
Obscure "FakeAti" Trojan shows up in Malwarebytes, doesn't trigger MSE


5 replies to this topic

#1 spogn

spogn

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 PM

Posted 13 February 2014 - 03:54 PM

Hi,

Today I realized that I haven't scanned my computer with Malwarebytes for a while, and did so. When it concluded, it was shown that there was one virus, a Trojan.FakeATI located in C:\Users\[My account]\AppData\Local\ATI Technologies\atiedxx.exe. I pressed "Repair All", but suspecting there were other viruses, I booted up into safe mode and scanned again, which came out clean. Only now am I realizing the flawed logic of that, as when I looked into the log, listed after the logged occurrence of the Trojan is "Delete on reboot.", which I probably prevented.
The trojan was shown in MBAM's "Quarantine" tab, but it was not in the default quarantine folder. I looked in the folder it was reported to be found in, and it was there. It was the only item there, so it looks like it could genuinely be a virus. However, I'd hate to delete some graphics driver or something else.
I've left the computer running in safe mode. If you have any idea about what it is, and what I should do, it would be appreciated.

(P. S. I'm typing this on my phone, and will post the log in a bit.)



#2 Roodo

Roodo

  • Members
  • 760 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:48 PM

Posted 13 February 2014 - 04:13 PM

It's where it's supposed to be as an ATI driver. So the question would be, was your system experiencing any symptoms of a virus infection?



#3 spogn

spogn
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 PM

Posted 13 February 2014 - 04:19 PM

No, not that I noticed.



#4 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:10:48 PM

Posted 13 February 2014 - 04:26 PM

Could be a false positive. Occasionally AV apps will flag a legit file as malicious, based on the programming code. Certain commands that legit files use are also used by viruses, and vice-versa.

 

From file.net:

 

Atieclxx.exe file information

The process known as AMD External Events Client Module belongs to software AMD External Events by AMD (www.amd.com).

Description: atieclxx.exe is located in the folder C:\Windows\System32. Known file sizes on Windows 7/XP are 348,160 bytes (24% of all occurrences), 393,216 bytes and 18 more variants.
The program is not visible. It is a Microsoft signed file. The file is not a Windows system file. Therefore the technical security rating is 17% dangerous, however also read the users reviews.

Recommended: Identify atieclxx.exe related errors

Important: Some malware disguises itself as atieclxx.exe, particularly when not located in the C:\Windows\System32 folder. Therefore, you should check the atieclxx.exe process on your PC to see if it is a threat.

 

IMO it sounds like a legit file, but got flagged because it's not in the Sys32 folder, as stated.
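An added example, not part of any post in this thread: a PowerShell check that gathers the facts the discussion turns on (file location, Authenticode signature, version metadata and hash) for the flagged file. The function name `Get-FlaggedFileTriage` is hypothetical, and `$env:LOCALAPPDATA` stands in for the `C:\Users\[My account]\AppData\Local` path from the first post.

```powershell
# Added example: triage a flagged executable by location, signature and hash.
# Get-FlaggedFileTriage is a hypothetical helper name, not a built-in cmdlet.
function Get-FlaggedFileTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # The scanner may already have removed the file (e.g. "Delete on reboot").
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $file  = Get-Item -LiteralPath $Path -Force
    $sig   = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $sys32 = Join-Path $env:SystemRoot 'System32'

    [pscustomobject]@{
        Path        = $file.FullName
        Exists      = $true
        # The quoted file.net text treats a copy outside System32 as suspicious.
        InSystem32  = $file.DirectoryName -ieq $sys32
        SizeBytes   = $file.Length
        # Version metadata is set by whoever built the file, so it is only a hint.
        Company     = $file.VersionInfo.CompanyName
        Description = $file.VersionInfo.FileDescription
        # Status is Valid, NotSigned, HashMismatch, NotTrusted, etc.
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # The hash can be compared against a scanner's log or a multi-engine lookup.
        SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

# Path taken from the first post; LOCALAPPDATA resolves to the current user's AppData\Local.
Get-FlaggedFileTriage -Path "$env:LOCALAPPDATA\ATI Technologies\atiedxx.exe" | Format-List
```

A `Valid` signature whose signer is the hardware vendor supports the false-positive reading; `NotSigned` or `HashMismatch` on an executable in a user-profile folder is a reason to leave it quarantined.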



#5 Roodo

Roodo

  • Members
  • 760 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:48 PM

Posted 13 February 2014 - 04:31 PM

It's probably a false positive. Keep it quarantined just in case; I doubt the video will need that driver. It will warn you if it does.



#6 spogn

spogn
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:48 PM

Posted 13 February 2014 - 04:39 PM

OK, thanks.





