Bitdefender Deep Scan Finds Virus

This is my second post about infections tonight. No answer on the first one yet.


Deep Scan found the above infection in C:\Users\Name\AppData\Local\Temp\is-UQB15.tmp\iMonitor.exe" threatType="virus" threatName="DeepScan:Generic.Malware.P!Pk!.DCFD6C1D" action="move to Quarantine" initialStatus="infected" finalStatus="quarantined" error="no error"/


I had no idea what to do with it so I quarantined it. Would someone please help me with these infection issues. PLEASE! :wacko:

Comments

  • Nikilet
    Nikilet ✭✭✭

    I wish someone would respond to my 2 posts tonight about infections. My whole system has gone nuts! IE wouldn't hardly work. If I click on a program shortcut it takes about 3 minutes for it to open. My computer restarted on its own and since then when I hover my mouse over the BD icon in my task bar it says "BitDefender services are loading now, please wait ..." and that's been about 20 minutes now in that state.

  • Nikilet
    Nikilet ✭✭✭

    After the initial post above, I ran another scan with Malwarebytes. It found the same infection, Security.Hijack in that BitDefender registry key.


    Then I ran another Deep Scan with BitDefender and it found nothing.


    I am now running a full scan with Spyware Doctor and I got a pop up from BitDefender telling me that access to that Generic.Malware.P!Pk!.DCFD6C1D had been denied because it couldn't be cleaned. I had already quarantined that file earlier.


    In addition, whatever is going on completely erased nearly all my game stats for every game I have. It would sure be nice to get some help with this. I am just about ready to uninstall BDIS 2010.

  • Hello Nikilet,


    Please read this article: http://kb.bitdefender.com/KB490


    Use the tools presented there, upload the 2 logs on www.sendspace.com (or any other file sharing server) and post here the download links.


    You will receive further info after the logs will be analyzed.


    Cris.

  • Nikilet
    Nikilet ✭✭✭

    I guess nothing is going to be simple.


    I tried to run that AVIS thing three times and all three times got a pop up that it had stopped working. I have uploaded a copy of that screen here: http://www.sendspace.com/file/m4j7io


    There was a zip file on my desktop from the above labeled bd_sys_log.xml so I did try to upload this but then got a ****** error. I have uploaded a copy of that here: http://www.sendspace.com/file/anrzi5


    I tried clicking on the Scan button in this AVIS and same thing happened; however before it quit there was an infection listed as follows: C\Program Files\Dell Support\Browser Plugins\LicValidat Fragments: PK.ARMADILLO


    I don't know if this means anything, but the infection that I had reported initially was Generic.Malware.P!Pk!.DCFD6C1D.


    The log from running the gmr is here: http://www.sendspace.com/file/62a6o9


    How long do you think it will be before I hear anything? I need to go to my banking site for a personal message they sent me in answer to a question I had, and I have an order I want to place -- and I'm afraid to do either one until I find out what is going on with this Generic.Malware.P!Pk!.DCFD6C1D and also the Secure.Hijack that is still being picked up by Malwarebytes on a BitDefender registry key.


    And let's not forget the matter of having to run with UAC turned off in order for BD to generate a log file.


    Thank you

  • alexcrist
    alexcrist
    edited October 2009

    Please do NOT run a malware scan with AVIS, unless specifically told so by a BitDefender spet. The above article clearly states to go to the System info tab, not anywhere else. Files detected by Avis don't mean anything without specific context.


    Avis crashes might occur on Avis malware scans, but on log generations (the one that you should do) it should work without problems. Please try again to generate the log (make sure you run Avis with full administrative rights in Vista).


    As far as gmer scan goes, it detected 2 suspicious drivers in your system. Please follow these steps:


    1. start gmer and wait for the initial quick scan to end (does it show any rootkit alerts?)
    2. click on the "> > >" tab, to expand the tabs
    3. select the Files tab, where you will find an Explorer-like interface, with folders on the left and files on the right
    4. browse with gmer and try to find the following files:
      C:\windows\System32\Drivers\be424314.sys
      c:\windows\System32\Drivers\1cf59568.sys

      NOTE: Browsing with gmer might be slower than normal browsing, because it also searches for hidden (rootkit) files and folders.

    5. if you find the files, select them (one by one), and click Copy. Save the files in a new, empty folder (append the text .vir to their original filename)
    6. afterwards, put the files in an archive protected with the password infected (details in my signature), upload the archive on SendSpace and post here the download link.


    The flash ****** error has nothing to do with BitDefender, Avis and/or gmer. SendSpace uses a flash ****** to show a nice animation while uploading the file and probably that ****** froze on your system, which led to that message. It's no big deal (it happens sometimes, on different sites).


    Usually just trying again solves the problem.


    About security.hijack, please continue in this topic (post the requested info there): http://forum.bitdefender.com/index.php?showtopic=16204


    About missing scan logs, continue here: http://forum.bitdefender.com/index.php?showtopic=16161 (I forwarded the problem, and it's being tested)


    Cris.

  • Nikilet
    Nikilet ✭✭✭
    edited October 2009

    I didn't know I was supposed to "run as administrator." Did so this time and no problems. I uploaded the file and here is the link:


    http://www.sendspace.com/file/mmzwp7


    I opened gmer and it runs that short scan on its own. There were no rootkits shown. Then I clicked on the "Scan" again and no rootkits shown -- although I could swear the first time I ran this I saw something about rootkits at the top of the page.


    In gmer I clicked on the Files tab/Windows/System32/Drivers and then clicked on the 3 folders found there. I also followed this path in my C drive and did a search for these two files. Nothing was found either way. So if I did things right they don't seem to exist but that puzzles me because you must have found them somewhere or you wouldn't have asked me.


    I opened BitDefender/View Logs/ and under real time protection it shows a Delete on that false-positive file, for which I downloaded the patch. When I first tried to download I did it in normal mode, and then found out I should have done it in Safe mode. I did download and install patch in Safe mode without problem.


    This item is also shown -- Blocked: C\ProgramData\BitDefender\Desktop\Quarantine\temp\iMonitor.exe and describes the virus as Dropped.Generic.Malware.P!Pk!.DCFD6C1D. Again, the source of this seems to be BitDefender.


    This item is in quarantine. Should I delete it?


    I have also attached the screen shot you asked for. I did another scan with Malwarebytes tonight and it is still picking up this key. Again I am puzzled. When it originally picked up those 11 BD keys, this key was one of those. All were determined as false positives and I scanned with Malwarebytes after that and nothing was picked up -- and now it's picking up this one key again. To the best of my understanding Malwarebytes explains that this isn't necessarily a threat, but it could mean if I haven't made any changes to my system (which I haven't) this could indicate that some malware has made a change so that BitDefender can't discover it.


    I am really concerned that all of the suspicious items that have popped up are all directly related to BitDefender. For someone who is not a computer whiz, it makes you feel rather insecure with your security program.


    I still have one question. As to this archiving, why do I have to download some zip program when Vista has a zip feature on the context menu?


  • alexcrist
    alexcrist
    edited October 2009

    Temporarily disable BitDefender Realtime protection (disconnect your system from the network before doing this).


    Use gmer to find and copy (as I described above) the file:


    c:\users\cindy\appdata\local\temp\esihdrv.sys
    C:\ProgramData\BitDefender\Desktop\Quarantine\temp\iMonitor.exe


    Also, did you restart your system since you posted the gmer log? If yes, try this: make another complete scan with gmer, save the log, open it with Notepad and look for the section similar to this:


    ---- Kernel code sections - GMER 1.0.15 ----

    .text           ntkrnlpa.exe!KeSetEvent + 209
    .text           ntkrnlpa.exe!KeSetEvent + 20D
    .text           ntkrnlpa.exe!KeSetEvent + 621
    .text           ntkrnlpa.exe!KeSetEvent + 6E5
    ?               System32\Drivers\be424314.sys
    ?               System32\Drivers\1cf59568.sys

    (it is the second section from the beginning of the file).


    If there are any drivers listed there, find them (with gmer) and copy them. I ask you to look in the log yourself, because the drivers might be generated with random names on each restart.


    Put all files in a password-protected archive, upload it and post the download link.


    After you create the archive (but before connecting to the network to upload it), don't forget to re-enable BitDefender Realtime Protection.


    I have also attached the screen shot you asked for. I am really concerned that all of the suspicious items that have popped up are all directly related to BitDefender. For someone who is not a computer whiz, it makes you feel rather insecure with your security program.


    Those keys are clean and are false positives from MalwareBytes' Anti-Malware. You opened a special topic for this matter, so please continue discussion about it there, so all details about it are in the same place.


    Also, the file from quarantine will be analyzed (after you upload them) and you will get further info after that.


    I still have one question. As to this archiving, why do I have to download some zip program when Vista has a zip feature on the context menu?


    I don't know how Vista handles archiving, or if it supports file encryption. You can use whatever software you like to create those archives, as long as they have the feature of encrypting the files with a user-defined password. Encryption is critical in such cases, because it assures file integrity (all logs and samples have to reach BD Labs in their original form, without corruption).


    Cris.

  • Nikilet
    Nikilet ✭✭✭

    Cris:


    Something has got to have gone wrong here. I started that gmer scan at 9 p.m. on Oct. 17. It is now 4:51 a.m. on Oct. 18 and it was still running. I saved and then stopped it. There's no way that thing can't be done after scanning for nearly 9 hours. Right at the top were the exact items that you listed below in that driver section, but how do you get to them? I tried right clicking on them within gmer and also in Notepad. Nothing happened. I tried looking in c\windows\system32 for them and couldn't find anything. I tried doing a search for them with Dk Finder (and with show hidden files and folders checked) and nothing came up.


    As far as the first two files you told me to find and copy, I find no record of them in the scan I saved. There weren't even any items for c:\users\cindy\appdata\local. It was all roaming.


    I did find that second file having to do with BitDefender quarantine in my C drive and I went through the process you explained (after installing 7-Zip). I have uploaded that and here's the link: http://www.sendspace.com/file/m2efpu


    I'm sorry but I guess you are going to have to give me more exact instructions or something. I thought you were pretty thorough but something isn't working right. When I scanned with this gmer the first time it did run for quite a long time, but not this long! And I did wait until the Stop button said Scan again, which is supposed to indicate it's done.


    I'm also going to upload the log I saved before stopping if you want to look at that. http://www.sendspace.com/file/j28g8v


    I don't know if I did the archive thing right either. I think so. I used infected as the password on both files.


    I'll wait to hear from you because I am totally stumped.

  • Nikilet
    Nikilet ✭✭✭

    Cris: I'm still waiting for a reply from you on what went crazy with this gmer scan.


    In addition to the aforementioned, for two days now every time BD opens to do a scan another little screen opens on top of it stating "This scan task is already running. Please wait for this to finish or cancel before attempting to run it again." Now what in the heck is that supposed to mean?


    The first time this happened I immediately noticed the warning triangle over my task bar icon and when I checked it out it said "This PC has never been scanned for viruses!" At this point about 15 scans had been performed, so I would say this all indicates a bug of another sort.

  • Nikilet
    Nikilet ✭✭✭

    Cris-I wish you would follow through with me on this so we can get it straightened out.


    BitDefender Quarantined that same infection again tonight.


    It is Generic.Malware.P!Pk!.DCFD6C1D. I have googled my fool head off and I can't find anything on this.


    The path for the first one was C\Users\Name\AppData\Local\Temp\is-UQB15.tmp


    This time it is C\ProgramData\BitDefender\Desktop\Quarantine\Temp


    So does this mean the infection is trying to get out of the BD Quarantine folder?


    I'd like to know what this is, and I'd like to be able to delete it. Would you please, please get back to me on this. If I don't get an answer by tomorrow I guess I'm going to have to contact you through PM again and I know you don't like that. I won't do it unless I have to.

  • Something has got to have gone wrong here. I started that gmer scan at 9 p.m. on Oct. 17. It is now 4:51 a.m on Oct. 18 and it was still running. I saved and then stopped it. There's no way that thing can't be done after scanning for nearly 9 hours.


    Did you change any of GMER's scan settings, from the right side of the window?


    Right at the top were the exact items that you listed below in that driver section, but how do you get to them?


    Never mind those items. I found out they are legit, and they are only created in memory (they are not physically on your hard drive).


    As far as the first two files you told me to find and copy, I find no record of them in the scan I saved. There weren't even any items for c:\users\cindy\appdata\local. It was all roaming.


    Are you sure about this? In the topic about missing scan logs you said that in BD2009 you could find the logs in VirtualStore, which is a subfolder of appdata/local.


    Also, the two files I told you about didn't appear in GMER's log. They appeared in AVIS' log.


    Also, in the log that you provided in the same topic (about missing scan logs), there is a clear presence of the Local folder, with subfolders and files. Please check again, using GMER:


    [attached screenshot]


    I did find that second file having to do with BitDefender quarantine in my C drive and I went through the process you explained (after installing 7-Zip). I have uploaded that and here's the link: http://www.sendspace.com/file/m2efpu


    This file is clean, it's not currently detected by BitDefender and, furthermore, it is a BitDefender patch (related to the false positive BD had with wslib.dll a few days ago). It's not the iMonitor.exe file that I was talking about.


    Please check again and see what files you can find in C:\ProgramData\BitDefender\Desktop\Quarantine\temp\


    I'm also going to upload the log I saved before stopping if you want to look at that. http://www.sendspace.com/file/j28g8v


    Nothing suspicious appears in the log.


    As far as the first two files you told me to find and copy, I find no record of them in the scan I saved.


    I don't know if I did the archive thing right either. I think so. I used infected as the password on both files.


    They are just fine. :)

  • Nikilet
    Nikilet ✭✭✭

    I did not change any gmer settings. As I informed you in PM I can't seem to run the gmer file at all now.


    Right now there are 4 files in BD quarantine


    Secunia PSI is apparently trying to access this item with the iMonitor.exe and the DeepScan:Generic.Malware.P!Pk!.DCFD6C1D because I keep getting pop ups from BD that it is either quarantined or blocked. The PSI forum indicates that this seems to be related to Sophos. I have no idea what this is but was wondering if it is something BD makes use of. This is what I found on it: imonitor.exe is a process associated with Sophos Remote Update (imonitor.exe) from Sophos plc


    I have attached some screen shots. I also have screen shots of the info box that came up after my Blue Screen if they would help.


    I did go ahead and send all this stuff to BD tech support, but of course I've had no response.



  • Nikilet
    Nikilet ✭✭✭

    I found some more info on this imonitor.exe associated with Sophos from two sites. Thing is, how did this get on my system since I'd never heard of Sophos until all these problems sprang up.


    File Name: imonitor.exe


    File Type: EXE File


    Also Known As: imonitor


    Associated Process: Sophos Remote Update Monitor


    Status: Not Virus


    imonitor.exe is associated with Sophos Remote Update Monitor, and is not known to be harmful to your hard drive.


    File name: imonitor.exe


    Program name: Remote Update Monitor


    Description: Sophos Antivirus Remote Update utility - provides an easy way for remote workers to keep up to date with their virus protection via a website or network connection provided by their employer


    Information added by: jsilophi at 12 March 2008


    Hint: If imonitor.exe file is a virus or trojan, we recommend to use an antivirus software or registry cleaner.

  • Nikilet
    Nikilet ✭✭✭

    Cris - I think these alerts I'm getting all have something to do with that BD patch file that I applied, fppatch[1].exe.


    When I follow the path for the location of these items that are quarantined or blocked, C/ProgramData/BitDefender/Desktop/Quarantine/Temp/iMonitor.exe, that patch is what is in that temp folder.

  • Nikilet,


    It's a good thing that you told me iMonitor belongs to Sophos. I've asked someone to check this out, and that detection is a false positive (it was detected based on heuristic scanning rules, a method used to detect new malware, but which can produce false alarms). The detection should be removed in a few hours.


    As far as BitDefender goes, it has absolutely nothing to do with that file. iMonitor is not a part of BitDefender products, nor is it used in any way by BitDefender. However it reached your computer and however it starts running are things that were not caused by BitDefender installation, nor by any of its updates.


    However, since you have that file running in your system, are you sure that you don't also have Sophos installed and running? Maybe it came preinstalled on your computer when you bought it, or maybe someone else installed it? If it is so, I recommend uninstalling it, since multiple security solutions installed and active at the same time on your system can cause instability, crashes, performance losses and so on and so forth.


    fppatch.exe is an MSInstaller kit which contains only 3 files:


    - wslib.dll


    - productinfo.dll


    - fpfix.exe (main executable launched by MS Installer)


    These files belong to BitDefender and are used to fix a problem with the product from about a week ago. This installer doesn't run resident in memory (it runs, does its thing and then closes...it doesn't remain loaded in memory), nor does it use the internet connection in any way. Also, you can just delete that file, since it is only meant to be run once (after which you can remove it from your system).


    Please post what other files are in BitDefender quarantine (what files appear in BD's interface, and what files are actually present on disk, in that folder).


    Cris.

  • Nikilet
    Nikilet ✭✭✭
    edited October 2009

    Nikilet,


    However, since you have that file running in your system, are you sure that you don't also have Sophos installed and running? Maybe it came preinstalled on your computer when you bought it, or maybe someone else installed it? If it is so, I recommend uninstalling it, since multiple security solutions installed and active at the same time on your system can cause instability, crashes, performance losses and so on and so forth.


    I assure you that Sophos is not installed on my computer. It did not come preinstalled. The security program that came on my computer and which I removed right away was McAfee. I had never heard of Sophos before. I have searched my C drive for "Sophos" with Vista's search, with DK Finder and with a new program I installed the trial version of a few days ago (FileLocator Pro) just for this purpose ... and nothing was found. I have searched the registry for this and nothing was found. I am the only one who ever downloads or installs anything on this computer. When my grandson comes I will sit and play games with him and other than that, I am the only one who uses this computer. When my husband wants something off the computer, he comes to me and I do the finding.


    It does seem strange that this item was never before found, not by BD 2008 or 2009 -- not until this 2010 version was installed and not until I ran that BD patch for that WSLib.dll.



    Nikilet,


    Also, you can just delete that file, since it is only meant to be run once (after which you can remove it from your system).


    I deleted that BD patch file I downloaded as soon as I finished running it.


    The file path noted for the item quarantined is: C/ProgramData/BitDefender/Desktop/Quarantine/Temp/iMonitor.exe


    When I follow the path and get to that "Temp" folder and open it, what is shown in there is not iMonitor.exe -- it is fppatch[1].exe


    Can I delete this item?



    Nikilet,


    Please post what other files are in BitDefender quarantine (what files appear in BD's interface, and what files are actually present on disk, in that folder).


    In my program face under Antivirus/Quarantine there are two items listed:


    iMonitor.exe DeepScan:Generic.Malware.P!P... C\ProgramData\BitDefen... \Temp\


    iMonitor.exe DeepScan:Generic.Malware.P!P... C\Users\Cindy\ ...\is.UQB15.tmp\


    I have already told you what is found in that "Temp" folder.


    When I follow this second path, C\Users\Cindy\ ... (I believe the rest of it is AppData\Local\Temp) I can't find this item


    is.UQB15.tmp. I opened every folder and sub folder and then there were three more temp folders labeled Temp(12), Temp(29)


    and Temp(377) and I did the same thing in those. I can't find this item.


    In C/ProgramData/BitDefender/Desktop/Quarantine


    File: BDQF_1255657911_0.bdq


    If I Right Click/Properties says it opens with Windows Shell Commor


    It was created, modified and accessed on Oct. 15


    File: BDQF_1255657911_0.xml


    Right Click/Properties says it opens with Notepad


    It was created and accessed on Oct. 15 -- Modified Oct. 22, which is today, and this is the first I have been on my computer


    today. The only thing I have done is downloaded my email, came here to the forum, opened BitDefender. I have not opened


    any other programs, including Notepad.


    And then that Temp folder with this in it: fppatch[1].exe


    Created, accessed and modified Oct. 15


    Yesterday BD Firewall placed the item in question in quarantine 8 times because psi.exe tried to access it.


    Although I haven't been on it, I've had my computer on all day and when I checked tonight there were no instances of anything being put in quarantine. However, I wasn't here to click "Allow" or "ok" to any alerts so I don't know how that works.

  • Nikilet
    Nikilet ✭✭✭

    Sorry -- there was one more thing I wanted to tell you. Yesterday I did a full scan with Malwarebytes and nothing was found. I did a full scan with SUPERAntispyware and nothing was found, not even cookies which is unusual. I did a full scan with Spyware Doctor and nothing was found. I did a deep scan with BitDefender. It finds 13 items which are password protected and I know what those are so I'm not worried about them. So none of these programs are finding any threats.


    There is one more thing that puzzles me and that is the pop up I get every time BitDefender opens to do its scheduled scan, which just happened. I have attached a screen shot.


    And, have you heard anything from BitDefender tech support on the fact that if I turn on UAC BD will not save a log file, and, I can't even view the log file right after the scan finishes? If I click on View Log after the scan finishes absolutely nothing happens.



  • It does seem strange that this item was never before found, not by BD 2008 or 2009 -- not until this 2010 version was installed and not until I ran that BD patch for that WSLib.dll.


    As I said, it was a heuristic detection. The heuristic engine is constantly updated through Automatic Updates, along with other types of malware signatures. So maybe it was just a coincidence that that particular detection was released around the same time when you used that patch.


    If the two things were actually related, then more users should have complained about it, because that patch was widely used when it was released.


    When I follow the path and get to that "Temp" folder and open it, what is shown in there is not iMonitor.exe -- it is fppatch[1].exe


    Can I delete this item?


    Could you please right click on that file, scan it with BitDefender and let me know the result?


    Basically, yes, you can delete anything in that folder. But what you are experiencing is something so unusual that I'd like to understand what happens.


    File: BDQF_1255657911_0.xml


    Could you please open that file (with Notepad, or with your internet browser) and copy the text here?


    Yesterday BD Firewall placed the item in question in quarantine 8 times because psi.exe tried to access it.


    BD Firewall doesn't move anything to quarantine because it has nothing to do with the antivirus scanning engine.


    Could you please find this file:


       C\ProgramData\BitDefender\Desktop\Events\history.xml

    put it in an archive, upload it on SendSpace and leave here the download link. I want to take a look at the complete history of actions that BD took on your system.


    Cris.

  • alexcrist
    alexcrist
    edited October 2009
    There is one more thing that puzzles me and that is the pop up I get every time BitDefender opens to do its scheduled scan, which just happened. I have attached a screen shot.


    Please try it with UAC disabled and let me know the result.


    And, have you heard anything from BitDefender tech support on the fact that if I turn on UAC BD will not save a log file, and, I can't even view the log file right after the scan finishes? If I click on View Log after the scan finishes absolutely nothing happens.


    Yes, I've heard. And I've also tested it myself on a clean Vista install (non SP). Nobody could reproduce the problem. In fact, things worked perfectly, as the logs were stored where they should be stored, they appeared in BD's interface and they could be opened without problems.


    Again, you seem to be the only one complaining about this problem, so there might be an incompatibility with some other application that you have installed which, with UAC enabled, prevents BD from storing the logs correctly.


    To reach a definitive conclusion, more testing needs to be done.


    Cris.

  • Nikilet
    Nikilet ✭✭✭
    edited October 2009
    Could you please right click on that file, scan it with BitDefender and let me know the result?


    It scanned clean.


    Could you please open that file (with Notepad, or with your internet browser) and copy the text here?


     <?xml version="1.0" ?>
    <signature>
         <original size="196424" hash="FE7D3B4B91FD3A22DCE294AFF2FC39A8">
             <file sec_str="AwAAAAIAAACwAAAAAAAAAAAAAAABAASEFAAAACQAAAAAAAAAQAAAAAECAAAAAAAFIAAAACACAAA
    BBQAAAAAABRUAAACKe+EfT3zclOvXIrQBAgAAAgBwAAQAAAAAECQA/wEfAAEFAAAAAAAFFQAAAIp74R9PfNyU69citOsDAAAAEBgA/wEfAAECAAAAAAAFIAAAACACAAAAEBQA/wEfAAEBAAAAAAAFEgAAAAAQGACpABIAAQIAAAAAAAUgAAAAIQIAAA==
    " name="iMonitor.exe" path="C:\Users\Cindy\AppData\Local\Temp\is-UQB15.tmp\" attr="8224" crt="129001309462584937" lat="129001309462584937" lwt="129000063100000000" dtime="1255662463" />
             <file sec_str="AwAAAAIAAACwAAAAAAAAAAAAAAABAASEFAAAACQAAAAAAAAAQAAAAAECAAAAAAAFIAAAACACAAA
    BBQAAAAAABRUAAACKe+EfT3zclOvXIrQBAgAAAgBwAAQAAAAAECQA/wEfAAEFAAAAAAAFFQAAAIp74R9PfNyU69citOsDAAAAEBgA/wEfAAECAAAAAAAFIAAAACACAAAAEBQA/wEfAAEBAAAAAAAFEgAAAAAQGACpABIAAQIAAAAAAAUgAAAAIQIAAA==
    " name="iMonitor.exe" path="C:\ProgramData\BitDefender\Desktop\Quarantine\temp\" attr="8224" crt="129001309462584937" lat="129001309462584937" lwt="129000063100000000" dtime="1256035613" />
         </original>
         <quar qname="BDQF_1255657911_0.bdq" qhash="906CB0D49DAAF240A7D7B2D19184CC5D" />
         <data dvirus="DeepScan:Generic.Malware.P!Pk!.DCFD6C1D" dflags="4" />
    </signature>


    BD Firewall doesn't move anything to quarantine because it has nothing to do with the antivirus scanning engine.


    Sorry, just an example of how dumb I am about these things. I guess it's the antivirus that puts up these alerts then.


    Could you please find this file:


       C\ProgramData\BitDefender\Desktop\Events\history.xml

    put it in an archive, upload it on SendSpace and leave here the download link. I want to take a look at the complete history of actions that BD took on your system.


    <removed>


    Cris: I removed the link to your file because it contains your registration information.
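    As an added example (not code from the thread or from BitDefender), the following Python script parses a quarantine record with the layout quoted above and turns its timestamps into readable UTC dates, so the created, last-written and detection times of the two iMonitor.exe entries can be compared. It assumes that crt/lat/lwt are Windows FILETIME values and dtime a Unix timestamp; treating the number in the .bdq filename as a Unix timestamp is an additional assumption, not documented behaviour, and the sec_str blobs are shortened placeholders.

```python
"""Parse a BitDefender quarantine record (BDQF_<n>_<k>.xml) into readable form.

Added example, not BitDefender's own code. It follows the record layout quoted
in the thread; the sec_str values in the sample are placeholders."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of the FILE_ATTRIBUTE_* bits from winnt.h; 8224 = 0x2020.
_ATTR_BITS = {
    0x0001: "READONLY",
    0x0002: "HIDDEN",
    0x0004: "SYSTEM",
    0x0010: "DIRECTORY",
    0x0020: "ARCHIVE",
    0x2000: "NOT_CONTENT_INDEXED",
}

# Constructed sample: the record from the thread with sec_str shortened.
SAMPLE_RECORD = r"""<?xml version="1.0" ?>
<signature>
  <original size="196424" hash="FE7D3B4B91FD3A22DCE294AFF2FC39A8">
    <file sec_str="(omitted)" name="iMonitor.exe"
          path="C:\Users\Cindy\AppData\Local\Temp\is-UQB15.tmp\" attr="8224"
          crt="129001309462584937" lat="129001309462584937"
          lwt="129000063100000000" dtime="1255662463" />
    <file sec_str="(omitted)" name="iMonitor.exe"
          path="C:\ProgramData\BitDefender\Desktop\Quarantine\temp\" attr="8224"
          crt="129001309462584937" lat="129001309462584937"
          lwt="129000063100000000" dtime="1256035613" />
  </original>
  <quar qname="BDQF_1255657911_0.bdq" qhash="906CB0D49DAAF240A7D7B2D19184CC5D" />
  <data dvirus="DeepScan:Generic.Malware.P!Pk!.DCFD6C1D" dflags="4" />
</signature>
"""


def filetime_to_utc(ticks: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime (microsecond precision)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def unix_to_utc(seconds: int) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def fmt(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")


def decode_attrs(value: int) -> list:
    """Names of the known attribute bits set in a Windows attribute word."""
    return [name for bit, name in sorted(_ATTR_BITS.items()) if value & bit]


def quarantine_time_from_name(qname: str):
    """Assumption: the number after BDQF_ is the Unix time of quarantining."""
    m = re.match(r"BDQF_(\d+)_\d+\.bdq$", qname)
    return fmt(unix_to_utc(int(m.group(1)))) if m else None


def parse_quarantine_record(xml_text: str) -> dict:
    root = ET.fromstring(xml_text.strip())
    if root.tag != "signature":
        raise ValueError("not a quarantine record: root element is <%s>" % root.tag)
    original, quar, data = (root.find(t) for t in ("original", "quar", "data"))
    if original is None or quar is None or data is None:
        raise ValueError("record is missing <original>, <quar> or <data>")
    files = []
    for f in original.findall("file"):
        files.append({
            "full_path": f.get("path", "") + f.get("name", ""),
            "attributes": decode_attrs(int(f.get("attr", "0"))),
            "created": fmt(filetime_to_utc(int(f.get("crt")))),
            "last_access": fmt(filetime_to_utc(int(f.get("lat")))),
            # A last-write time earlier than creation is normal for a file
            # copied or extracted with its source modification time kept.
            "last_write": fmt(filetime_to_utc(int(f.get("lwt")))),
            "detected": fmt(unix_to_utc(int(f.get("dtime")))),
        })
    return {
        "detection": data.get("dvirus"),
        "original_size": int(original.get("size")),
        "original_md5": original.get("hash"),
        "quarantine_file": quar.get("qname"),
        "quarantine_md5": quar.get("qhash"),
        "quarantine_time_assumed": quarantine_time_from_name(quar.get("qname", "")),
        "files": files,
    }


if __name__ == "__main__":
    rec = parse_quarantine_record(SAMPLE_RECORD)
    for key, value in rec.items():
        if key != "files":
            print("%-24s %s" % (key, value))
    for entry in rec["files"]:
        print()
        for key, value in entry.items():
            print("  %-14s %s" % (key, value))
```

    Run as a script it prints the two entries side by side; the detection time of the second entry is four days after the first, matching the re-detection of the copy inside the Quarantine\temp folder described in the thread.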


  • Nikilet
    Nikilet ✭✭✭
    edited October 2009
    Please try it with UAC disabled and let me know the result.


    I have been running with UAC disabled all along so that I could access and view my BD logs.

  • Nikilet
    Nikilet ✭✭✭
    edited October 2009

    This is my third attempt to add more detail to this and it hasn't registered so I'm going to try one more time.


    I did the reinstall with UAC turned off. Then BD ran its quick scan and I followed up with a system scan. I was able to view both logs. Per your instructions I turned UAC back on.


    The next day I ran a deep scan and no log. Right after this occurred I turned UAC off again and ran a scan. I was able to view the log so I have left it off. Strange thing is, it was a good week before this window started popping up, and the first time it happened there was also a warning triangle over my BD icon. When I checked it out BD was informing me that this computer had never been scanned. At this point I had done a dozen scans. Since that first time the warning triangle hasn't come back, just the window.


    Another strange thing is that if I open BD and run a manual scan I don't get the window. It only comes up when BD runs its scheduled scan.


    You never commented on the screen shot I sent you of BD telling me it blocked that gmer.exe as a potentially malicious or infected application. When this happened, it happened on a fresh download of this file because I had deleted the previous one where the scan just kept running and running. Since this is one of BD's own tools I can't imagine why this would happen. And keep in mind the first time I clicked to run it I chose to "run as administrator" and it immediately brought up the Blue Screen. After restart I just clicked on it and it brought up the "block" alert.

  • OK. I got the history file and I removed the link from your post because that file contains registration information.


As far as I can see there, the Realtime Protection logs don't indicate anything about iMonitor in C:\Users\Cindy\AppData\Local\Temp\is-UQB15.tmp\. The only references to this file in Realtime Protection are the ones from Quarantine/Temp.


    So I guess that it was first detected by an OnDemand scan. There are multiple entries in History about OnDemand scans which detected infected files and solved the problems, but I don't have the scanlogs so I have no idea what files were detected (thus I assume that iMonitor was one of them).


So to just get rid of this problem, empty the BitDefender Quarantine (from its interface) and let me know what files remain in the Quarantine folder.


    About the fppath.exe file from the Quarantine/Temp folder, since it is clean, just delete it (along with the Temp folder itself, if it remains empty).


    Also, Secunia PSI only requested network access once, about 10 days ago. What puzzles me is what alerts you saw exactly about this process, since nothing else appears in BD History. If it appears again, please make a screenshot of it and attach it here.


    About the popup that appears when a scheduled scan starts, I will try to make a few tests. If I find anything, I will give you more details.


About Active Virus Control (AVC) alerts that you receive: I noticed that you received multiple such alerts in the past few days, for multiple applications that you chose to block.


    Please read this topic about the Behavioral Scanner (AVC is a newer version of the engine presented in that topic): http://forum.bitdefender.com/index.php?showtopic=13063


    In short: those alerts do not mean that a specific process is really infected. So any process that you know and that you trust (like software downloaded from trusted sources) you are safe to allow to run. To edit the current whitelist/blacklist of AVC rules, open BitDefender Security Center (Expert mode) and go to Antivirus -> Shield and click Advanced. There you can add/edit/remove any AVC rules, or change the scanning settings.


About gmer: I reported that detection and it will be fixed in one of the future BD updates. In the meantime, just allow gmer to run whenever BD reacts to it. The tool is perfectly safe to run. Also, if you already blocked it, go to the AVC settings (as described above) and remove its rule.


    Also, are you by any chance running Vista x64?


    Please download the latest version of GMER and try again with Administrative credentials. Make sure you remove any "Block" rules related to gmer from BitDefender AVC.


    Cris.


P.S.: I'm sorry I skipped some things in my replies. It's not intentional. If I skipped something else (or if I skip again), please let me know.

  • Nikilet
    Nikilet ✭✭✭
    edited October 2009

After I removed the 2 files in quarantine in the program face, the only thing remaining in C drive was that Temp folder with fppatch.exe in it. I also removed that folder. At this time Quarantine is empty.


    Also, Secunia PSI only requested network access once, about 10 days ago. What puzzles me is what alerts you saw exactly about this process, since nothing else appears in BD History. If it appears again, please make a screenshot of it and attach it here.


    This I really don't get because that one day I think it was 8 times that BD gave me an alert that it had blocked access to this iMonitor/DeepScan:Generic.Malware.P!Pk!... and it said right on the alert: accessed by psi.exe


About Active Virus Control (AVC) alerts that you receive: I noticed that you received multiple such alerts in the past few days, for multiple applications that you chose to block.


    To edit the current whitelist/blacklist of AVC rules, open BitDefender Security Center (Expert mode) and go to Antivirus -> Shield and click Advanced. There you can add/edit/remove any AVC rules, or change the scanning settings.


    There were only 2 items listed in this spot. They were both games and it showed on both that they were "Allowed." Yet you state that events log showed I received multiple alerts for multiple applications I chose to block. The only alerts where I clicked on "OK" to allow BD to block were all those related to that iMonitor deal where it stated psi.exe was trying to access it, and the gmer.exe alert, but none of that is listed under BD Security Center/Antivirus/Shield/Advanced (in Expert Mode). So I am further confused about why they don't show up in this list as "Blocked."


    No, I am running Vista x32


    I did download that gmer file from the link you provided, but is it now necessary to run it? I kinda hate to try and run that as administrator again and end up with another Blue Screen. Is there still something from this scan that you wish to see?


    Thank you, Cris, for all the help you have given me. If appreciation were money you would be rich.

  • This I really don't get because that one day I think it was 8 times that BD gave me an alert that it had blocked access to this iMonitor/DeepScan:Generic.Malware.P!Pk!... and it said right on the alert: accessed by psi.exe


    Maybe. I never said that it didn't happen.


    The fact is that the History doesn't store info about WHAT accessed a detected file. It just stores info about the file location, detection name and action taken.


    That is why I asked you to take a screenshot when/if it happens again.


    So I am further confused about why they don't show up in this list as "Blocked."


    There are 4 "Blocked" actions in the History.


2 of them are about gmer (as you said), one of them is about UnlockerAssistant.exe (on October 22, 2010, 4:27AM) and also one about C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMProcess.exe (on October 22, 2010, 4:28AM).


Why didn't you find rules for these programs? Because, by default, BitDefender 2010 doesn't create permanent rules. When an AVC or IDS (Intrusion Detection System) alert appears, it has 2 buttons, to Allow or Block the application in question once. That popup also contains a checkbox; if it is checked, a rule will be created based on your answer, so the same action will be taken automatically the next time the popup would appear for that process.


    So if you (or whoever was at the computer at that time) didn't check that checkbox, then there weren't any rules created.


    I did download that gmer file from the link you provided, but is it now necessary to run it? I kinda hate to try and run that as administrator again and end up with another Blue Screen. Is there still something from this scan that you wish to see?


No, there's nothing at this point that I want to see from gmer. If you don't want to, you don't have to run it.


    Since you removed all files from quarantine, let me know if in the next few days any popups appear related to iMonitor or fppatch.exe (or anything else related to BD Quarantine).


    Cris.