Quarantining Vista Files
After an update today, May 23, I noticed Bitdefender started flagging "PresentationCore.ni.dll" as a Gen:Trojan.Heur.PT.FF97686868. As far as I can tell this file is part of Windows Vista 64 as it lives in the Windows assembly directory. Has anybody else had this issue today?
Comments
-
Hello wagswvu,
Please put the file in a password-protected archive (with the password infected), upload it on a file sharing server and send me the download link through PM.
Cris.
-
I'm using BD 2009 and Vista 64 bit and today (May 23) it's quarantined 3 files that I don't think are viruses...
BDATunePIA.ni.dll
mcupdate.ni.exe
loadmxf.ni.exe
-
yea same thing happened to me too
idk I'm waiting for an update
-
The same, but I have 12 files, all with .ni.exe extension and in a Windows folder...
-
yea I have the same files in there too
let me know if yours is back to normal
-
My computer is working fine... I think that there is a backup from an update.
I can restore the files but when the OS accesses the files, or I perform a scan, BD moves the files to the quarantine... =S
-
3 of the files came up on my screen, so I did a scan of that area.
It looks like normal windows stuff, but if these are viruses, looks like a format for me!
-
Hello, I got this virus too. The log says it cannot be deleted; here's a copy:
"C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCore\51723e8b1fff9d531f76da0f8988c584\PresentationCore.ni.dll"
threatType="virus"
threatName="Gen:Trojan.Heur.PT.FF97686868"
action="disinfect"
finalStatus= "infected"
error= "no action possible"
--- Also it deleted some other assembly files. I did a scan and it found around 20-30 viruses (trojans); it deleted all of them except that one.
-
Detection for PresentationCore.ni.dll was a false alarm and was removed. Thank you for reporting.
As for the other files: please update BitDefender, restore the quarantined files, and rescan that folder. If any of those files are still marked as infected, please put them in a password-protected archive (with the password infected), upload the archive on a file sharing server, and send me the download link through PM. I will forward them for analysis ASAP. Thank you.
Cris.
-
I updated then restored the quarantined files, then after scanning it said 22 ni files were viruses...
-
As I said, I need the files to send for analysis. Without the files, nobody can do anything. I can give the Analysis Department only the detection names, but in this case removal will take longer.
So the easiest and fastest way is if someone who has this problem archives the files and sends them to me, as I said before.
Cris.
-
I have a couple of files being flagged this way... Currently re-scanning, but I'll email them in as requested asap.
P.S. - Wow! 8 now... Still - emailing.
Edit2: Submitting from within the software instead - got cross with the files being quarantined every time I tried to zip them.
-
Infomage, submitting from within the interface will take longer to process.
Please temporarily disable BitDefender realtime protection, restore the files, and archive them. I'll send them so this can be solved faster. Thank you.
Cris.
-
OK - will do... it's going to take a while.
For confirmation, should I email to the generic support@ address?
-
Please archive the files with the password infected, upload the archive to a file sharing server, and send me the download link through PM (or post it here).
Cris.
-
OK - I am not registered with any file sharing sites and I don't have my own FTP access - where do you recommend I register?
Scratch that - found one.
Uploading now. I'll PM you the link.
-
Detection was removed from the product. I just updated my BitDefender and the files (which I got from Infomage) are no longer detected.
Please update BitDefender and rescan the files.
Cris.
-
Thank you for solving the issues
All my quarantined files are restored without a false positive
Thanks!!
-
Glad someone could get that bagged and tagged for you "as you said".
I'm updated and restored and hoping BD has gotten it straightened out. 2 days of dealing with antivirus update problems is wearing my loyalty thin.
-
All fixed. Thanks Cris.
-
False positives occur every day in any antivirus software, not just BitDefender. Why does this happen? Simple: because the Virus Analysts try to create different algorithms that will detect different viral behavior even before a sample of actual malware is analyzed. This method is called Heuristic scanning and is used to detect and protect from unknown malware.
And sometimes, some of these algorithms also "detect" clean files. Heuristic scanning is not exactly an "exact science". It's only based on approximations and predictions.
Now this being said... the only way to fix false positives (clean files flagged as infected, as a result of the above process) is to analyze those files and to fix the algorithms so those files aren't detected anymore. And this cannot be done without the files! And when I say once, or twice, or 3 times that someone needs to submit some samples, and the users just keep complaining about the problem, without anyone actually following my advice... well... no comment about it.
As soon as Infomage sent me the files, I submitted them and the problem was fixed.
I'm glad I could help.
Cris.
== CLOSED (issue solved) ==
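
The update, rescan and submit routine from this thread, as an added example that is not part of the original posts and is not BitDefender code: it compares a scan log taken before a signature update with one taken after, lists signals consistent with a heuristic false positive, and says which files still need a sample submitted. The log entries (assumed to be `AffectedItem` elements with `path` and `threatName` attributes), the hash directories, the detection names, the signal labels and the `triage` function are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data: hash directories, detection names and the
# Downloads entry are placeholders, not values from a real scan.
NGEN = "C:\\Windows\\assembly\\NativeImages_v2.0.50727_64\\"

def log(*rows):
    items = "".join('<AffectedItem path="%s" threatName="%s"/>' % r for r in rows)
    return "<ScanDetails>%s</ScanDetails>" % items

BEFORE = log((NGEN + "mcupdate\\hash-a\\mcupdate.ni.exe", "Gen:Trojan.Heur.PT.SAMPLE1"),
             (NGEN + "ehExtHost\\hash-b\\ehExtHost.ni.exe", "Gen:Trojan.Heur.PT.SAMPLE1"),
             (NGEN + "Narrator\\hash-c\\Narrator.ni.exe", "Gen:Trojan.Heur.PT.SAMPLE2"),
             ("C:\\Users\\demo\\Downloads\\setup.exe", "Trojan.Sample.Static"))
AFTER = log((NGEN + "Narrator\\hash-c\\Narrator.ni.exe", "Gen:Trojan.Heur.PT.SAMPLE2"),
            ("C:\\Users\\demo\\Downloads\\setup.exe", "Trojan.Sample.Static"))

HEUR = re.compile(r"\bHeur\b", re.I)  # heuristic family marker in the name
NGEN_RE = re.compile(r"^[a-z]:\\windows\\assembly\\nativeimages_[^\\]+\\", re.I)

def parse(xml_text):
    return [(i.get("path"), i.get("threatName"))
            for i in ET.fromstring(xml_text).iter("AffectedItem")]

def triage(before_xml, after_xml):
    """Map each path flagged before the update to (fp_signals, next_step)."""
    before = parse(before_xml)
    still = {p.lower() for p, _ in parse(after_xml)}
    files_per_name = defaultdict(set)
    for path, name in before:
        files_per_name[name].add(path.lower().rsplit("\\", 1)[-1])
    out = {}
    for path, name in before:
        signals = [label for label, hit in (
            ("heuristic-name", HEUR.search(name)),
            ("ngen-cache", NGEN_RE.match(path)),
            ("name-shared-by-unrelated-files", len(files_per_name[name]) > 1),
        ) if hit]
        # Signals only rank the queue: a path or a detection name never
        # proves a file clean, so anything still flagged goes to a human.
        if path.lower() not in still:
            step = "cleared-by-update"
        else:  # "handle-as-detection" is this example's own label
            step = "submit-sample" if signals else "handle-as-detection"
        out[path] = (signals, step)
    return out
```
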