SlimCleanerPlus.exe & DriverUpdate-Downloader[1].exe

For the past several months we have been getting McAfee Malware alerts from many of our endpoint machines. We would first get an alert saying it detected a Generic.dul Trojan, Target File Name: C:\Users\username\AppData\Local\Temp\nsf8A38.tmp\SlimCleanerPlus.exe, and then a couple of seconds later we would get another notification from the same endpoint pointing to Target File Name: C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G51HZ343\DriverUpdate-Downloader[1].exe. McAfee VirusScan is handling these threats by deleting them. I've tried to do some research on the issue, but have not been able to find much information about this alert. We get these alerts quite frequently (3-5 per day) from many different endpoints we manage, and McAfee is handling the threat. I would like to see if anyone else has had this same issue and how we can determine what might be downloading these files. Are there any forensic tools we can use to check the source of these files?
Accepted Solution
McAfee Employee

Re: SlimCleanerPlus.exe & DriverUpdate-Downloader[1].exe


Repeated detection for the same threat and same file would normally be due to the following two items:

--The product is detecting the written file, but not what is writing the file
--The users are repeatedly accessing the same compromised site, resulting in continued drive-by downloads for legitimate Malware

The above is under the assumption that the detection is not a false detection. From what I can gather regarding SlimCleanerPlus, there is actually a legitimate application named this, so then we have the question of whether or not the "Generic.dul" detection is accurate. This is a generic signature, and generic signatures are usually the signatures involved in false detections. It could also be that we have improperly classified this application as Malware, when in reality it is a PUP.

For some starting forensics, we also refer back to the process that is touching the file, and thereby allowing the scanner to produce detection. This assumes that the detection is occurring in real-time, and not being detected by an On-Demand Scan. If being detected in real-time, the On-Access Scanner log will tell us the source process. From there, we can look at items such as dll's injected within that process, to see if perhaps there is something using the process to continually generate the files that are being detected.

Luckily, our support Malware specialists can definitely help with this, and we would recommend opening a support case for live assistance for any Malware-related issues. Perhaps the first action to entertain is submitting the samples to McAfee Labs, so that we can validate whether or not the detection is legitimate, and in doing so it helps our support determine the next course of action.

Here is the KB for sample submission, just in the event it is needed:
https://kc.mcafee.com/corporate/index?page=content&id=KB68030


Re: SlimCleanerPlus.exe & DriverUpdate-Downloader[1].exe


The threat is being detected by our On-Access scan and not On-Demand. I checked the On-Access scan log file and below are the two lines referring to those files.

2019-01-17    08:54:08    Deleted     domain\user    C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\WUSWM27U\MapsGalaxy.1aca02b18f6d4919ac00692e8e2f952d.exe    C:\Users\lemires\AppData\Local\Microsoft\Windows\INetCache\IE\3G3OIAQ4\DriverUpdate-Downloader[1].exe    Generic.dul (Trojan Horse)    27a37fcde7209b8c7e9e09d1b154fa1f (MD5)
2019-01-17    08:54:08   Deleted     domain\user    C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\WUSWM27U\MapsGalaxy.1aca02b18f6d4919ac00692e8e2f952d.exe    C:\Users\lemires\AppData\Local\Temp\nsl9FB4.tmp\SlimCleanerPlus.exe    Generic.dul (Trojan Horse)    27a37fcde7209b8c7e9e09d1b154fa1f (MD5)

The files DriverUpdate-Downloader[1].exe & SlimCleanerPlus.exe are deleted by VirusScan, so how can I submit a sample? Or do I submit the source file, MapsGalaxy.1aca02b18f6d4919ac00692e8e2f952d.exe?

Thank you,
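
The employee's advice above is to start from the source process recorded in the On-Access Scanner log rather than from the deleted file, and the two log lines quoted in this reply show that the writer is the same MapsGalaxy executable both times. The following script is an added example, not code from the thread or from McAfee: it parses lines in that log layout (date, time, action, user, source process, target file, detection, hash; tab-separated, shown here as runs of spaces), groups detections by the process that wrote the file, and ranks the writers so the recurring source stands out. The sample input is constructed from the two quoted lines plus one made-up explorer.exe line with a placeholder hash.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample modelled on the two On-Access Scanner log lines quoted in
# the thread, plus one made-up line (explorer.exe, all-zero placeholder hash)
# so that grouping by source process has something to compare against.
SAMPLE_LOG = r"""
2019-01-17    08:54:08    Deleted     domain\user    C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\WUSWM27U\MapsGalaxy.1aca02b18f6d4919ac00692e8e2f952d.exe    C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\3G3OIAQ4\DriverUpdate-Downloader[1].exe    Generic.dul (Trojan Horse)    27a37fcde7209b8c7e9e09d1b154fa1f (MD5)
2019-01-17    08:54:08   Deleted     domain\user    C:\Users\username\AppData\Local\Microsoft\Windows\INetCache\IE\WUSWM27U\MapsGalaxy.1aca02b18f6d4919ac00692e8e2f952d.exe    C:\Users\username\AppData\Local\Temp\nsl9FB4.tmp\SlimCleanerPlus.exe    Generic.dul (Trojan Horse)    27a37fcde7209b8c7e9e09d1b154fa1f (MD5)
2019-01-18    09:12:41    Deleted     domain\user    C:\Windows\explorer.exe    C:\Users\username\Downloads\setup.exe    Generic.dul (Trojan Horse)    00000000000000000000000000000000 (MD5)
"""

FIELDS = ("date", "time", "action", "user", "source_process", "target_file", "detection", "hash")

def parse_oas_line(line):
    """Split one On-Access Scanner log line into named fields.
    Fields are separated by tabs (rendered as runs of spaces here); the
    detection name and the hash keep their single internal space."""
    parts = re.split(r"\t|\s{2,}", line.strip())
    if len(parts) != len(FIELDS):
        return None  # blank, header or truncated line
    return dict(zip(FIELDS, parts))

def group_by_source(log_text):
    """Map each source (writing) process to the records it produced.
    The detected file is only the symptom; the writer keeps re-creating it."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_oas_line(raw)
        if rec:
            groups[rec["source_process"]].append(rec)
    return groups

def rank_sources(log_text):
    """Return (source process, detection count, sorted distinct target file
    names), most active writer first."""
    ranked = []
    for src, recs in group_by_source(log_text).items():
        targets = sorted({PureWindowsPath(r["target_file"]).name for r in recs})
        ranked.append((src, len(recs), targets))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked

if __name__ == "__main__":
    for src, n, targets in rank_sources(SAMPLE_LOG):
        print(f"{n:3d} detection(s) written by {PureWindowsPath(src).name}: {', '.join(targets)}")
```

Pointing the script at the real log instead of SAMPLE_LOG gives the list of writer processes to look at next (loaded modules, parent process, how it got onto the machine), which is the starting point the accepted answer describes.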

McAfee Employee

Re: SlimCleanerPlus.exe & DriverUpdate-Downloader[1].exe


Sample submission can be done using the quarantined items under C:\Quarantine.

The recommendation would be to submit what is being detected for the initial submission, so that we can verify whether or not the detection is legitimate. Once those results are provided, we will know how to further the investigation.
