Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't remove Eicar test file


  • Please log in to reply
13 replies to this topic

#1 dcuyx

dcuyx

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:27 PM

Posted 08 July 2013 - 10:32 AM

Hi,

Lately my PC is very slow and freezes all the time.

I have bitdefender essential installed and it keeps on finding the Eicar test file.

After quarantine it just keeps on finding infected files but it can't seem to stop it..

Can anyone please help me out on this one because it's driving me insane...

This is what the Bitdender log looks like today:

 

C:\Windows\Temp\tmp00004efb\tmp00004941

EICAR-Test-File (not a virus)

Verplaatst naar Quarantaine

C:\Windows\Temp\tmp00004efb\tmp00004943

EICAR-Test-File (not a virus)

Verplaatst naar Quarantaine

C:\Windows\Temp\tmp00004efb\tmp00004945

EICAR-Test-File (not a virus)

Verplaatst naar Quarantaine

C:\Windows\Temp\tmp00004c03\tmp00000001

EICAR-Test-File (not a virus)

Verplaatst naar Quarantaine

C:\Windows\Temp\tmp000028c1\tmp00000ae6

EICAR-Test-File (not a virus)

Verplaatst naar Quarantaine

C:\Windows\Temp\tmp000028c1\tmp00000ae7

EICAR-Test-File (not a virus)

Verplaatst naar Quarantaine

C:\Windows\Temp\tmp000028c1\tmp00000ae9

EICAR-Test-File (not a virus)

Verplaatst naar Quarantaine

C:\Windows\Temp\tmp00007d5a\tmp0000105c

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp0000105b

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp0000105b

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp0000105f

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp000028c1\tmp00000aeb

EICAR-Test-File (not a virus)

Verplaatst naar Quarantaine

C:\Windows\Temp\tmp00007d5a\tmp00001144

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001146

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001142

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001140

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp0000113e

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001138

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001137

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001136

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001133

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001147

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001143

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001145

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001141

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp0000113f

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp0000113d

EICAR-Test-File (not a virus)

Geen

C:\Windows\Temp\tmp00007d5a\tmp00001120

EICAR-Test-File (not a virus)

Geen

 

Thanks!


Edited by hamluis, 18 September 2016 - 03:16 PM.
Moved from Win 7 to AV/AM Software - Hamluis.


BC AdBot (Login to Remove)

 


#2 sikntired

sikntired

  • Members
  • 1,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:27 PM

Posted 08 July 2013 - 11:30 AM

Hi dcuyx

 

Did you download this utility to test your antivirus program? Do you have the option to delete quarantined items.?

 

This is a free utility you can try: http://www.pandasecurity.com/homeusers/solutions/activescan/

 

Click on 'delete' for whatever finds.

 

Alternatively, you may have to go to the vendor site for support.



#3 dcuyx

dcuyx
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:27 PM

Posted 08 July 2013 - 11:56 AM

Hi,thanks for the reply!

No I never downloaded it... it just showed up...?

I also ran microsoft security Essentials, Spyware detector and Spy emergency but it can't fix the problem...

I'll try the panda utility.

 

Thanks



#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:09:27 PM

Posted 08 July 2013 - 12:04 PM

Might I suggest you try and run this to see if it will help as the files are located in your temp folder: http://www.bleepingcomputer.com/download/tfc/

If you don't want to run this, then I suggest you manually delete any folders inside C:\Windows\Temp\ (not the folder temp itself though).

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#5 dcuyx

dcuyx
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:27 PM

Posted 08 July 2013 - 01:47 PM

Hi,

Tried Panda and emptied temp file using the TFC tool...then started up again and new infected temp files showed up in the Bitdefender log... also Microsoft security Essentials popped up a detection screen... pfff



#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:09:27 PM

Posted 08 July 2013 - 02:15 PM

Hmm, well they are not really malware though, since the file is used to test whether your anti-virus is working. Why they keep reappearing is beyond me since there would be no reason for it to? This is what the EICAR-test is: http://www.eicar.org/86-0-Intended-use.html

Perhaps it would be better for you to post in Am I Infected? if nobody has any other ideas as one of their tools may be able to remove it.

 

Also since you mentioned Bitdefender and MSE, you shouldn't run more than one antivirus program, this can cause false positives and possible file corruption. Please read the IMPORTANT NOTE in Choosing an Anti-Virus Program if you want to know more about why you shouldn't run two anti-viruses.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#7 sikntired

sikntired

  • Members
  • 1,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:27 PM

Posted 08 July 2013 - 02:27 PM

Is Bitdefender a paid program? As suggested by xXToffeeXx uninstall one of them. When downloading programs you have to be careful as some will come

 

bundled with potentially unwanted programs (PUP).

 

Try this:

  1. First, navigate to your virus software control panel.
  2. Find (usually under the Anti-virus tab) your quarantine.
  3. Open up that.
  4. Find somewhere where it says “Add to Quarantine”, a plus sign, or some button that will allow you to add files to the quarantine.
  5. Navigate to the EICAR test virus in the pop-up file browser that appears.
  6. Now the virus is in the quarantine (right)? Hopefully its moved to the quarantine and not just copied.
  7. Now find that file in your quarantine window.
  8. Select the file.
  9. Delete that now-in-quarantine file with a “Delete File from Quarantine” or minus sign button.

Reboot and see if it is gone.


Edited by sikntired, 08 July 2013 - 02:44 PM.


#8 EwenB

EwenB

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:07:27 AM

Posted 08 July 2013 - 07:41 PM

Where did you save the test file to, you must have physically done this at some time because it cannot appear by itself.  Search for it and manually delete it.  I used that file many times in the past and I saved it to my desktop... when I had finished my tests I simply deleted it.



#9 dcuyx

dcuyx
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:27 PM

Posted 09 July 2013 - 12:07 AM

Well, desperate now... tried all of the above and these are the results after starting up again...:

file:C:\Windows\Temp\tmp00002956\tmp00000001

file:C:\Windows\Temp\tmp00002a1d\tmp000045a4

file:C:\Windows\Temp\tmp00002a1d\tmp000045a5

file:C:\Windows\Temp\tmp00002a1d\tmp000045a6

file:C:\Windows\Temp\tmp00002a1d\tmp000045a7

file:C:\Windows\Temp\tmp00002a1d\tmp000045a8

file:C:\Windows\Temp\tmp00002a1d\tmp000045a9

file:C:\Windows\Temp\tmp00002a1d\tmp000045aa

file:C:\Windows\Temp\tmp00002a1d\tmp000045ab

file:C:\Windows\Temp\tmp00002a1d\tmp000045ac

file:C:\Windows\Temp\tmp00002a1d\tmp000045ad

file:C:\Windows\Temp\tmp00002a1d\tmp000045ae

file:C:\Windows\Temp\tmp00002a1d\tmp000045af

file:C:\Windows\Temp\tmp00002a1d\tmp000045b0

file:C:\Windows\Temp\tmp00002a1d\tmp000045b1

file:C:\Windows\Temp\tmp00002a1d\tmp000045b2

file:C:\Windows\Temp\tmp00002a1d\tmp000045b7

file:C:\Windows\Temp\tmp000050bc\tmp00002001.86921.gzquar

file:C:\Windows\Temp\tmp0000640a\tmp00000001

file:C:\Windows\Temp\tmp00007bc2\tmp00002efd

file:C:\Windows\Temp\tmp00007bc2\tmp00002f04

file:C:\Windows\Temp\tmp00007bc2\tmp00002f05

file:C:\Windows\Temp\tmp00007bc2\tmp00002f06

file:C:\Windows\Temp\tmp00007bc2\tmp00002f07

file:C:\Windows\Temp\tmp00007bc2\tmp00002f08

file:C:\Windows\Temp\tmp00007bc2\tmp00002f09

file:C:\Windows\Temp\tmp00007bc2\tmp00002f0a

file:C:\Windows\Temp\tmp00007bc2\tmp00002f0b

file:C:\Windows\Temp\tmp00007bc2\tmp00002f0c

file:C:\Windows\Temp\tmp00007bc2\tmp00002f0d

file:C:\Windows\Temp\tmp00007bc2\tmp00002f0e

file:C:\Windows\Temp\tmp00007bc2\tmp00002f0f

file:C:\Windows\Temp\tmp00007bc2\tmp00002f10

file:C:\Windows\Temp\tmp00007bc2\tmp00002f11

file:C:\Windows\Temp\tmp00007bc2\tmp00002f12

 

I'll delete them again and I'll disable MSE.  Hopefully it'll help...

Yes, the Bitdefender is a paid version

No, I never saved it anywhere physically... it really just showed up...

Isn't there a chance that it's not the actual Eicar test file but a real virus that carries the same name to cause confusion...? 



#10 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:09:27 PM

Posted 09 July 2013 - 01:26 AM

Well, it's unlikely since the names are chosen by anti-virus you use, but I guess it could happen if it mistook a virus as this EICAR file. If you do want to check for viruses then Am I Infected? is where you want.
It would be better if you uninstalled MSE since even disabled it can cause problems with BitDefender.

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#11 dcuyx

dcuyx
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:27 PM

Posted 09 July 2013 - 07:50 AM

Uninstalled MSE and so far I'm 'Eicar-free'... fingers crossed...

Thanks everyone!



#12 sikntired

sikntired

  • Members
  • 1,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:27 PM

Posted 09 July 2013 - 07:57 AM

If this beast re-emerges I would strongly suggest you post in "Am I Infected". Undoubtedly you downloaded this through some program and you

 

were not aware. The reason for getting the Malware Team involved is due to the fact of using some very powerful tools and it would be wise to

 

do under their guidance.

 

Best of Luck, Regards..................



#13 pegasis

pegasis

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:01:27 PM

Posted 18 September 2016 - 01:47 PM

I have the same issue, but I don't have MSE loded?

 

any suggestions



#14 hamluis

hamluis

    Moderator


  • Moderator
  • 56,266 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:27 PM

Posted 18 September 2016 - 03:15 PM

If this beast re-emerges I would strongly suggest you post in "Am I Infected".

 

Louis






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users