Author Topic: Issue with WinRAR; Online Armor Notifications:  (Read 3634 times)

mchain
Issue with WinRAR; Online Armor Notifications:
« on: May 11, 2012, 06:06:53 AM »
Virus Total scans (3)

https://www.virustotal.com/file/98d476c635777d3c3ddb2620bb6cf2ac6b847297ce6d038601498b4ee3afa632/analysis/1336707008/

https://www.virustotal.com/file/72786c107f1ec0d37b57fc141479be39178977dcc5b0d5517a2016bc54c903cc/analysis/1336707112/

https://www.virustotal.com/file/f368140e6b58026ff314c6448a0584f76801f431b213a1efaff77cafe10d10d8/analysis/1336707203/

The scans above are of files within the WinRAR folder that will open when right-clicking a shortcut on the desktop; Online Armor would alert and ask for permission for that file to connect to the internet. I did not click "remember my answer", and so the file was allowed to temporarily connect. It is important to note the last two processes (and that is what they are) are children of the first, Rarext.dll, which is the parent process. The former calls the latter, each in succession, and no alert is seen from Avast! Installation point of WinRAR is on a backup drive, not the main OS drive.

I had some difficulty in uninstalling WinRAR, as the parent process, Rarext.dll, is always running, and got an access denied error when trying to delete the folder directly. I found an uninstaller file within that folder, ran that, and got the original file and a new one, Rarext.dll.0.tmp. A restart took care of the .dll.tmp file, leaving only the original installation file. As this file was originally downloaded in 2008, it was out of date, and was not one I downloaded either.

Can anyone explain why Avast! did not alert on this somewhat suspicious behavior, especially as the WinRAR program was installed on a separate backup drive, and should not have had the ability to run a process automatically when calling up shortcut options when right-clicking a shortcut link on drive C:/? 

There has been a definite improvement in OS responsiveness since Online Armor alerted to this behavior, and COMODO Firewall Free was uninstalled, and I then removed WinRAR.
Windows 10 Home 64-bit 22H2 Microsoft Windows Defender - Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.4.6112 (build 24.4.9067.762) UI version 1.0.803

igor (Avast team)
Re: Issue with WinRAR; Online Armor Notifications:
« Reply #1 on: May 11, 2012, 09:57:47 AM »
I don't think there's anything suspicious about WinRAR (and no other AVs think so either, as the VT results show). I don't know where it was trying to connect, but especially when you say it was installed since 2008, I don't think it was anything bad.

There is no rarext.dll process - rarext.dll is a shell extension that gets loaded by Explorer.exe when you right-click a file/folder (most likely to provide you with some "Pack into RAR archive" options). The Explorer doesn't unload that file once it has loaded it, so it is locked for you from that point on. If you tried to remove the file right after the OS start, without having right-clicked on anything, I believe the file would be free to go.
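
The reply above describes a context-menu shell extension: a DLL registered in the registry and loaded into Explorer.exe on right-click. The following PowerShell is an added example, not part of the thread or of any vendor's tooling. It lists the handlers registered under the standard `shellex\ContextMenuHandlers` keys, resolves each to its DLL, and reports whether Explorer currently has that DLL loaded and whether it is signed. Run it from a 64-bit PowerShell session on 64-bit Windows so Explorer's modules are visible.

```powershell
# Added example: enumerate context-menu shell extensions and the DLLs behind them.
# File classes whose context menus are extended most often (standard Windows keys).
$roots = '*', 'AllFilesystemObjects', 'Directory', 'Folder', 'lnkfile' |
    ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_\shellex\ContextMenuHandlers" }

$clsidPattern = '^\{[0-9A-Fa-f-]{36}\}$'

$handlers = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        # The CLSID is either the subkey's default value or the subkey name itself.
        $clsid = [string]$key.GetValue('')
        if ($clsid -notmatch $clsidPattern) { $clsid = $key.PSChildName }
        if ($clsid -notmatch $clsidPattern) { continue }

        # InprocServer32's default value is the DLL that Explorer loads in-process.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $server)) { continue }
        $dll = [string](Get-Item -LiteralPath $server).GetValue('')

        [pscustomobject]@{ Handler = $key.PSChildName; Clsid = $clsid; Dll = $dll }
    }
}

# Full paths of every module currently mapped into Explorer.
$loaded = Get-Process -Name explorer -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules.FileName }

$handlers | Where-Object Dll | Sort-Object Dll -Unique |
    Select-Object Handler, Dll,
        @{ n = 'LoadedInExplorer'; e = { $loaded -contains $_.Dll } },
        @{ n = 'Signature'; e = {
            if (Test-Path -LiteralPath $_.Dll) {
                (Get-AuthenticodeSignature -FilePath $_.Dll).Status
            } else { 'FileNotFound' }
        } } |
    Format-Table -AutoSize
```

A handler whose `Dll` column points at a path you do not recognise, or whose signature status is not `Valid`, is the entry to investigate; a row with `LoadedInExplorer` set to `True` also explains an "access denied" error when deleting that file.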

mchain
Re: Issue with WinRAR; Online Armor Notifications:
« Reply #2 on: May 11, 2012, 05:06:25 PM »
Hi igor,

For some time now (system was configured w/COMODO CIS Firewall Free, latest version 5.10), the system would nearly freeze for about 30-50 seconds as, as you say, Explorer would call up rarext.dll and the two child processes. Only after some time passed did the drop-down window open. At times, it would take two or more right-clicks to operate.

I put this down to the way COMODO would continually check a file against the cloud database; sometimes the return would take a bit of time.

Because of the negative impact on system performance, I, as I explained above, uninstalled WinRAR. Interesting to note, there was no entry in Add/Remove for this program. Successful removal also removed the several notations and links for WinRAR in the options drop-down box. BTW, to check the possibility that WinRAR was loading the rarext.dll at boot, I rebooted, then chose not to open a shortcut by right-clicking, and instead went directly to the WinRAR folder to delete it, only to find the folder itself could not be deleted, as rarext.dll gave an "access denied" error when this operation was done in the administrator account. I think this indicates explorer.exe had been running this .dll since startup, and I did not want that.

So I removed it. Problem solved.

It would be nice if Avast! could break down running processes from the parent on down, so this aspect could be verified and monitored.  If it had this option, I would have caught this much sooner, not four years later.

Reason I moved to Online Armor was due to the documented bug in COMODO Firewall and Avast! Otherwise I would not have found this.

EDIT: Sorry, misunderstood difference between a process and shell extension operand. Thanks for clarifying that. Still, the shell extension was loaded at startup, or seemed to be, anyway.
« Last Edit: May 11, 2012, 06:33:01 PM by mchain »