
TROJAN.FAKEAV


21 replies to this topic

#1 passacaglia

Posted 03 April 2017 - 12:54 PM

Every day Hitman Pro detects about 10 of these. However, Malwarebytes Premium and Bitdefender Total Security 2017 do not detect any of these. And they are supposed to be acting on real-time protection. Both run scheduled scans and show no threats. This has been going on during the last week almost every day. Is it possible that Hitman Pro is giving a lot of false positives or am I deeply infected?

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal



#2 buddy215 (BC Advisor)

Posted 03 April 2017 - 01:54 PM

Another member had the same false positive results from Hitman Pro. Those files are actually Bitdefender files.

That member actually posted the list of files...see...HitmanPro_20170402_1726.log

If those are the same or similar to your log files then Hitman Pro needs to be notified by you of their false positives.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 passacaglia


Posted 03 April 2017 - 02:25 PM

This is what I have received 10 minutes ago. Can you confirm these are also false positives?

 

 Scan date . . . . . . : 2017-04-03 16:00:18
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 52s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 14
   Traces  . . . . . . . : 19
 
   Objects scanned . . . : 1.953.002
   Files scanned . . . . : 26.950
   Remnants scanned  . . : 261.118 files / 1.664.934 keys
 
Malware remnants ____________________________________________________________
 
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV)
 
Cookies _____________________________________________________________________
 
   C:\Users\ERNESTO\AppData\Local\Google\Chrome\User Data\Default\Cookies:addthis.com
   C:\Users\ERNESTO\AppData\Local\Google\Chrome\User Data\Default\Cookies:bidswitch.net
   C:\Users\ERNESTO\AppData\Local\Google\Chrome\User Data\Default\Cookies:googleadservices.com
   C:\Users\ERNESTO\AppData\Local\Google\Chrome\User Data\Default\Cookies:mathtag.com
   C:\Users\ERNESTO\AppData\Local\Google\Chrome\User Data\Default\Cookies:scorecardresearch.com
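
A way to check for yourself what those keys actually do, added here as an example and not taken from the thread, from HitmanPro or from Bitdefender. The detections above are all subkeys of Image File Execution Options (IFEO). What matters in an IFEO subkey is whether it carries a Debugger value: Windows launches the Debugger command in place of the named executable, which is exactly how a real fake-AV blocks security tools. A subkey that merely exists, with other values or none, cannot redirect anything. The script below walks both IFEO roots (native and Wow6432Node), reports every subkey, marks the seven names from the log above, and, where a Debugger value is present, shows the Authenticode signer of the program it points at. The flagged-name list is copied from the log; everything else (function names, output columns) is my own choice. It reads HKLM only, so it runs from a normal PowerShell 5.1 or 7 prompt.

```powershell
# Added example, not code from the thread or from any vendor. Reports every
# IFEO subkey and whether it carries a Debugger value; only a Debugger value
# can hijack the named executable.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Image names flagged in the HitmanPro log above (constructed from that log).
$Flagged = 'about.exe','bdfvcl.exe','bdfvwiz.exe','deloeminfs.exe',
           'driverctrl.exe','odsw.exe','setloadorder.exe'

function Get-SignerInfo {
    # Authenticode status and signer subject for a file, or a note if it is missing.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return "missing: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    return "$($sig.Status) $subject"
}

function Get-IfeoReport {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $name  = $sub.PSChildName
            $props = Get-ItemProperty -LiteralPath $sub.PSPath
            # Drop the PS* bookkeeping properties that Get-ItemProperty adds.
            $vals  = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
            $dbg   = ($vals | Where-Object { $_.Name -eq 'Debugger' }).Value

            $target = $null
            if ($dbg) {
                # Debugger holds a command line; take its executable, quoted or not.
                $target = if ($dbg.StartsWith('"')) { ($dbg -split '"')[1] } else { ($dbg -split ' ')[0] }
            }

            [pscustomobject]@{
                Hive      = if ($root -like '*Wow6432Node*') { 'Wow6432Node' } else { 'native' }
                Image     = $name
                InLog     = $Flagged -contains $name
                Debugger  = $dbg
                DbgSigner = if ($target) { Get-SignerInfo $target } else { $null }
                OtherVals = ($vals | Where-Object { $_.Name -ne 'Debugger' } |
                             ForEach-Object { $_.Name }) -join ','
            }
        }
    }
}

# Entries with a Debugger value sort to the top; those are the ones to examine.
Get-IfeoReport | Sort-Object Debugger -Descending | Format-Table -AutoSize -Wrap
```

Read the output this way: a Debugger value pointing at a file in a user profile, Temp or an unsigned binary is a hijack and needs cleaning; a Debugger value pointing at a validly signed vendor binary is that vendor's own redirection; no Debugger value at all means the key only sets process options (the OtherVals column shows which) and cannot interfere with the named program, whatever a scanner calls it.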

 



#4 buddy215 (BC Advisor)

Posted 03 April 2017 - 02:30 PM

Yes...the same files the other member posted that I linked to. I'll repeat the same as in that link for how to deal with those cookies.

 

The cookies....Third Party cookies...can easily be blocked from installing in your browsers. Once blocked, use CCleaner to remove the existing ones. How to disable third-party cookies in all major web browsers

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download




#5 passacaglia


Posted 03 April 2017 - 04:44 PM

I blocked third party cookies as instructed in my Chrome browser. Superantispyware also runs scheduled scans and removes a lot of adware cookies.

 

I don't have any cookies now when I ran Hitman Pro, but I still got a lot of Trojan.FakeAV. Are those false positives?



#6 passacaglia


Posted 03 April 2017 - 04:51 PM

This is what I got now:

 

 Scan date . . . . . . : 2017-04-03 18:45:00

   Scan mode . . . . . . : Normal
   Scan duration . . . . : 46s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : Yes
 
   Threats . . . . . . . : 14
   Traces  . . . . . . . : 14
 
   Objects scanned . . . : 1.951.220
   Files scanned . . . . : 26.707
   Remnants scanned  . . : 259.540 files / 1.664.973 keys
 
Malware remnants ____________________________________________________________
 
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV) -> PendingDelete
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV) -> PendingDelete


#7 buddy215 (BC Advisor)

Posted 03 April 2017 - 05:48 PM

Yes...they are false positives. You should report this to Hitman Pro.




#8 passacaglia


Posted 03 April 2017 - 09:37 PM

Thanks. Will do.



#9 pincuz


Posted 03 April 2017 - 09:50 PM

I experienced the same.

 

Like many of you, I am careful about what I download and install, and I never log in as a local administrator. I also scan my system regularly with various security products. Two days ago I noticed that my daily scan with HitmanPro v3.7.15 revealed an infection with Trojan.FakeAV. Note that full system scans run right after this detection with Zemana, Malwarebytes, Emsisoft, Bitdefender, and Kaspersky didn't discover any threats. This left me perplexed until it dawned on me that HitmanPro started detecting Trojan.FakeAV following Bitdefender installing some component updates and rebooting the system. I examined and launched a few of those "infected" files in a virtual machine, and realized that they were indeed Bitdefender components. For instance, about.exe is actually the Bitdefender About Us splash screen info. Today, HitmanPro updated to 3.7.18, and a new scan didn't detect any Trojan.FakeAV. I guess this could be expected behaviour when, as many of us do, you run multiple security products at the same time; some of them are bound to clash now and then. This is not the first time something similar has happened.


Edited by pincuz, 03 April 2017 - 09:51 PM.


#10 passacaglia


Posted 03 April 2017 - 10:00 PM

Trojan.FakeAV was not detected by daily scans of Bitdefender Total Security 2017, Malwarebytes 3.0, Superantispyware, Adlice Rogue Killer, Sophos, Emsisoft, Zemana, Webroot and a free total system scan by Panda (which took about 3 hours). Hitman Pro still detected Trojan.FakeAV after their recent update.



#11 pincuz


Posted 03 April 2017 - 10:07 PM

This is odd. In my case, the detection stopped after the update, and those Bitdefender files that HitmanPro saw as infected before the update are no longer flagged as such. Note that those files are still present -- they weren't deleted by Hitman or by me manually. I probably need to mention that after I updated HitmanPro, I ran a scan with it in Safe mode, and after that it didn't detect the Trojan.FakeAV anymore.



#12 passacaglia


Posted 03 April 2017 - 10:23 PM

Latest log 5 minutes ago:

 

  Computer name . . . . : ERNESTO-PC

   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : ERNESTO-PC\ERNESTO
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Paid (208 days left)
 
   Scan date . . . . . . : 2017-04-04 00:15:45
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 52s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 14
   Traces  . . . . . . . : 14
 
   Objects scanned . . . : 1.951.549
   Files scanned . . . . : 26.820
   Remnants scanned  . . : 260.144 files / 1.664.585 keys
 
Malware remnants ____________________________________________________________
 
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\about.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odsw.exe\ (Trojan.FakeAV)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\ (Trojan.FakeAV)


#13 pincuz


Posted 04 April 2017 - 12:00 AM

Look for and download the Trend Micro Fake Antivirus (FakeAV) Removal Tool. Before you run a scan, make sure to whitelist the tool in Bitdefender's anti-ransomware module.

#14 buddy215 (BC Advisor)

Posted 04 April 2017 - 06:08 AM

Submitting HitmanPro False Positives




#15 passacaglia


Posted 04 April 2017 - 11:56 AM

Thanks buddy215.

I received a reply from Hitman Pro. I was asked to run the software in "forced breach" mode which terminates all processes that are not critical for Windows to operate. This was done and the trojan keeps showing up.





