Full system custom Scan found this

Options

So I recently bought bitdefender total, after doing a custom scan that targeted all the drives on my laptop. Bitdefender detected this "Generic.Application.HackTool.KMS.A.DD98CF7E", the file was located in "C:\Windows\Setup\SCRIPTS\HWID_Activation_AIO.cmd". After the scan was completed I clicked on "take appropriate action" and bitdefender deleted the file. It then declared my laptop safe. Out of curiosity, I visited the file and found 2 other.cmds named: KMS_VL_ALL_AIO.cmd and SetupComplete.cmd. I put both into virustotal and the KMS one came back with 10 hits from various AVs. The setupcomplete one came back clean. Also i didn't click and run them at all other than drag and drop them on virustotal.

heres the VT link for the KMS cmd and setupcomplete.

https://www.virustotal.com/gui/file/e4834aaf04092bbd62048c9182a9d92fd527f900c72666d1e9f2dabbc6dddd03

https://www.virustotal.com/gui/file/e6350ebb89ad2455c29cd16ca529cf8f2b8ca40ec7598fab5abc27ac472fef52

I did some research and the internet says it a malicious trojan that acts as back door for more malicious things (I'm no expert so correct me if im wrong). Normally when the results from virus total contain a few hits from lesser known AVs im not so worried but in this case Kaspersky and ESET-NOD32 flagged it as malicious. That got me worried, why hasn't bitdefender detected it. I have a legit copy of windows and that goes for all programs on my laptop. I have no memory of visiting any dodgy websites or downloading anything dodgy. This has got me worried, is it a false positive or should I take other measures? Anyhelp is greatly appreciated.

Answers

  • Gjoksi
    Gjoksi DEFENDER OF THE YEAR 2022 / DEFENDER OF THE MONTH ✭✭✭✭✭
    edited June 28
    Options

    Hello.

    Scan (and disinfect, if needed) your PC with Bitdefender Rescue Environment:
    https://www.bitdefender.com/consumer/support/answer/29132/

    Also, only the anti-malware researchers at Bitdefender Labs can help you with the issue.
    You should report the file(s) as false positive to Bitdefender Labs here:
    https://www.bitdefender.com/consumer/support/answer/29358/
    You could also share the VirusTotal link of the file(s) to the anti-malware researchers.
    Regards.

  • Ill give the rescue environment a shot. Will get back to you if anything comes up.

    Regarding the false posititives. Are you referring to all 3.cmd files at the location? I just discovered that bitdefender did not delete the detection but quarentined it. So should I report all 3 as false positives by submission? or one or two of them as false positives?

  • Gjoksi
    Gjoksi DEFENDER OF THE YEAR 2022 / DEFENDER OF THE MONTH ✭✭✭✭✭
    Options

    Hello again.

    You should restore the files from Bitdefender Quarantine, by following these steps:

    https://www.bitdefender.com/consumer/support/answer/2092/

    Do not forget to toggle "Create exception for the restored files" to the ON position if it’s off.

    For best results on the issue, you should submit the ALL 3 (three) files to the anti-malware researchers.

    Best regards.

  • Got it, ill restore the files but can I get the reasoning. The virus total scan of the setupcomplete cmd did say that all 3 cmd are used for legitamate purposes? While i understood most of the note I would like to here your opinion as to why its a false positive?

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod
    edited June 28
    Options

    To add here, the files uploaded on VirusTotal are not false positives but indeed KMS activators. A 'KMS Hacktool' is software used to activate Microsoft products illegally, bypassing normal licensing. It's typically used to activate Microsoft Windows or Microsoft Office without purchasing legitimate licenses, which violates Microsoft's terms and can pose security risks to your computer. Both VirusTotal links have been submitted to Bitdefender malware researchers, and detection will be created within a maximum of 72 hours. Thank you for sharing the VirusTotal links.

    Regards.

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • The rescue environment scan came back clean. I've already submitted the files to bitdefender labs for analysis. Someone from support is in contact with me, I've submitted logs already and I'm waiting for their analysis. If you guys have any other tips to give im all ears. Regardless, thanks for all the help, I hope bitdefender can hold down my laptop until I get definite answers from support.

  • Flexx
    Flexx DEFENDER OF THE YEAR 2023 / DEFENDER OF THE MONTH ✭✭✭✭✭ mod
    edited June 29
    Options

    KMS activators are not malicious, and submitting logs was not necessary. Maybe the support team is not as aware of KMS activators as malware researchers would be.

    If you need additional help in removing these types of files, you can download the ESET Online Scanner, which is a portable scanner rather than installation-based software. Select "Detection of PUP/PUA" if the box is unchecked and run a scan. Initially, it will download malware detection database updates, and afterwards, it will run a scan. Run a full system scan. ESET is the best at detecting KMS activators. You can download the ESET Online Scanner from the link below.

    https://www.eset.com/in/home/online-scanner/

    Also, to add here, since ESET is also an anti-malware software, chances are that it may detect additional malware on your system, different from the KMS activator, that may have gone undetected by Bitdefender.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)