prepare and post the required log files into Malware Removal section of the forum
(create new thread there)
Wait for reply from ShadowPuterDude, Katana, or JeanInMontana for assistance and further instructions.
=======

My regards

P.S. 1) Posting just the name of an alleged infection or a file name does not provide any information.
The location of the files / precise names of files and/or Registry Entries; processes, etc. are required. The same applies to the detection names. All that info should be in the saved report produced by a-squared. That will be one of the steps in the instructions.
2) In addition, it is always helpful to provide more detailed info about your System Environment:
OS; Service Pack; platform (x86 or x64); other security Software, especially those with real-time Guards and other background processes running; Firewall; etc.


XP Pro, SP3 (32-bit); a2-Free 4.5.0.21(beta); Firewall: Comodo CIS (Defense+ HIPS); Software DEP: integrated into Firewall; Anti-Malware: Mamutu 2.0.0.23 (beta); Verification Engine PlugIn (resident); AntiVirus: AVG Free (guard resident); SpyBot SD (+TeaTimer resident)
valeriu
Posted : Thursday, August 13, 2009 3:01:15 PM
Rank: Newbie
Groups: Member

Joined: 8/13/2009
Posts: 4
Hi Lynx, thank you for your prompt reply, however we don't seem to be on the same page.

Lynx wrote:
Hi valeriu,

Welcome to the forum

First, I edited the link in your initial post.
If that is about the Software in question, please do not post it in “clickable form”.


...

Quote:
As a matter of fact the link itself is blocked by default with my Firefox settings.

Another point is that this is not the correct way to investigate the problem.

Nobody, including the developers, will download and install the Software.


Won't happen again. But I don't see why this is an issue, and I don't understand, since I can always submit the software to you here: http://www.emsisoft.com/en/support/submit/

Quote:
The Software you referred to could be a ProgramLaunch type of Windows customization like ObjectDock or RocketDock...


Yes it is, and I know what it is. I've put it there. But it might be a trojan doing something "unmarketed" in the background. The program's name is exactly that: ProgramLaunch. As I said, I've been using this and it is very useful to me. I just don't know why its module is loaded everywhere. It's not flagged or anything; it passes scanning with the current definitions. And it passes with all the other antivirus software I tried. However, I doubt it's highly used software, thus perhaps it was never detected for what it is.

So my question once again: should you get worried at least a little if your standalone application's component shows up as being loaded by a load of (probably every) other applications?

Quote:
If you have flaggings by a-squared, please save the report and submit the flagged items to EMSI for the analysts, because the code is needed in order to answer questions.


The program passes current scans with a-squared. No flags, nothing. I'm using a-squared Anti-Malware.

Quote:
- create a new thread in the Free or Anti-Malware section (depending on the edition you have) if you have questions about submitting/investigating the matter.
Save the report by a2 if there are flaggings;

- if you want a professional to review the HiJackFree on-line report, please create such a report as it's written in the documentation and provide the link to that report;

- if your computer is misbehaving and you want a full check-up of your PC, then
=======
Read the following instructions in
http://forum.emsisoft.com/Default.aspx?g=posts&t=1930
Prepare and post the required log files into Malware Removal section of the forum
(create new thread there)
Wait for reply from ShadowPuterDude, Katana, or JeanInMontana for assistance and further instructions.
=======

My regards


We are not looking for an unknown threat, are we? Nevertheless, I'll take a look at what I can find by following these instructions, and if something is suspicious, I'll take the opportunity, thank you.

Quote:
P.S. 1) Posting just the name of an alleged infection or a file name does not provide any information.
I'm not claiming infection. I'm claiming suspicion, and the reason for suspicion - if it's a valid reason, please let me know.
Quote:
The location of the files / precise names of files and/or Registry Entries; processes, etc. are required.
Since you can extract the program anywhere, paths are irrelevant.
Quote:
The same applies to the detection names.
There are none.
Quote:
All that info should be in the saved report produced by a-squared. That will be one of the steps in the instructions.
2) In addition, it is always helpful to provide more detailed info about your System Environment:
OS; Service Pack; platform (x86 or x64);
Win XP SP3 x86
Quote:
other security Software, especially those with real-time Guards
Comodo CIS (with everything but the firewall disabled for the moment, as I'm relying on a-squared right now)
Quote:
and other background processes running; Firewall; etc.
I'll provide the rest of the info if justified.

If I failed to comprehend something, I'm sorry. Thank you for your support.
Lynx
Posted : Thursday, August 13, 2009 4:07:00 PM

Rank: Advanced Member
Groups: Member, Moderation

Joined: 2/24/2006
Posts: 4,495
Location: Australia
Hi valeriu,

Thanks for your reply and for such thorough reading of/answering my post.

The link you showed for submitting is correct, but as you can see, you can submit the file or set of files which specifically reside on your PC. That is different from showing the link from where the Software you are using was downloaded.

You will send a compressed, password-protected archive with those files you consider suspicious for code examination.
The files indeed may not be flagged by a-squared, but they may be flagged by other security software, so you may think that a2 missed the detection. Therefore it is called “new malware”.

valeriu wrote:
We are not looking for an unknown threat, are we?

I don't know. You were suspecting the behaviour that made you think so....

I was going to ask whether there are any Alerts/blockings from your firewall when the said DLL or the Software is trying to “go out”/“call home”/etc., so you may think that you are dealing with “trojan-like” behaviour, but your current description says
valeriu wrote:
Comodo CIS (with everything but the firewall disabled for the moment, as I'm relying on a-squared right now)

You must have a firewall (FW), and it is better to have a 3rd-party FW such as Comodo or Online Armor, because the native Windows one does not control outgoing traffic.

a-squared Anti-Malware, despite providing several strong levels of protection, by no means can be used without a FW.
I hope you have read about that in many places, and in addition you can read this EMSI article:
http://www.emsisoft.com/en/kb/articles/tec090701/

Other things are still unclear, and there is not enough information in order to understand and answer your statement that the said DLL
valeriu wrote:
component would need to be loaded by other applications.
....
its module is loaded everywhere.
and
valeriu wrote:
Since you can extract the program anywhere, paths are irrelevant.
I am afraid that those are not the statements that can lead to any conclusions and answers at all.

I am using RocketDock – I don't see such behaviour or any suspicious symptoms.
Well, to be honest, Mamutu fired up a few Alerts about RocketDock. There were “NewProcess”, “RemoteControl” and

, but I did understand those and allowed them.

The outgoing connection could be seen just because there is an auto-update set, for example.
Other than that, it's necessary to somehow show what you mean by such loading by other and many Applications.

Definitely, one of the ways is asking the forum and developers of ProgramLaunch.
That is what I would do in the 1st place.

Not much I can add at this stage

My regards

valeriu
Posted : Friday, August 14, 2009 8:06:37 AM
Rank: Newbie
Groups: Member

Joined: 8/13/2009
Posts: 4
Hi

Now, the idea that my files would be different from what I originally downloaded sounds interesting. But I will comply.

When I said unknown threat or not, I meant: here's this module that's bothering me, we know it. Whether it is a threat or not, that's a question though.


No. There are no outgoing alerts. But if this thing is hooked into everything, then it could go out through any other app that's allowed to do so, or couldn't it?

I meant to write: "with everything BUT the firewall disabled for the moment." I tried to make it easier on my system, but it's back on now. I never disable my firewall.


I don't know what's unclear about the rest though.

There's a dll in ProgramLaunch's directory: dcx3.dll. In HiJackFree, if I select any of the applications, I get a list with file properties, process details and loaded modules, under which is a list of dlls. What is C:\program files\program launch\dcx3.dll doing under a2guard.exe???

I'm not trying to be counter-productive by not providing paths.

It doesn't behave suspiciously. It doesn't update, everything is fine, except I don't see why the module from one app is loaded under all the others. On the other hand, if this thing is a trojan, I don't see why the developers would reveal that.

Thanks for trying, but you need to understand the question I highlighted in order to help me.
Lynx
Posted : Friday, August 14, 2009 8:46:11 AM

Rank: Advanced Member
Groups: Member, Moderation

Joined: 2/24/2006
Posts: 4,495
Location: Australia
valeriu wrote:
Thanks for trying, but you need to understand the question I highlighted in order to help me
Valeriu,

I do understand what your concern is, but I may repeat that the way you are providing information is not sufficient to help you.
You are rather not providing anything at all.

I suggested several things already, so you can show one way or another what you mean by
valeriu wrote:
this things is hooked into everything

...Now you are saying that you did not disable the firewall (that is inconsistent!)
If so, and Comodo is working (“now again”), there would be another source of making reports / asking questions / etc. in addition to what I posted already.

You are insisting that the said DLL is "hooked to everything”,
... but
- you did not post any reports to the developers of the Software;
- nor a HiJackFree on-line (or any other) report so a specialist can review it;
- you did not post (I am sure) any info to the Comodo team, saying that you suspect a Trojan – there should be hundreds of blockings in the report there, or there should be an “Allow” rule respectively;
- you are not sending any information to the EMSI team about
valeriu wrote:
What is C:\program files\program launch\dcx3.dll doing under a2guard.exe

and saying just
valeriu wrote:
I'm not trying to be counter-productive by not providing paths.

Sorry, but having been a programmer for many years, I cannot answer questions remotely without having any information provided....

"I rest my case"

I hope somebody can add questions & suggestions.

My regards

valeriu
Posted : Friday, August 14, 2009 12:52:38 PM
Rank: Newbie
Groups: Member

Joined: 8/13/2009
Posts: 4
To tell you the truth, when I first saw your answer, I ended up smiling. I would have never expected such confusion, but it's growing exponentially. So let's put a stop to it. I don't know what goes wrong, but there are certainly misunderstandings, like with my firewall.

"Everything BUT firewall disabled" means that the firewall is on, but the two other parts of CIS - antivirus and Defense+ - were off. I wasn't inconsistent. You failed to understand, or I wasn't clear enough.

According to HiJackFree these are the modules:

How did dcx3.dll get on the list under a-squared? I'm not sure if saying that dcx3.dll is hooked into a-squared is correct, but there's no need for words now. I tried to explain it thoroughly in the previous posts, instead of approximating things with a word like "hooked". You have it all in the next pic.

What does what I underlined have to do there?

And what more info am I to send about "What is C:\program files\program launch\dcx3.dll doing under a2guard.exe"? This is all I have. You now see what I saw. You say you understand my concern, yet you don't say whether my concern is justified or not. That is the only answer I need, but I haven't seen it so far. I must conclude that something's lost in translation.
You insist on me posting logs I don't have, like you'd need to look for a needle in a bunch of symptoms, instead of taking a look at the application itself with the tools you have, to get a full picture. I don't know what information you want, and I'm not savvy enough to provide it for you. In order to get those logs I need to work myself through help files, yet you don't answer a question. Looking back, perhaps it would have been easier. But I'm not ranting, nor do I complain; I'm just trying to set things straight and find a common ground.

I will submit a password-protected archive of the program once you confirm that you understand what I meant by hooked and what worried me in the first place, and that I have reason to do so.

This was never meant to become such a long thread...
Lynx
Posted : Saturday, August 15, 2009 3:12:08 AM

Rank: Advanced Member
Groups: Member, Moderation

Joined: 2/24/2006
Posts: 4,495
Location: Australia
valeriu wrote:
... when I first saw your answer, I ended up smiling...

You may continue doing that.
Some people would probably even laugh.

I am laughing too, nothing wrong with that – that's how we express our feelings.
Smiles and laughter are very healthy, as a matter of fact.

valeriu wrote:
... You failed to understand …

Well, it happens … and that could be frustrating to anybody who is willing to solve problems and failing. But there are differences in failures:

When we are solving problems being fed with appropriate information, asking new questions and getting another set of information … and cannot get a solution – that is frustrating, but that is a normal process and set of events, where we will succeed by being persistent.

Trying to solve a problem that is not formulated properly and does not have any set of parameters/factors based on which you can even start to understand what's going on will always lead to a complete failure. Formulating the question itself is not a trivial matter either; moreover, that (the correct question) is the 1st and most important step towards success.

Who would not fail in this situation? So, I am not offended by the alleged "failure".

Images are very often very helpful; they may tell a thousand words (“Every Picture Tells a Story”)
... but not those you provided … moreover, they were not required at this stage...
What is required was told above.

Click on any process in the list and you will get “Properties”, “Process details” … and currently “Loaded modules:” below.

Now, the thing (your Launcher) is working and you underscored some DLL, most likely belonging to it … so what?
Select another process – you most likely will see the same dll loaded …

If you want to find out precisely what is going on – which DLL is loaded by which module, what procedure of that DLL is currently used by which module, how the image occupies the memory and so on – grab some Tools in addition to HJF, like the ones from SysInternals (Process Explorer, Process Monitor, VMMap, DbgView, etc.) and, say, NirSoft (RegDllView, RegScanner, etc.), and have them handy.
Ask the question appropriately in the appropriate place(s), provide the information you were asked to provide, and probably you will get an answer eventually.

In this particular case I think you should not worry a lot... but if you want to find out a lot... there was “nuff said”.

And yes … what the heck! Let's continue smiling.

Regards

P.S. {added}

Here is the Mamutu process (same as Anti-Malware in your case) and the Loaded modules list. RocketDock.dll is there.

RocketDock is excluded from monitoring.

RocketDock is up and running.
Where is RocketDock.dll amongst the Loaded modules?

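The triage valeriu describes (a launcher's DLL showing up under a2guard.exe and other processes in HiJackFree's loaded-modules list) and the check Lynx suggests ("select another process, you will most likely see the same dll loaded") can be done systematically rather than by eye. The Python below is an added example, not code from the thread, from HiJackFree or from a-squared. It reads a constructed, simplified process/module listing (one tab-separated "process, module path" pair per line; this is not HiJackFree's real export format, and all processes and paths other than the dcx3.dll path quoted in the thread are made up) and reports DLLs from outside the Windows directory that are mapped into processes living somewhere other than the DLL's own directory. One common benign cause of exactly this picture is a dock or launcher that installs a global Windows hook via SetWindowsHookEx, which makes the hook DLL load into every GUI process of the same bitness; a module list alone cannot tell that apart from injection, so the value of the heuristic is narrowing down which DLLs deserve the closer look with Process Explorer and a file submission that Lynx recommends.

```python
from collections import defaultdict

# Constructed sample listing: one "process<TAB>full module path" pair per line.
# This is an invented, simplified layout, not HiJackFree's real report format.
# Only the dcx3.dll path is quoted from the thread; the other processes and
# paths are made up for illustration.
SAMPLE_LISTING = """\
programlaunch.exe\tC:\\Program Files\\Program Launch\\programlaunch.exe
programlaunch.exe\tC:\\WINDOWS\\system32\\ntdll.dll
programlaunch.exe\tC:\\WINDOWS\\system32\\user32.dll
programlaunch.exe\tC:\\Program Files\\Program Launch\\dcx3.dll
a2guard.exe\tC:\\Program Files\\a-squared Anti-Malware\\a2guard.exe
a2guard.exe\tC:\\WINDOWS\\system32\\ntdll.dll
a2guard.exe\tC:\\WINDOWS\\system32\\user32.dll
a2guard.exe\tC:\\Program Files\\Program Launch\\dcx3.dll
explorer.exe\tC:\\WINDOWS\\explorer.exe
explorer.exe\tC:\\WINDOWS\\system32\\ntdll.dll
explorer.exe\tC:\\WINDOWS\\system32\\user32.dll
explorer.exe\tC:\\Program Files\\Program Launch\\dcx3.dll
firefox.exe\tC:\\Program Files\\Mozilla Firefox\\firefox.exe
firefox.exe\tC:\\WINDOWS\\system32\\ntdll.dll
firefox.exe\tC:\\WINDOWS\\system32\\user32.dll
firefox.exe\tC:\\Program Files\\Mozilla Firefox\\xul.dll
firefox.exe\tC:\\Program Files\\Program Launch\\dcx3.dll
svchost.exe\tC:\\WINDOWS\\system32\\svchost.exe
svchost.exe\tC:\\WINDOWS\\system32\\ntdll.dll
"""

# Modules under the Windows directory (ntdll, kernel32, user32, ...) are
# expected in nearly every process and are excluded from the heuristic.
SYSTEM_PREFIXES = ("c:\\windows\\",)


def parse_listing(text):
    """Map each process name to the set of module paths it has loaded.

    Names and paths are lower-cased because Windows paths are
    case-insensitive and tools differ in how they print them.
    """
    procs = defaultdict(set)
    for line in text.splitlines():
        if "\t" not in line:
            continue  # blank or malformed line
        proc, path = line.split("\t", 1)
        procs[proc.strip().lower()].add(path.strip().lower())
    return dict(procs)


def dir_of(path):
    """Directory part of a Windows path, with trailing backslash."""
    return path.rsplit("\\", 1)[0] + "\\"


def home_dirs(procs):
    """Directory of each process's own executable image.

    The main image appears in its own module list, so the entry whose
    file name equals the process name tells us where the process lives.
    """
    homes = {}
    for proc, mods in procs.items():
        for mod in mods:
            if mod.endswith("\\" + proc):
                homes[proc] = dir_of(mod)
    return homes


def is_system_module(path):
    return path.startswith(SYSTEM_PREFIXES)


def flag_ubiquitous_modules(procs, min_foreign=2):
    """Return non-system DLLs loaded into at least `min_foreign` processes
    that do not live in the DLL's own directory.

    A DLL loaded by its own application is unremarkable; the same DLL
    mapped into unrelated processes (a security product, the browser,
    Explorer) is what deserves a closer look, whether the cause turns out
    to be a benign global hook or an injection.
    """
    homes = home_dirs(procs)
    loaders = defaultdict(set)
    for proc, mods in procs.items():
        for mod in mods:
            loaders[mod].add(proc)

    findings = []
    for mod, hosts in loaders.items():
        if is_system_module(mod) or not mod.endswith(".dll"):
            continue
        foreign = sorted(p for p in hosts if homes.get(p) != dir_of(mod))
        if len(foreign) >= min_foreign:
            findings.append((mod, foreign))
    # Most widely spread module first.
    findings.sort(key=lambda item: (-len(item[1]), item[0]))
    return findings


if __name__ == "__main__":
    for mod, foreign in flag_ubiquitous_modules(parse_listing(SAMPLE_LISTING)):
        print(f"{mod}\n  loaded by {len(foreign)} unrelated process(es): "
              + ", ".join(foreign))
```

On the constructed sample the only finding is dcx3.dll, loaded by a2guard.exe, explorer.exe and firefox.exe but not flagged for programlaunch.exe, which lives in the same directory; xul.dll is loaded only by its own Firefox and is ignored. The same filter applied to a real listing gives a short list of modules to look at in Process Explorer (who loaded it, which hook or thread brought it in) and, if still in doubt, to hash and submit for analysis as Lynx describes.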