I’ve got an “odd case” at a client site.
A SonicWall security appliance claims one machine has the “injector.VMX” trojan / virus on it.
The Trend Micro antivirus on the machine says it is clean.
Trying to find out more about “injector.VMX” comes up with very little. Mostly some “scareware” sites trying to get me to install their supposed “fix” when I know nothing about their sites or the fix. CERT didn’t pop anything that I could find.
So I’m at a bit of a loss how to proceed.
Any information about it, or how to remove it, or if it is really something else, frankly, anything would help.
Being at best a mediocre Windows PC Guy, I’m a bit out of my depth on this one.
Looks like it is likely a “False Positive” on the SonicWall:
https://www.reddit.com/r/sonicwall/comments/ns5sfd/anyone_else_getting_numerous_gav_blocks_from_the/
Started the same “4 days ago” as the report I ran into.
Other folks getting the same pattern:
So “never mind”…
Watch the SQL injections.
How to remove it:
https://howtoremove.guide/injector-vmx-trojan/
More info:
https://adwareremoval.info/msil-injector-vmx/
From the SonicWall dashboard …
https://tz400.demo.sonicwall.com/systemDashboardView.html
From my grandson. Who is the most expert person I know about Windows/Intel stuff;
“Injector:VMX is a behavior-based flag. Means it sent or received a file or packet that looked like it had an application that could inject code into another application or into Windows’ boot at runtime.
Some antiviruses will flag tools like Sk8r and KMSPico (Windows Hack-Activation software) as Injector:VMX.”
They run at such a low level, an antivirus running on the computer can’t even see it. Tell the client to install the boot drive of the flagged machine in another machine as a secondary HDD, then have TrendMicro scan it from there.
Nothing to say on this issue, but . . .
I got a phishing (sp. ?) email this morning from a site claiming to be McAfee Security and wanting me to connect or call and pay about $600 via an auto-pay deal.
I hit the “report as spam” button (using gmail).
Is there a computer term for an on-screen button? ’cause it is not a real button.
John
@Jim2:
The “howtoremove” site is one of the “scareware” sites I was talking about. Mostly pushing their “fix it” software. They have a lot of “Bum’s Rush” push to install their software and not much actual information about the trojan.
@P.G.:
Thanks for that idea (moving boot disk to another machine and then scanning). I’ll keep that in the back pocket “just in case”.
As of now, it looks very much like the SonicWall “signature” is picking up QuickBooks too and having a bit of a tizzy over a non-virus application. I.e. the “signature” is slight and close enough to QuickBooks that it gives a False Positive.
This would explain the sudden onset AFTER the SonicWall was in place (new signature update happened) and while Trend Micro AV was installed and running. I.e. “how did it get in?” Answer: It didn’t get in… It also explains why there was zero unexpected CPU activity (monitoring at a detail level showed nothing out of the ordinary on the box).
So at this point, I’m mostly going to assure the “Signatures” are updated with whatever SonicWall pushes as the replacement, then let things run again for a few days (when the machine ought to no longer be flagged…).
@John Hultquist:
I don’t know if it is Apple Specific terminology or not, but we always just called them “Radio Buttons”.
You have a choice of a few “buttons” and pushing one of them makes something happen.
https://en.wikipedia.org/wiki/Radio_button
I found the false positives as well. However, I did find one site that I do trust, which says they can remove it (it is freeware):
http://www.combo-fix.com/threat-database/injector-vmx-threat-alert/
I have used ComboFix several times when all else failed to rid a computer of a bad bug.
Which side would you rather be on, the hacker or anti-hacker?
Anti-hacker sounds like more fun :)