Trojan.heur.11

This morning, BD quarantined Microsoft Office Activation Assistant.exe. All the other files in the directory were left where they were (screenshot attached); only this file was treated as a trojan. I've used this program in the past, so I'm not sure why it was flagged as a virus all of a sudden. How can I verify that it is infected?


Here is the log entry:


<AffectedItem itemType ="File" path="C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" threatType="virus" threatName="Gen:Trojan.Heur.11" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>


The only thing I can figure is that the folder name after ProgramData is strange (that string of numbers with curly brackets). Anyway, when I went to the folder to investigate, BD automatically removed the file to quarantine as soon as I opened the folder.


Can anyone help or tell me how I can verify the file? I'm sure I'll need to use this program again.


Thanks so much!


Karen


Comments

  • AndreiRC
    edited February 2009

    I opened up my computer this morning and BitDefender Antivirus 2009 announced upon scanning that it found Gen:Trojan.Heur.11 in the Microsoft Office Activation Assistant.exe file. This file was used only once, when I activated my Microsoft Office package in September 2008! No Trojans have been detected in any scans since I got BitDefender. The file was last modified in March 2007, probably when the file was made for Office.


    What's going on? Is this a faulty virus detection?

  • I just noticed this after I posted myself in the BD 2009 forum. I got the exact same thing today with BD 2009, same file, same trojan.


    Could this be a false detection?

  • Dear AndreiRC,


    If you receive a heuristic detection you should always submit it. In this case it's a false positive. I am going to contact a virus researcher.


    Kind regards,


    Niels

  • Niels,


    The file was quarantined and I did submit it to the lab (even though BD says I didn't - not sure why it says that).


    If you need me to upload the file in question so you can check it, please let me know.


    Thanks,


    Andrei

  • Niels
    edited February 2009

    Dear farrelldoc,


    Thank you for reporting this.


    Heuristic detections should always be submitted. You can recognize them by .heur or behaves like ... detections.


    In this case it's a false positive. Can you please attach the detected file? First you need to temporarily disable the real-time protection. I assume that you are still using version 2008 because you have posted here. Right-click on the red BitDefender icon near the system tray and click on open advanced settings, then go to antivirus, shield, uncheck "real-time protection is enabled" and choose 1 hour. Now navigate to the quarantine area, select Microsoft Office Activation Assistant.exe and press on restore. Now add Microsoft Office Activation Assistant.exe as an attachment to your next post and upload it. To upload a file you need to scroll until you see the attachments section (when you are in the screen of creating a reply or a new topic), press on browse, go to the location of Microsoft Office Activation Assistant.exe, press on open and then on upload. It might be that you need to compress it. So a virus researcher can download it to make an exception.


    Kind regards,


    Niels
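Added example (not part of the original thread and not BitDefender's own tooling): a triage script over scan-log entries in the `AffectedItem` format quoted in the first post, applying the naming rule from the reply above (`.heur` or "behaves like" in the threat name) to list the heuristic detections worth submitting. It assumes one element per line; apart from the first entry, the sample log lines and threat names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Naming rule from the thread: ".heur" or "behaves like" marks a heuristic detection.
HEURISTIC_NAME = re.compile(r"\.heur\b|behaves\s+like", re.IGNORECASE)

# First entry is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = r'''
<AffectedItem itemType ="File" path="C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" threatType="virus" threatName="Gen:Trojan.Heur.11" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem itemType="File" path="C:\Temp\constructed-sample.exe" threatType="virus" threatName="Constructed.Signature.A" action="delete" finalStatus="deleted" error=""/>
<AffectedItem itemType="File" path="C:\Temp\constructed-saver.scr" threatType="virus" threatName="Behaves like Constructed.Dropper" action="none" finalStatus="infected" error=""/>
<AffectedItem itemType="File" path="C:\Temp\cut-off
'''


def parse_entries(log_text):
    """Return one attribute dict per well-formed AffectedItem line (assumed one per line)."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("<AffectedItem"):
            continue
        try:
            entries.append(dict(ET.fromstring(line).attrib))
        except ET.ParseError:
            continue  # truncated or damaged line: skip it, keep processing the rest
    return entries


def heuristic_detections(log_text):
    """Entries whose threat name follows the heuristic naming rule, with triage fields."""
    report = []
    for item in parse_entries(log_text):
        name = item.get("threatName", "")
        if HEURISTIC_NAME.search(name):
            report.append({
                "path": item.get("path", ""),
                "threat": name,
                # Still flagged or the action failed: the file needs manual follow-up.
                "unresolved": item.get("finalStatus") == "infected" or bool(item.get("error")),
            })
    return report


if __name__ == "__main__":
    for row in heuristic_detections(SAMPLE_LOG):
        print(row)
```

A match on the naming rule only identifies how the engine reached its verdict; whether the file is clean is still decided by the vendor's analysis of the submitted sample.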

  • Dear AndreiRC,


    Sending through quarantine isn't the quickest way. Or did you mean that you asked support? I contacted a virus researcher and I was asked that you upload it here on this forum as an attachment.


    Can you please attach the detected file? First you need to temporarily disable the real-time protection. Open BitDefender and switch to advanced view. Now navigate to the antivirus section, uncheck "real-time protection is enabled" and choose 1 hour. After that, go to the quarantine area, select Microsoft Office Activation Assistant.exe and press on restore. Now add Microsoft Office Activation Assistant.exe as an attachment to your next post and upload it. To upload a file you need to scroll until you see the attachments section (when you are in the screen of creating a reply or a new topic), press on browse, go to the location of Microsoft Office Activation Assistant.exe, press on open and then on upload. It might be that you need to compress it. So a virus researcher can download it to make an exception.


    Kind regards,


    Niels

  • Thank you. However, it would not let me attach the file, either as an .exe or a .zip file. It said I can't upload that type of file.

  • AndreiRC
    edited February 2009

    It was sent through the quarantine. Alright, I'll keep in mind not to do that in the future.


    Alright, I'll upload the zipped file here.


    Unfortunately, I'm having a problem uploading the zipped file. It says "Upload failed. You are not permitted to upload this type of file." Can you help me?


    Same problem with the .exe file, I cannot upload it.

  • Due to changes in the board, uploads are currently disabled. Please upload the file to a public file sharing site or contact support and they will tell you how to send the files in for analysis.

  • Ok, as Catalin suggested in the other forum, I have uploaded the file to a public filesharing site.


    Here's the download link


    http://rapidshare.com/files/203682877/Micr...istant.zip.html

  • Detection has been scheduled for removal. Thank you for reporting.

  • Thank you, Catalin. :) Let us know when we can take that file out of quarantine.

  • I just bought BD yesterday because of a "Congratulations, you've won" announcement that kept coming up. Following my scan, I had the same file (trojan.heur.11) that had no action available. Should I send this to you, as well?

  • Niels
    edited March 2009

    Dear AndreiRC,


    You don't have to restore them because BitDefender can automatically restore quarantined items that were false positives after an update is released with an exception for the file. That feature is only available in BitDefender 2009. To check if that option is enabled, please go to antivirus, quarantine, settings, scan quarantined items after update, and be sure that restore clean files is checked.


    Kind regards,


    Niels


    Dear dr_al,


    Yes, please send the file also. You need to upload it also on an online file host.


    Kind regards,


    Niels

  • AndreiRC
    edited March 2009
    Niels,


    Ah, so BD 2009 is going to restore that file automatically then. Ok, thanks for the info.


    Andrei


    P.S. Yes, Restore Clean Files is checked.

  • I believe that this file came on new computers with Microsoft Office Suite 2007 trials. The activation assistant is the program that coordinates the online download and registration for the Office Suite so that it can be purchased and a registration key generated. I am not going to go out on a limb and say it should be/could be deleted or uninstalled. I plan to do more research into this possibility however because I think it may be an unnecessary program since I have already installed a registered copy of Office Professional 2007. BTB, best price was at Costco.

  • Just wondering if this problem was fixed. My file is still in quarantine and I thought maybe this was fixed and the Restore Clean Files wasn't working properly or something.

  • rootkit
    It's just a FP, you can take that file out of quarantine and add it to Exclusions until the update :)

  • Ah, so the update wasn't done yet. It will probably take a while longer then.


    I think I'll keep it in quarantine, no harm done if it's there. :)

  • Yep, it is, it doesn't report it anymore. Maybe the Restore Clean File wasn't working properly then. I restored it myself.


    Thanks! :)

  • Another victim of the heuristic... :(


    http://rapidshare.com/files/206248852/files.zip.html


    Note: These files are split into two folders because they are different from each other.


    They're some screensavers that I made for two of my websites. I'm sure they're clean, but since one of the latest updates Bitdefender says they have Trojan.Heur.


    Best Regards,


    Leonardo

  • Dear user. Removing the detection will require a bit of work on the heuristics and this might take a day or two. Please post back then. If detection has not yet been removed, we should have a more accurate answer. Thank you.

  • Ok, I will let you know. Thanks.


    Best Regards,


    Leonardo

  • csalgau
    edited March 2009

    Ok, so it's two days now.


    It's been the weekend and I was given "if I have time" for this one.


    And apparently my colleague "didn't have time".


    So I'll put in a workaround now and I'm hoping for a fix in the next 16 to 24 hours. Should be in place with the next update.


    Hope that's ok.

  • Ok. Thanks ;)