Repeated Andr/DoidRoot-A alerts for temp files in Windows User Temp directory

I've been receiving consistent alerts for what Sophos EPS is claiming is an Andr/DoidRoot-A virus/trojan infection; however, because EPS locks the temp files immediately, I'm unable to verify what information is contained within them.

This alert, according to the two web pages EPS links to (1 & 2), alerts to an apk, which not only can't run on Windows, but wouldn't create temp files in the user temp directory (temp files are created by a running application/service, after all).

All the temp files Sophos EPS is flagging begin with tmp followed by a 6-digit hexadecimal group with no file extension (for example, tmpmkw8ck).

I'm not sure of how to trace what program is creating the temp files, but if someone could point me in the right direction of how, I'd appreciate it.

These temp files are created upon boot and cycle through quite regularly and my hunch is they're related to the File History backup that I have turned on in Windows 10.

Please let me know if additional info is required.

Excerpt from EPS log: PasteBin

  • Hello JW0914,

    "an apk, of which not only can't run on Windows, but wouldn't create temp files" :)
    Some facts correct, conclusion not quite. Files without an extension are normally scanned: the scanner assesses their "True File Type" (as it does with all files) by analyzing their structure, apparently concludes these are APKs, and subsequent deeper scanning detects them as malware targeted at Android.

    The location suggests that a process running under the user's context is responsible. There's the Source of Infection Tool, which might help (Windows 10 isn't listed as a supported OS, though this might be an omission). Also, turning off automatic cleanup might (or might not) enable you to catch one of these files.

    Christian 

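Christian's point is that the scanner never trusts the file name: it reads the bytes, recognises a ZIP container, and treats a ZIP that carries Android package entries as an APK, extension or not. The script below is an added illustration of that "true file type" idea and is not Sophos code or part of this thread. It assumes a name pattern generalised from the post's example ("tmp" plus six lowercase alphanumerics, no extension), assumes that the presence of both AndroidManifest.xml and classes.dex inside a ZIP is enough to call it APK-shaped, and writes a few constructed placeholder files into a scratch directory to classify; the file name tmpmkw8ck is the one from the original post, the other names and all contents are made up.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed name pattern, generalised from the thread's example "tmpmkw8ck":
# "tmp" followed by six lowercase alphanumerics and no extension.
TMP_NAME = re.compile(r"^tmp[0-9a-z]{6}$")

# Assumed markers: a ZIP container carrying both of these entries is treated
# as an Android package for the purposes of this example.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def classify_bytes(data: bytes) -> str:
    """Return a coarse true file type for raw bytes; the file name is never consulted."""
    if data[:4] == b"PK\x03\x04":  # ZIP local-file-header signature
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-like (corrupt)"
        return "apk" if APK_MARKERS <= names else "zip"
    if data[:2] == b"MZ":  # DOS/PE executable header
        return "pe"
    return "unknown"


def scan_temp_dir(directory: Path) -> list[tuple[str, str]]:
    """Classify every extensionless tmp* file in a directory by structure, not name."""
    findings = []
    for path in sorted(directory.iterdir()):
        if path.is_file() and TMP_NAME.match(path.name):
            findings.append((path.name, classify_bytes(path.read_bytes())))
    return findings


def _zip_bytes(entries: dict[str, str]) -> bytes:
    """Build an in-memory ZIP archive from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples(directory: Path) -> None:
    """Write constructed sample files; contents are placeholders, not real packages."""
    # Name taken from the original post; body is an APK-shaped ZIP with dummy entries.
    (directory / "tmpmkw8ck").write_bytes(
        _zip_bytes({"AndroidManifest.xml": "<manifest/>", "classes.dex": "dex\n035\x00"})
    )
    # Ordinary ZIP with no Android markers (constructed name).
    (directory / "tmpa1b2c3").write_bytes(_zip_bytes({"readme.txt": "hello"}))
    # Plain text blob (constructed name); nothing structured to recognise.
    (directory / "tmpzz9999").write_bytes(b"just some text, nothing structured")


def demo() -> list[tuple[str, str]]:
    """Create the constructed samples in a scratch directory and classify them."""
    scratch = Path(tempfile.mkdtemp(prefix="eps-truetype-demo-"))
    build_samples(scratch)
    return scan_temp_dir(scratch)


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name}: {kind}")
```

Running it prints one line per constructed file, and only the ZIP that contains the two Android entries is reported as apk, even though its name is identical in shape to the harmless ones. That is the same reasoning the scanner applies, so the detection on extensionless temp files is consistent with what Christian describes rather than a contradiction. To answer the original question of which process writes them, Sysinternals Process Monitor with a Path filter on the user temp directory records the creating process for each CreateFile event, which is a more direct route than guessing from the file cycle.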