Gen:Trojan.Heur.A423DCE978

Hi Cris,


My laptop has the Gen:Trojan.Heur.A423DCE978 in C:\System volume ...


Should I follow your instruction with AVIS and send you the log too? Can I not send an attachment to the forum (there's an upload button I see) rather than rapidshare (never used before)? What exactly is PM?


According to the latest deep scan (Pls see attached log), there's also an infection threat name: "Application.Generic.23017" in 3 objects, two in archive and one "Disinfect Failed". What should I do with these?


Thanks for your help.


CPS

Attachment: LaptopScanLog1243931404_1_02.xml

Comments

  • Hello CPS,


    Please find this file:


    C:\Program Files\unispim30.msi

    put it in a password-protected archive, with the password infected, upload the archive on a file-sharing server and send me the download link by PM.


    As for the detected file from System Volume Information, please read this topic: http://forum.bitdefender.com/index.php?showtopic=3575


    Follow the steps presented there and post back if you can solve the problem.


    Cris.

  • Thanks Cris,


    How do I put a file in a password-protected archive?


    Is yousendit.com a file-sharing server that I can use?


    Catherine


  • How do I put a file in a password-protected archive?


    How to archive a file using a password


    Is yousendit.com a file-sharing server that I can use?


    Yes, it is.


    Cris.

  • Thanks Cris,


    I followed your lead about System Volume Info, and seem to have got rid of the Gen:Trojan.Heur.A423DCE978.


    I have also now installed IZArc for archiving.


    BUT earlier today I made the mistake of deleting the unispim30.msi from the 3 locations (including in Program Files) where it was detected, thinking that it might solve the problem.


    When I scanned the laptop again, I found that the threat Application.Generic.23017 is now infecting three different objects and unispim30.msi seems to be still associating with these, although in a strange "RECYCLER" folder. This folder or the unispim file cannot be found even with hidden and Program files being searched.


    I have no idea how to locate unispim30.msi to upload for you to see. What should I do now?


    Attached pls find the latest scan log.


    Grateful for your help.


    Catherine



    Attachment: LaptopLog1244025484_1_02.xml

  • Please open Recycle Bin on your Desktop and restore the 3 files. Please DON'T permanently delete them. We need them for analysis.


    Then find the one in Program Files, archive it and send it to me (as I said above).


    Cris.

  • Hi Cris,


    Here's the link for the file to be analysed:


    http://www.yousendit.com/download/MnFpak8rdzhqY3FGa1E9PQ


    Hope it works. Thanks again.


    Catherine

  • alexcrist (edited June 2009)

    It seems to be some kind of Adware application (as far as I can tell).


    You should be able to remove it from Add/Remove Programs in Windows Control Panel (the first and the last programs in this list):


    [screenshot: post-60-1244033568_thumb.jpg, Add/Remove Programs list]


    The application is in Chinese (probably) and I couldn't read any of those characters. This screenshot is the most I can provide.


    There is also an entry in StartMenu which might help you uninstall it.


    [screenshot: post-60-1244034071_thumb.jpg, Start Menu entry]


    Try to uninstall it, and see if the 3 files which are detected are removed. There should also be other components of this application that are detected by BitDefender.


    The fact that the detection is named Application. means that it's not a high-risk threat. In this case, it's most likely just an annoyance. If you don't really need this application, you should remove it from your system (and Add/Remove Programs would be the best approach, instead of just deleting a few files).


    If you want, I can forward this application to the Analysis department, so one of BitDefender Virus Analysts can take a professional look at it. But my guess is that this detection is correct and my advice, as I said, is to remove this application if you don't really need it.


    Cris.

  • cpscheung (edited June 2009)

    Strangely, I cannot see either of the two programs you identified in my Add/Remove Programs window. I think I know one of the two Chinese characters (as I did try to install it over a year ago, but it didn't work & I thought I already uninstalled it). Are there other ways of revealing them and uninstalling them?


    What about the password protected files that cannot be scanned? Are they important? I did try to extract them with IZArc but got errors every time. Any special trick to extract and get them scanned?


    All the identified objects that cannot be scanned are all Spybot related (My laptop has 4 and my PC has 55!). e.g. C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDHelper.zip=]sbRecovery.reg


    In my PC, the spybot related files are all under drivers and include various file types (.exe .sys .inf .cat .cpl .ini)


    CPS

  • alexcrist (edited June 2009)

    Strangely, I cannot see either of the two programs you identified in my Add/Remove Programs window.


    The first two files, located in C:\Documents and Settings\HP\Desktop\ (and in one of its sub-folders) are part of the original installation kit. Those two have to be removed manually.


    About the third one, C:\Program Files\unispim30.msi... I double checked my results and it seems this file is not part of the installed application. It's just the installer. You will also have to remove it manually.


    After you delete the files, also open Recycle Bin and empty it.


    If you already tried to uninstall it in the past, chances are that you succeeded in removing it.


    Just to double-check, this is a list of files generated by the installer:


    - in C:\Windows\Downloaded Program Files:
      • BDHelper.dll
      • BDPlugin.dll (detected by BitDefender)
      • BDSrHook.dll (detected by BitDefender)
    - in C:\Windows\System32:
      • unispim.ime
      • upengine.dll
      • version_BDH
    - in C:\Windows\System32\ime:
      • a folder called unispim which contains multiple files


    Check for these files. If you find them, move them to a secure location (maybe in a password-protected archive). Reboot your system and then test a few days to see if any errors appear. If everything goes OK, you can permanently remove the files.


    What about the password protected files that cannot be scanned? Are they important? I did try to extract them with IZArc but got errors every time. Any special trick to extract and get them scanned?


    As I said above, if you don't know the password, you cannot open the archives. And since you didn't create those archives, you don't know the password.


    Also, you don't need to worry about them, since they are archived and don't represent any threat to your system while they are archived.


    All the identified objects that cannot be scanned are all Spybot related (My laptop has 4 and my PC has 55!). e.g. C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDHelper.zip=]sbRecovery.reg


    In my PC, the spybot related files are all under drivers and include various file types (.exe .sys .inf .cat .cpl .ini)


    You can probably remove those files by opening SpyBot and emptying all restore points or backups, and the quarantined files.


    SpyBot, as well as all other security applications (even BitDefender), keeps some backup data, or quarantined files. This happens in case you want to restore anything that the application removed. It's normal, and since we are talking here about trusted security applications, those files are secured and don't represent any threat. You don't have to open those archives to scan the files.


    You can ignore those alerts.


    Cris.
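Cris's advice in the thread is to move the leftover installer files to a safe location rather than delete them, and to check Add/Remove Programs for the application. The PowerShell script below is an added example (not BitDefender's tool and not something posted in the thread) that does both checks in one pass: it looks for the paths listed above, records a SHA-256 hash and timestamps for anything found, moves the items into a quarantine folder so they can still be sent for analysis or restored, and lists any uninstall registry entries whose name mentions "unispim". The quarantine folder `C:\Quarantine` and the "unispim" search string are assumptions for the example.

```powershell
# Added example: triage the leftover files listed in the thread.
# Nothing is deleted; found items are hashed and moved to a quarantine folder.
# Run from an elevated (Administrator) PowerShell, since System32 paths are involved.

$Paths = @(
    'C:\Windows\Downloaded Program Files\BDHelper.dll',
    'C:\Windows\Downloaded Program Files\BDPlugin.dll',
    'C:\Windows\Downloaded Program Files\BDSrHook.dll',
    'C:\Windows\System32\unispim.ime',
    'C:\Windows\System32\upengine.dll',
    'C:\Windows\System32\version_BDH',
    'C:\Windows\System32\ime\unispim',     # folder with multiple files
    'C:\Program Files\unispim30.msi'       # the installer itself
)

$Quarantine = 'C:\Quarantine'              # assumed location for this example
$Manifest   = Join-Path $Quarantine 'manifest.csv'
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

# Record hash, size and timestamps for one file, so the analyst can identify
# exactly which sample was examined even after it is moved.
function Get-FileRecord {
    param([System.IO.FileInfo]$File)
    [pscustomobject]@{
        Path         = $File.FullName
        SHA256       = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
        SizeBytes    = $File.Length
        CreatedUtc   = $File.CreationTimeUtc
        LastWriteUtc = $File.LastWriteTimeUtc
    }
}

$Found = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $item = Get-Item -LiteralPath $p -Force
    if ($item.PSIsContainer) {
        # Hash every file inside the folder, hidden ones included.
        Get-ChildItem -LiteralPath $p -Recurse -File -Force | ForEach-Object { Get-FileRecord $_ }
    } else {
        Get-FileRecord $item
    }
}

if ($Found) {
    $Found | Format-Table -AutoSize
    $Found | Export-Csv -LiteralPath $Manifest -NoTypeInformation -Append

    # Move, don't delete: the originals stay available for analysis or rollback.
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $dest = Join-Path $Quarantine ($p -replace '[:\\]', '_')
            Move-Item -LiteralPath $p -Destination $dest -Force
            Write-Host "Moved $p -> $dest"
        }
    }
} else {
    Write-Host 'None of the listed files are present.'
}

# Add/Remove Programs is built from these registry keys; an entry that does not
# show in the Control Panel list (e.g. a non-Latin DisplayName) can still be found here.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Search = 'unispim'                        # assumed search string for this example
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Search -or $_.UninstallString -match $Search -or $_.PSChildName -match $Search } |
    Select-Object DisplayName, UninstallString, InstallLocation, PSChildName |
    Format-List
```

The manifest CSV is what you would attach when sending the sample for analysis: the SHA-256 column lets the analyst confirm they received the same file you quarantined. The registry query only reports uninstall entries; running the `UninstallString` it prints is a separate, deliberate step once you have confirmed the entry is the application you want gone.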