
Infection or false positive?


  • This topic is locked
15 replies to this topic

#1 ZhiZed

  • Members
  • 24 posts

Posted 10 July 2017 - 04:03 AM

Hi guys,

 

I've been getting the threat message from Avast for the last couple of days, you can see the screenshot on this link.

https://drive.google.com/file/d/0B83BzRiN2JWrNW1KMDVRQ1ZQb28/view?usp=sharing

 

Until recently, I've been using BitDefender that came with the pc, but the licence has expired recently, so I installed Avast.

Since it's business edition (or something), I couldn't remove or disable BitDefender, it requires a password that I don't have.

 

I use the pc mainly for work, and I usually don't visit any risky sites.

 

I've also cleaned the temp files, went through safe mode and everything, nothing shows up...

 

Could this be just a false positive, a clash between AV's or is it a real infection?

 

Thanks in advance,

 

Z

 





#2 JacobIdris

  • Members
  • 37 posts
  • Gender:Male

Posted 10 July 2017 - 08:53 AM

I could have answered, but I don't know the language the message is displayed in.



#3 ZhiZed
  • Topic Starter

  • Members
  • 24 posts

Posted 10 July 2017 - 09:02 AM

Right, sorry :)

It says:

 

Threat blocked

 

Object, Infection, Process - these should be clear

 

The threat was detected and blocked just before creating or modifying the file.

 

Add file to the list of scan exceptions

 

Start SmartScan

 

This analysis searches for problems on your entire PC.



#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 July 2017 - 10:58 AM

[quote]Win32:Evo-gen [Susp] is a broad classification used by the Avast Behavior Monitor feature for software that exhibits suspicious behavior categorized as potentially malicious.
The Behavior Monitoring feature observes the behavior of processes as they run programs. If it observes a process behaving in a potentially malicious way, it reports the program the process is running as potentially malicious.[/quote]

>>>>>
DISABLE AND ENABLE BITDEFENDER
 
1.       Move mouse arrow to the Bitdefender icon in the bottom right of the desktop. (The little pictures in the lower right corner. When the arrow is placed on the little picture, a caption appears that tells what it is.)
2.       Double click the icon for BD.
3.       When the BD window appears, move mouse arrow to the left side and click "Virus Shield".
4.       Move mouse arrow to the black check by "Virus Shield is enabled" and click.
5.       The black words will change to red, "Virus Shield is disabled".
6.       Move mouse arrow to the top right corner and click the down arrows.
7.       BD is now inactive.
8.       To enable BD, do the same steps except click to enable.
9.       REMEMBER TO ALWAYS ENABLE (BD) AFTER RUNNING AD-AWARE AND SPYBOT AND BEFORE RUNNING (BD).

>>>>
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
Now RKill and MBAM

Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista/Windows7, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
Malwarebytes Anti-Malware
  • Download MalwareBytes Anti-Malware to your desktop.
  • Double-click mbam-setup-2.0.exe to start the installation of Malwarebytes Anti-Malware.
  • Follow the instructions on your screen to complete the installation. You can find the complete installation procedure here.
  • Click the Scan Now button, a threat scan will start automatically.
  • MalwareBytes Anti-Malware will now check for the latest updates. Click Update Now if new updates are available.
  • Your computer is now being scanned, please do not use your computer during the scan.
    • If no threats were found, click View detailed log.
      • Click Export and save the log as a .txt file on your Desktop or another location.
    • If the scan detected any threats, click Apply Actions.
      • To complete any actions taken you will be prompted to restart your computer...click on Yes.
      • After reboot, start Malwarebytes Anti-Malware again and click the History Tab at the top and select Application Logs.
      • Check the box next to Scan Log. Choose the most current scan and click View.
      • Click Export and save the log as a .txt file on your Desktop or another location.
  • Providing the MalwareBytes' Anti-Malware log file
    • Attach the log file you just saved to your next reply for further review.

Edited by boopme, 10 July 2017 - 11:00 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 ZhiZed
  • Topic Starter

  • Members
  • 24 posts

Posted 11 July 2017 - 03:45 AM

Actually, that's the problem, I can't disable BitDefender... I tried to do it before, but these are the only options I'm offered, and I can't disable anything.

https://drive.google.com/file/d/0B83BzRiN2JWrclNMZWhyTkFYczA/view?usp=sharing 

 

I ran the scans anyway, here are the results:

 

TDSSKiller didn't find anything

 

Rkill

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/11/2017 10:17:44 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
 * Windows Firewall Disabled
 
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
 * TBS [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 07/11/2017 10:18:10 AM
Execution time: 0 hours(s), 0 minute(s), and 25 seconds(s)
 
MBAM
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 7/11/17
Scan Time: 10:20 AM
Log File: 
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.141
Update Package Version: 1.0.2339
License: Free
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: PORT-FANX70442\ZDENKA
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 369649
Threats Detected: 6
Threats Quarantined: 6
Time Elapsed: 4 min, 11 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 1
PUP.Optional.DriverAgentPlus, C:\USERS\ZDENKA\APPDATA\ROAMING\DriverAgentPlus, Quarantined, [2430], [182329],1.0.2339
 
File: 5
PUP.Optional.DriverAgentPlus, C:\Users\ZDENKA\AppData\Roaming\DriverAgentPlus\DriverAgentPlus.downloads, Quarantined, [2430], [182329],1.0.2339
PUP.Optional.DriverAgentPlus, C:\Users\ZDENKA\AppData\Roaming\DriverAgentPlus\DriverAgentPlus.history, Quarantined, [2430], [182329],1.0.2339
PUP.Optional.DriverAgentPlus, C:\Users\ZDENKA\AppData\Roaming\DriverAgentPlus\DriverAgentPlus.settings, Quarantined, [2430], [182329],1.0.2339
PUP.Optional.DriverAgentPlus, C:\Users\ZDENKA\AppData\Roaming\DriverAgentPlus\scandata.bin, Quarantined, [2430], [182329],1.0.2339
PUP.Optional.DriverAgentPlus, C:\Users\ZDENKA\AppData\Roaming\DriverAgentPlus\sysinfo.bin, Quarantined, [2430], [182329],1.0.2339
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
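As an added example (not from this thread, and not Rkill's own code), a small Python parser that pulls the actionable findings out of an Rkill log like the one above, keeps the registry key and value Rkill prints under each finding, and lists which built-in defenses the log reports as disabled, stopped or missing. The sample text is a constructed excerpt mirroring the log above, and the regexes and function names are assumptions of this example.

```python
import re

# Constructed excerpt mirroring the "miscellaneous checks" and "service
# integrity" sections of the Rkill log quoted above (spacer lines dropped).
SAMPLE_RKILL_LOG = """\
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 * Windows Firewall Disabled
   [HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
   "EnableFirewall" = dword:00000000
Checking Windows Service Integrity:
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 * TBS [Missing Service]
Searching for Missing Digital Signatures:
 * No issues found.
"""

FINDING_RE = re.compile(r"^\s*\*\s+(?P<text>.+?)\s*$")          # " * Windows Defender Disabled"
REGKEY_RE = re.compile(r"^\s*\[(?P<key>HK[A-Z_]+\\.+)\]\s*$")   # "   [HKLM\...]"
REGVAL_RE = re.compile(r'^\s*"(?P<name>[^"]+)"\s*=\s*(?P<value>\S+)\s*$')
STARTUP_RE = re.compile(r"^\s*Startup Type set to:\s*(?P<mode>\S+)\s*$")

def parse_rkill_findings(log_text):
    """Return the actionable Rkill findings as dicts; 'No ... found' lines are skipped."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            current = None
            if not m.group("text").lower().startswith("no "):
                current = {"text": m.group("text"), "key": None, "values": {}}
                findings.append(current)
            continue
        if current is None:          # detail lines only belong to a real finding
            continue
        if (m := REGKEY_RE.match(line)):
            current["key"] = m.group("key")
        elif (m := REGVAL_RE.match(line)):
            current["values"][m.group("name")] = m.group("value")
        elif (m := STARTUP_RE.match(line)):
            current["startup"] = m.group("mode")
    return findings

def weakened_defenses(findings):
    """Findings that say a built-in defense is off, stopped or missing;
    compare these against the expected baseline before calling the box clean."""
    markers = ("disabled", "not running", "missing service")
    return [f["text"] for f in findings
            if any(k in f["text"].lower() for k in markers)]
```

On a company-managed PC the Defender policy key and firewall setting that Rkill flags may have been set deliberately by the third-party AV or by group policy, so check them against the expected configuration rather than reverting them blindly.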


#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 July 2017 - 11:57 AM

OK, one more try: run RKill again, it looks like it stops Bitdefender. Now try to uninstall.
If no joy, we will repost and remove it.

#7 ZhiZed
  • Topic Starter

  • Members
  • 24 posts

Posted 12 July 2017 - 03:24 AM

So here's the new RKill log:

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/12/2017 10:12:12 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
 * Windows Firewall Disabled
 
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
 * TBS [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 07/12/2017 10:16:38 AM
Execution time: 0 hours(s), 4 minute(s), and 26 seconds(s)
 
 
Good news is that I didn't get any new threats since the last scan yesterday, but I still can't remove BD.
The program folder doesn't have an uninstall file (or I can't find one), and going through Control Panel says that I should "wait until the installation or modification of the program completes".
 
 


#8 ZhiZed
  • Topic Starter

  • Members
  • 24 posts

Posted 12 July 2017 - 04:24 AM

UPDATE

 

This popped up eventually

https://drive.google.com/file/d/0B83BzRiN2JWrcmkxeTBoeGNmR3M/view?usp=sharing

 

I've seen this when I tried uninstalling it before, and since I don't have the password, this is where I stopped.



#9 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 July 2017 - 01:48 PM

Let me ask my colleagues.

#10 buddy215

  • Moderator
  • 13,256 posts
  • Gender:Male
  • Location:West Tennessee

Posted 13 July 2017 - 07:10 AM

I take it you purchased a used computer....is that correct? If so, you can possibly get the password from the business you purchased it from.

 

Other than that...a clean uninstall and reinstall of Windows will be necessary to uninstall Bit Defender.

 

There is a slight chance you may be able to convince Bit Defender that you legally own the computer and they will instruct you on how to remove Bit Defender without the password installed by the last owner.

 

FROM THE WEB:

If you have lost/forgotten your password for the GUI settings, you will have to contact Bitdefender Support via email etc. to find out how to reset it.

Phone: http://www.bitdefender.com/support/consumer-phone.html

Chat: http://www.bitdefender.com/support/chat-support.html

Email: http://www.bitdefender.com/support/contact-us.html

 


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#11 ZhiZed
  • Topic Starter

  • Members
  • 24 posts

Posted 13 July 2017 - 07:51 AM

Actually, I got the PC from the company I work for, with a bunch of pre-installed stuff I use regularly, so I'd prefer not to kill Windows just yet...

I'll try to get the password from our tech support company or BitDefender, so we'll see.

 

Thanks for the tip :)



#12 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 July 2017 - 09:51 AM

Got a suggestion for this
https://www.bleepingcomputer.com/download/bitdefender-uninstall-tool/

#13 ZhiZed
  • Topic Starter

  • Members
  • 24 posts

Posted 13 July 2017 - 02:13 PM

 

Still needs a password, but thanks for the suggestion



#14 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 July 2017 - 03:53 PM

Before you reformat, make a new topic here and see if they can get it out. Start at step 6.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#15 ZhiZed
  • Topic Starter

  • Members
  • 24 posts

Posted 19 July 2017 - 01:50 PM

Hey, just letting you know that I got help at the other topic, it's solved :)

 

Thanks for all the help!


Edited by ZhiZed, 19 July 2017 - 01:52 PM.




