Sandbox warning: RarExtLoader.exe

Hi,
This just happened on my computer running Windows 7 and Avast! Free Antivirus 6.0.11.25.
When I right click a file in Windows Explorer, I get a warning from Avast sandbox before the shell menu opens.

C:\Program Files (x86)\WinRAR 3.61 Multi\RarExtLoader.exe
Opened by: C:\Windows\System32\KernelBase.dll

I just respond “do not open” and the Windows shell menu comes up as normal.

I have never experienced this before today. Am I the only one?

Now, I don’t recall having installed WinRAR on this computer. The program folder under Program Files (x86) has created date June 2, 2011. I don’t think I have been visiting any dodgy sites either or had any funny e-mails, either. And Avast hasn’t said anything. I have Windows 7, Avast 6 and WinRAR on another computer, this doesn’t happen there.

All help appreciated!

Did you upload RarExtLoader.exe to Virustotal.com to check it?

http://www.virustotal.com/index.html

Upload the file and see if it comes up clean.

On Virustotal it gets 0/42 and no antivirus hits.

Please note: I made a mistake in my first post, the folder C:\Program Files (x86)\WinRAR 3.61 Multi\ was created June 2, 2010 (not 2011). I bought the computer in January 2011. I still don’t know what it is, though. Could WinRAR 3.61 Multi come as part of the setup from the vendor? This is an MSI laptop.

Edit: corrected dates

Hello

I’ve also encountered the same problem for the past 2 days. Still dunno if I’m infected by something or if it’s Avast Sandbox which gets crazy. I’ve used WinRar for a couple of years on this machine and never had a problem. Now Sandbox keeps popping up every time I cut/copy/paste files in Windows explorer and also when I hit the right button on a file (guess it’s due to winrar special menu that is included in the right button options).
Could someone check if the last update for Avast didn’t mess something up???
It’s pretty annoying…

Thk
ArnD

You said that the path is

C:\Program Files (x86)\WinRAR 3.61 Multi

Help me out here.

Isn’t WinRaR currently at version 4.x?

What is your version of WinRaR?

Thanks

What version of WinRaR are you using?

As far as I’m concerned my WinRar is 3.70
I’ve read people discussing this matter on various forums
GERMAN: http://board.raidrush.ws/showthread.php?t=787610
ENGLISH: http://answers.yahoo.com/question/index?qid=20110606215809AAZqLOA
http://answers.yahoo.com/question/index?qid=20110606205213AAODIio
http://www.forumopolis.com/showthread.php?p=3765429
SPANISH: http://www.forospyware.com/t383646.html
etc…

No one seems to have found a correct answer yet ??? :-\

Yes, that is the correct path. Like I said, I haven’t installed WinRAR on this computer. (I only have a license for one computer, and on that computer I am running WinRAR x64 3.93.) You are correct, I see on their web site that version 4 is out.

When I look at the history in Add/Remove programs, I see the entry WinRAR archiver as installed February 5, 2011. Many programs were installed that day, I may have done a reinstall. Don’t remember. Could it be installed together with something else, or perhaps be a part of the original vendor setup?

I hadn’t used the computer in question for a few days, so it’s quite possible that our problems originate around the same time.

I’m having the same problem too. I was right clicking a Word document and suddenly Avast tells me some rarextloader.exe is trying to run. So I decided to try uninstalling WinRar and reinstalling a newer version. It worked but then when I tried moving files to different folders Avast told me TeraCopy was trying to run, which is fine except that I already included it in my exclusion list. I don’t know if I have a virus or not and it’s driving me nuts !!

Hi guys,

Looks like I had the same problem too. I also read a lot of topics on the Internet regarding this issue. I personally had a RarExt64.dll sandbox alert every time I tried opening Microsoft Word. Unfortunately no antivirus was able to detect it, but I think it’s not a safe file. I’m saying this because I decided to uninstall WinRAR and only the .dll and a registry key remained in my WinRAR folder. When I tried deleting them under Windows I had a problem with the .dll file (although I had taken ownership of it along with the WinRAR folder). I was successful in removing it running the Safe Mode. After restarting my computer the sandbox alerts disappeared. However I am not sure that the intruder is gone for good as no antivirus can detect it and maybe it has found a way to hide itself and continue to run undetected. Before deleting the files I tried looking for suspicious processes, but my search came up empty. From what I have gathered from the internet, the RarExtLoader.exe generates similar problems. Another concern of mine is the way in which these files were able to get in my WinRAR folder as I haven’t downloaded or installed anything recently. Hope this helps and hope this problem will soon be solved.

The autosandbox process is controlled in the first instance by the file system shield (FSS), the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn’t had a definitive detection. Which is also why you didn’t find any hits on VirusTotal.

However, the FSS checks other things amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). These can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean.

Edit attached missing image.

Thank you for your explanation and advice, DavidR.

What made me (and probably others) worry in the first place, is that this behaviour suddenly starts now, after no obvious system changes. Could it be because of updated Avast definitions? After some Windows update? One would assume the autosandbox would have been triggered by this the first time the autosandbox ran on the system.

I think I’ll wait just a little while and see if anything else comes up here, and if it doesn’t, I’ll probably tell autosandbox to ignore it.

By the way: I know, speaking for myself, that when a problem occurs, it makes me question a lot of things. (In my case, why is this WinRAR 3.61 Multi even installed on my system? I can’t remember installing it.) Perhaps these additional questions just cause confusion? If so, I’m sorry, but I’m hoping that someone will have an explanation, and also that it will help clearing up the matter.

Please upload the file RarExtLoader.exe (preferably packed into a uniquely named archive) to ftp://ftp.avast.com/incoming

I don’t have it available at the moment, as I’m not at the computer in question. Anyone else?

I’m still considering… As it would be really inconvenient for me at the moment to do something drastic like a complete Windows reinstall, what would you consider the safest way to deal with this?

  1. Uninstall WinRAR 3.61 Multi.
  2. Tell autosandbox to always open RarExtLoader.exe in sandbox.
  3. Tell autosandbox to always open RarExtLoader.exe normally.
  4. Tell autosandbox to always block RarExtLoader.exe (provided that doesn’t cause problems elsewhere).

Thanks.

The first thing that I would do when you are at that computer is what Igor (a senior avast developer) suggested, upload the file.

Upload the zip file to the ftp server ftp://ftp.avast.com/incoming:
Give the zip file you are uploading a unique name (e.g. Hubbaman_winrarloader.zip, etc), so they can identify it. It might not be a bad idea to create a text file (readme.txt) with any relevant information, avast topic URL, user name, etc. etc. in the zip file.

  • Using Internet Explorer, connect to the link and drag the file into the right pane and drop it, that starts the upload, you don’t have read access to this folder.

Or

Upload it using the Run command-line in Windows: Windows Key + R (to get the run box), copy and paste this

explorer ftp://ftp.avast.com/incoming

and drag the file into the window, from another explorer window.

Uh… I don’t know why but everything works fine right now… The problem is that I haven’t even checked if Avast had updated or something… Just started the machine, read your comments, was about to zip the suspicious file and noticed that I can copy/cut/paste files, click right button without having the sandbox pop up :o

Hi,

In the past few days ERUNT v1.1j became suddenly an “autosandbox candidate”. So I immediately added it to the exclusions list.

However, I just discovered that ERUNT is no more an “autosandbox candidate”. I think everything is back to normal thanks to some of the recent virus-def updates (probably this morning updates).

I thought you may want to know it.

Cheers,
T.

Win XP PRO SP3
Avast Free AV 6.0.1125

It is possible that WinRaR 3.6 has a digital signature that has expired given that 4.x is the latest release and that that is causing autosandbox to flag it.
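
Added example, not part of any post in this thread: a PowerShell check of the properties the thread discusses (whether each binary is digitally signed, when the signing certificate expires, where the file sits and when it was created), plus a SHA-256 hash that can be compared with the VirusTotal report. The folder path is the one quoted in the first post, and `Get-FileTrustSummary` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Folder path is the one quoted in the
# first post; adjust it to the installation being checked.
$folder = 'C:\Program Files (x86)\WinRAR 3.61 Multi'

# Hypothetical helper: returns one summary object per binary.
function Get-FileTrustSummary {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName

    # SHA-256 through .NET so this also runs on the PowerShell 2.0 that ships
    # with Windows 7 (Get-FileHash needs PowerShell 4.0 or later).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Dispose() }

    # Unsigned files have no signer certificate; signatures made without a
    # timestamp have no timestamper certificate.
    $signer = $null; $certExpires = $null; $timestamped = $false
    if ($sig.SignerCertificate) {
        $signer      = $sig.SignerCertificate.Subject
        $certExpires = $sig.SignerCertificate.NotAfter
    }
    if ($sig.TimeStamperCertificate) { $timestamped = $true }

    New-Object PSObject -Property @{
        File          = $item.FullName
        Created       = $item.CreationTime
        SHA256        = $hash
        SigStatus     = $sig.Status          # e.g. Valid, NotSigned, HashMismatch
        StatusMessage = $sig.StatusMessage
        Signer        = $signer
        CertExpires   = $certExpires
        Timestamped   = $timestamped
    } | Select-Object File, Created, SHA256, SigStatus, StatusMessage,
                      Signer, CertExpires, Timestamped
}

# Summarise every .exe and .dll in the folder (RarExtLoader.exe, RarExt64.dll, ...).
Get-ChildItem -LiteralPath $folder |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll)$' } |
    ForEach-Object { Get-FileTrustSummary -Path $_.FullName } |
    Format-List
```

A `SigStatus` of `NotSigned` means there is no signature to expire. For a signed file, a timestamped signature continues to validate after `CertExpires` has passed, while one without a timestamp does not.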