Trojan detected in favicons.sqlite-shm

  • 6 replies
  • 0 have this problem
  • 3 views
  • Last reply by cor-el


A Trojan was detected in favicons.sqlite-shm by BitDefender, the report said it blocked it (see screen-cap). Soon after, I wasn't able to load Firefox, Opera Browser and Thunderbird. Trying to access them would start a popup dialog box stating that "Firefox is already running" and I'd be asked to either cancel or stop. Pressing either option wouldn't allow access to Firefox etc. I had my computer scanned professionally and was told they didn't think the Trojan was still active and they managed to restore access to Firefox and Thunderbird; this took 2 hours.

I remain unconvinced my computer is free of the Trojan for various issues, including a corrupted winload.efi file (I have already attempted and failed to fix this) that won't allow Windows Defender to scan in Offline mode. Various other issues such as slow applications and an occasionally flickering screen suggest the Trojan might still be active.

I'd greatly appreciate it if anyone has information or experience dealing with this particular issue.

Scans such as Kaspersky, Malwarebytes, Bitdefender, etc. have been run and found nothing.


All Replies (6)


Favicons are in their own storage file - favicons.sqlite - and there are two temporary files for favicons - favicons.sqlite-wal and favicons.sqlite-shm - which are opened and used when Firefox is running. Those two files disappear during the closing procedure of Firefox when data is written to the storage file. Apparently, Bitdefender had a "lock" on the favicons.sqlite-shm file preventing Firefox from closing completely.


sqlite-shm and sqlite-wal are SQLite temp files and are needed to make SQLite work properly and your security software should leave those alone.

  • wal: Write-Ahead Logging
  • shm: Shared Memory files

I just wanted to thank you both for the feedback. It was far more helpful than the technician I paid who wasn't able to fix this issue. Cheers!


Dropa said

Why are you using Defender and BitDefender? This is also why you're having issues as well. More than one A/V is and will cause problems.

I'm not sure how you know this as it's not information I provided...

I'm not using Windows Defender by choice. I will disable it, but it will randomly enable itself and I'm not sure what causes this to happen.


I don't know whether this detection was a false positive, or whether it is possible to attack a user through a site icon (which is what the favicons database stores). Hopefully not a new thing we need to worry about...


Note that it was not the real file (favicons.sqlite) that was reported by the OP, but one of the two files sqlite-shm and sqlite-wal (favicons.sqlite-shm).


...The shm does not contain any database content and is not required to recover the database following a crash...
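
An added example, not part of the original thread: a Python sketch that reproduces the sidecar-file behaviour described in the replies above, using a throwaway database in a temporary directory. The file name `favicons.sqlite` only mirrors the thread (no real Firefox profile is touched), and the marker string and the `observe_sidecars` function are constructed for illustration.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for stored icon data.
MARKER = b"constructed-favicon-marker-7f3a"


def _has_marker(path):
    """True if the file exists and its raw bytes contain MARKER."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as f:
        return MARKER in f.read()


def _snapshot(db):
    """Record which of the three files exist and which hold the marker."""
    files = {"db": db, "wal": db + "-wal", "shm": db + "-shm"}
    return {
        name: {"exists": os.path.exists(p), "has_marker": _has_marker(p)}
        for name, p in files.items()
    }


def observe_sidecars():
    """Compare the files while a WAL database is open and after a clean close."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "favicons.sqlite")  # hypothetical test file
        conn = sqlite3.connect(db)
        conn.execute("PRAGMA journal_mode=WAL").fetchone()
        conn.execute("CREATE TABLE icons (url TEXT)")
        conn.execute("INSERT INTO icons VALUES (?)", (MARKER.decode(),))
        conn.commit()                 # committed rows sit in -wal until checkpoint
        while_open = _snapshot(db)
        conn.close()                  # last close checkpoints and removes sidecars
        after_close = _snapshot(db)
    return while_open, after_close


if __name__ == "__main__":
    for label, snap in zip(("while open", "after close"), observe_sidecars()):
        print(label, snap)
```

If the `-wal` or `-shm` file is still present after the application has exited, another process holding the file open (as suggested in the first reply) or an unclean shutdown is the usual thing to check.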