Author Topic: Sandbox warning: RarExtLoader.exe  (Read 12407 times)

0 Members and 1 Guest are viewing this topic.

Offline Hubbaman

  • Jr. Member
  • **
  • Posts: 47
Sandbox warning: RarExtLoader.exe
« on: June 08, 2011, 11:38:54 PM »
Hi,
This just happened on my computer running Windows 7 and Avast! Free Antivirus 6.0.11.25.
When I right click a file in Windows Explorer, I get a warning from Avast sandbox before the shell menu opens.

C:\Program Files (x86)\WinRAR 3.61 Multi\RarExtLoader.exe
Opened by: C:\Windows\System32\KernelBase.dll

I just respond "do not open" and the Windows shell menu comes up as normal.

I have never experienced this before today. Am I the only one?

Now, I don't recall having installed WinRAR on this computer. The program folder under Program Files (x86) has created date June 2, 2011. I don't think I have been visiting any dodgy sites either or had any funny e-mails, either. And Avast hasn't said anything. I have Windows 7, Avast 6 and WinRAR on another computer, this doesn't happen there.

All help appreciated!

Offline Nesivos

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1352
  • Artists Rendering of New Pauley Pavilion @ UCLA
Re: Sandbox warning: RarExtLoader.exe
« Reply #1 on: June 08, 2011, 11:56:30 PM »
Did you upload RarExtLoader.exe to Virustotal.com to check it?

http://www.virustotal.com/index.html

Upload the file and see if it comes up clean.
OS: W7-SP1, Security: AIS 7, SAS Pro, WinPatrol Plus Network:2 Dell 570MT x64 1 Dell 660 Desktop with 8GB RAM Default Browser & Email: Firefox & Thunderbird latest Betas

Offline Hubbaman

  • Jr. Member
  • **
  • Posts: 47
Re: Sandbox warning: RarExtLoader.exe
« Reply #2 on: June 09, 2011, 12:28:27 AM »
On Virustotal it gets 0/42 and no antivirus hits.

Please note: I made a mistake in my first post, the folder C:\Program Files (x86)\WinRAR 3.61 Multi\ was created June 2, 2010 (not 2011). I bought the computer in January 2011. I still don't know what it is, though. Could WinRAR 3.61 Multi come as part of the setup from the vendor? This is an MSI laptop.

Edit: corrected dates
« Last Edit: June 09, 2011, 12:46:02 AM by Hubbaman »

Offline ArnD

  • Newbie
  • *
  • Posts: 3
Re: Sandbox warning: RarExtLoader.exe
« Reply #3 on: June 09, 2011, 12:41:24 AM »
Hello

I've also encountered the same problem for the past 2 days. Still dunno if I'm infected by something or if it's Avast Sandbox which gets crazy. I've used WinRar for a couple of years on this machine and never had a problem. Now Sandbox keeps popping up everytime I cut/copy/paste files in Windows explorer and also when I hit the right button on a file (guess it's due to winrar special menu that is included in the right button options).
Could some one check if the last update for Avast didn't mess something up???
It's pretty annoying...

Thk
ArnD

Offline Nesivos

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1352
  • Artists Rendering of New Pauley Pavilion @ UCLA
Re: Sandbox warning: RarExtLoader.exe
« Reply #4 on: June 09, 2011, 12:42:55 AM »
You said that the path is
Quote
C:\Program Files (x86)\WinRAR 3.61 Multi

Help me out here.

Isn't WinRaR currently at version 4.x?

What is your version of WinRaR?

Thanks


OS: W7-SP1, Security: AIS 7, SAS Pro, WinPatrol Plus Network:2 Dell 570MT x64 1 Dell 660 Desktop with 8GB RAM Default Browser & Email: Firefox & Thunderbird latest Betas

Offline Nesivos

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1352
  • Artists Rendering of New Pauley Pavilion @ UCLA
Re: Sandbox warning: RarExtLoader.exe
« Reply #5 on: June 09, 2011, 12:44:11 AM »
Hello

I've also encountered the same problem for the past 2 days. Still dunno if I'm infected by something or if it's Avast Sandbox which gets crazy. I've used WinRar for a couple of years on this machine and never had a problem. Now Sandbox keeps popping up everytime I cut/copy/paste files in Windows explorer and also when I hit the right button on a file (guess it's due to winrar special menu that is included in the right button options).
Could some one check if the last update for Avast didn't mess something up???
It's pretty annoying...

Thk
ArnD

What version of WinRaR are you using?

OS: W7-SP1, Security: AIS 7, SAS Pro, WinPatrol Plus Network:2 Dell 570MT x64 1 Dell 660 Desktop with 8GB RAM Default Browser & Email: Firefox & Thunderbird latest Betas

Offline ArnD

  • Newbie
  • *
  • Posts: 3
Re: Sandbox warning: RarExtLoader.exe
« Reply #6 on: June 09, 2011, 12:47:41 AM »
As far as I'm concerned my WinRar is 3.70
I've read people discussing this matter on various forums
GERMAN: http://board.raidrush.ws/showthread.php?t=787610
ENGLISH: http://answers.yahoo.com/question/index?qid=20110606215809AAZqLOA
http://answers.yahoo.com/question/index?qid=20110606205213AAODIio
http://www.forumopolis.com/showthread.php?p=3765429
SPANISH: http://www.forospyware.com/t383646.html
etc...

No one seems to have found a correct answer yet  ??? :-\

Offline Hubbaman

  • Jr. Member
  • **
  • Posts: 47
Re: Sandbox warning: RarExtLoader.exe
« Reply #7 on: June 09, 2011, 12:56:12 AM »
You said that the path is
Quote
C:\Program Files (x86)\WinRAR 3.61 Multi

Help me out here.

Isn't WinRaR currently at version 4.x?

What is your version of WinRaR?

Thanks

Yes, that is the correct path. Like I said, I haven't installed WinRAR on this computer. (I only have a license for one computer, and on that computer I am running WinRAR x64 3.93.) You are correct, I see on their web site that version 4 is out.

When I look at the history in Add/Remove programs, I see the entry WinRAR archiver as installed February 5, 2011. Many programs were installed that day, I may have done a reinstall. Don't remember. Could it be installed together with something else, or perhaps be a part of the original vendor setup?

Offline Hubbaman

  • Jr. Member
  • **
  • Posts: 47
Re: Sandbox warning: RarExtLoader.exe
« Reply #8 on: June 09, 2011, 12:57:56 AM »
I've also encountered the same problem for the past 2 days.

I hadn't used the computer in question for a few days, so it's quite possible that our problems originate around the same time.

Offline babyface

  • Newbie
  • *
  • Posts: 1
Re: Sandbox warning: RarExtLoader.exe
« Reply #9 on: June 09, 2011, 09:00:34 AM »
I'm having the same problem too. I was right clicking a Word document and suddenly Avast tells me some rarextloader.exe is trying to run. So I decided to try uninstalling WinRar and reinstalling a newer version. It worked but then when I tried moving files to different folders Avast told me TeraCopy was trying to run, which is fine except that I already included it in my exclusion list. I don't know if I have a virus or not and it's driving me nuts !!

Offline free_kscorpio

  • Newbie
  • *
  • Posts: 6
Re: Sandbox warning: RarExtLoader.exe
« Reply #10 on: June 09, 2011, 10:09:59 AM »
Hi guys,

Looks like I had the same problem too. I also read a lot of topics on the Internet regarding this issue. I personally had a RarExt64.dll sandbox alert everytime I tried opening Microsoft Word. Unfortunately no antivirus was able to detect it, but I think it's not a safe file. I'm saying this because I decided to unistall WinRAR and only the .dll and a registry key remained in my WinRAR folder. When I tried deleting them under Windows I had a problem with the .dll file (although I had taken ownership of it along with the WinRAR folder). I was successful in removing it running the Safe Mode. After restarting my computer the sandbox alerts disappeared. However I am not sure that the intruder is gone for good as no antivirus can detect it and maybe it has found a way to hide itself and continue to run undetected. Before deleting the files I tried looking for suspicious processes, but my search came up empty. From what I have gathered from the internet, the RarExtLoader.exe generates similar problems. Another concern of mine is the way in which these files were able to get in my WinRAR folder as I haven't downloaded or installed anything recently. Hope this helps and hope this problem will soon be solved.

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 84901
  • No support PMs thanks
Re: Sandbox warning: RarExtLoader.exe
« Reply #11 on: June 09, 2011, 10:58:26 AM »
The autosandbox process is controlled in the first instance by the file system shield (FSS), the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn't had a definitive detection. Which is also why you didn't find any hits on VirusTotal.

However, the FSS checks other things amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). these can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean.

Edit attached missing image.
« Last Edit: June 09, 2011, 04:07:32 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Hubbaman

  • Jr. Member
  • **
  • Posts: 47
Re: Sandbox warning: RarExtLoader.exe
« Reply #12 on: June 09, 2011, 01:04:08 PM »
Thank you for your explanation and advice, DavidR.

What made me (and probably others) worry in the first place, is that this behaviour suddenly starts now, after no obvious system changes. Could it be because of updated Avast definitions? After some Windows update? One would assume the autosandbox would have been triggered by this the first time the autosandbox ran on the system.

I think I'll wait just a little while and see if anything else comes up here, and if it doesn't, I'll probably tell autosandbox to ignore it.

By the way: I know, speaking for myself, that when a problem occurs, it makes me question a lot of things. (In my case, why is this WinRAR 3.61 Multi even installed on my system? I can't remember installing it.) Perhaps these additional questions just cause confusion? If so, I'm sorry, but I'm hoping that someone will have an explanation, and also that it will help clearing up the matter.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: Sandbox warning: RarExtLoader.exe
« Reply #13 on: June 09, 2011, 01:51:05 PM »
Please upload the file RarExtLoader.exe (preferably packed into a uniquely named archive) to ftp://ftp.avast.com/incoming

Offline Hubbaman

  • Jr. Member
  • **
  • Posts: 47
Re: Sandbox warning: RarExtLoader.exe
« Reply #14 on: June 09, 2011, 02:43:37 PM »
Please upload the file RarExtLoader.exe (preferably packed into a uniquely named archive) to ftp://ftp.avast.com/incoming


I don't have it available at the moment, as I'm not at the computer in question. Anyone else?