[solved] Deep Scan Threat Name "dropped:generic.malware.sl!"

I ran a deep system scan today and had 9 threats listed as follows.


Object Name                                       Threat Name                            Final Status
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.2BCEA32E   Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.2DF584BC   Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.36008ECA   Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.3AB797FF   Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.40BE776F   Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.9502FDEA   Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.D06152C6   Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.F1E2DC24   Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.FBACB17F   Disinfect Failed


So I set up and ran a critical scan with the setting to quarantine the infected items.


Object Name                                       Threat Name                            Final Status
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.2BCEA32E   Move to Quarantine Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.2DF584BC   Move to Quarantine Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.36008ECA   Move to Quarantine Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.3AB797FF   Move to Quarantine Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.40BE776F   Move to Quarantine Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.9502FDEA   Move to Quarantine Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.D06152C6   Move to Quarantine Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.F1E2DC24   Move to Quarantine Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE)    Dropped:Generic.Malware.SL!.FBACB17F   Move to Quarantine Failed


I don't know what to do next. Can someone please help me out?
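
The nine rows above all point at one container file, reported once per embedded object. The following added example (not from this thread or from BitDefender) parses rows in that layout and groups them by container, so a report like this reads as "one file with nine generic heuristic hits that could not be remediated", the situation that later turned out to be a false positive worth submitting. The status strings and the "=]" embedded-object marker are assumed from the rows as quoted.

```python
import re
from collections import defaultdict

# Final-status strings seen in the rows quoted above. Treating this list as the
# row terminator is an assumption about the report format; extend it as needed.
STATUSES = ("Disinfect Failed", "Move to Quarantine Failed")
# Row layout: <object, may contain spaces> <threat name> <final status>
ROW_RE = re.compile(r"^(?P<object>.+)\s+(?P<threat>\S+)\s+(?P<status>"
                    + "|".join(map(re.escape, STATUSES)) + r")$")
EMBED_MARK = "=]"  # separates a container file from the object found inside it
VARIANT_RE = re.compile(r"\.([0-9A-Fa-f]{8})$")  # per-variant suffix of the name

# Constructed sample: the report header plus three rows copied from the post.
SAMPLE_REPORT = r"""Object Name Threat Name Final Status
C:\WINDOWS\Installer\23578.msi=](Embedded EXE) Dropped:Generic.Malware.SL!.2BCEA32E Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE) Dropped:Generic.Malware.SL!.2DF584BC Disinfect Failed
C:\WINDOWS\Installer\23578.msi=](Embedded EXE) Dropped:Generic.Malware.SL!.36008ECA Disinfect Failed
"""


def parse_row(line):
    """Return one report row as a dict, or None for header and blank lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    container, _, embedded = m.group("object").partition(EMBED_MARK)
    threat, status = m.group("threat"), m.group("status")
    v = VARIANT_RE.search(threat)
    return {"container": container, "embedded": embedded or None,
            "family": VARIANT_RE.sub("", threat),
            "variant": v.group(1) if v else None,
            "status": status, "failed": status.endswith("Failed")}


def triage(report_text, min_hits=3):
    """Group rows by container file. Several generic/heuristic hits on one
    container that all failed remediation is one file to submit for analysis."""
    groups = defaultdict(list)
    for line in report_text.splitlines():
        row = parse_row(line)
        if row:
            groups[row["container"]].append(row)
    summary = {}
    for container, rows in groups.items():
        families = sorted({r["family"] for r in rows})
        all_failed = all(r["failed"] for r in rows)
        summary[container] = {"hits": len(rows), "families": families,
                              "all_failed": all_failed,
                              "review_candidate": len(rows) >= min_hits and all_failed
                              and all("Generic" in f for f in families)}
    return summary
```

Running triage(SAMPLE_REPORT) returns a single entry for C:\WINDOWS\Installer\23578.msi with three hits, one family and review_candidate set, which is the cue to collect that one file rather than chase nine separate infections.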

Comments

  • morty43b
    edited December 2009

    I received the same malware prompts. Would you be running an IBM Thinkpad? I am far from an expert but it appears to me that BitDefender isolates some of the old IBM Rescue & Recovery software as malicious.

  • Hello Ziggy1976,


    Please find this file:


    C:\WINDOWS\Installer\23578.msi

    Put the file in a password-protected archive, using the password "infected". Upload the archive on a file sharing server of your choice (such as www.sendspace.com) and send me a PM with the download link.


    If BitDefender blocks access to the file, temporarily disable BitDefender realtime protection.


    @morty43b: Please follow the same advice and send me the detected file.


    Cris.

  • OzarkOutback
    edited December 2009

    Hi Cris,


    Thanks for your response to my problem. I am using a ThinkPad R52. IBM has not been doing a good job of software updates and my system no longer does any updates from IBM. BitDefender has been flagging the recovery program and its backup files as a virus for about 2 years now (I did not reflect these threats in my earlier post). These newest threats are also related to the recovery and restore program. Two years ago when I asked the BitDefender tech line 800 phone number I was told not to worry about the files, that they had to do with the recovery system by IBM. Now at that time I wondered "Am I the only BitDefender customer to get these files flagged as threats?" but I took their word for the truth and ignored the files. Now I am getting more of these files flagged as threats. I scanned the Windows directory for the Installer file to find the listed file and I cannot even find the Installer folder. So I am unable to send you a copy of the file. I am sorry if I seem like I am being uncooperative; I have searched for the file and cannot find it. If you have any further suggestions I will happily try them. Thanks again for your time and help.


    Beth

  • alexcrist
    edited December 2009

    Hello Beth,


    The detection in question here is a heuristic detection. This means that the detected files were not analyzed by anyone at BitDefender Labs. Instead, some algorithms have been created, using different advanced scanning methods, that try to detect malware which is currently unknown (or even nonexistent; when it appears, it will already be detected). In other words, heuristic scanning is used to detect unknown and new malware. The downside is that it might produce false positive alerts (flag clean files as infected).


    On the other hand, nobody can say for sure if a heuristic detection is true or false. That is why getting that file and sending it for analysis is critical to correcting and improving BitDefender's detection.


    Back to finding that file: the Installer folder is hidden by the operating system. If you haven't set Windows to show hidden files and folders, then you will not see that folder in Explorer.


    You have 2 options:


    - either just directly write the full path in Explorer's address bar (without the filename) and hit Enter. It should go to that location, regardless of the fact that it's hidden.


    - or follow the steps presented HERE to make the hidden files and folders visible.


    About your previous problems with backup files, I don't know what happened then. If the detection was similar to this one, then it was the same case of false positive due to heuristic or generic scanning. Otherwise, I have no idea (and I can't assume anything, because I don't have more details).


    Cris.

  • peterglass
    edited January 2010

    Hi Cris,


    I too received the same 9 threats after using BitDefender on my IBM ThinkPad. I disabled the Realtime Protection, but could not locate the file you wanted (I typed the file name into the address field; I also have my computer set to show all files).


    Any other suggestions?


    Thanks -


    Peter Glass

  • Hello Peter Glass,


    Can you tell me which Windows version you are running, and which architecture (x86 or x64)?


    Also, are you sure you typed the correct names? Also, have you set Windows to show System files (not just hidden files)?


    Cris.

  • peterglass
    edited January 2010

    Hi Cris,


    I am using an X86-based PC. I set Windows to show both system and hidden files. I looked under "C:\WINDOWS\Installer" but could not find the file. I also did a search on C:, but still could not find the file.


    Peter Glass

  • peterglass
    edited January 2010

    I forgot to mention that I am using Windows XP Pro (Service Pack 2).


    Peter

  • Are you sure that the item hasn't been deleted? What are your OnDemand Scan settings? (I'm interested in the Actions)


    Please edit the Contextual Scan task like this:


    - open BitDefender Security Center in Advanced Mode


    - go to Antivirus -> Scan


    - right click on Contextual scan and select Properties


    - click on Custom and change all actions to <Take no action>


    - click OK and close the BitDefender Security Center


    Then browse to the Installer folder, right click on it, and select Scan with BitDefender (or drag and drop it onto the BitDefender Scan Activity Bar). Let me know if it still detects that file.


    Cris.

  • peterglass
    edited January 2010

    Hi Cris,


    For my OnDemand Scan Settings (I think this is what you want), I do a Deep System Scan with the Scanning Options set to, I believe, High.


    I ran a Contextual Scan with the settings you requested. The same 9 threats were detected.


    Peter Glass

  • Please attach the scan log for the Contextual Scan.


    Cris.

  • Hi,


    Follow these steps:


    • open Notepad
    • copy the following code and paste in Notepad
      @echo off
      if not exist "C:\WINDOWS\Installer\1a863.msi" goto failpoint1

      echo File found. Attempting to copy...
      copy "C:\WINDOWS\Installer\1a863.msi" 1a863.msi.orig

      if not exist "1a863.msi.orig" goto failpoint2

      echo File copied successfully.
      goto endpoint

      :failpoint1
      echo File not found.
      goto endpoint

      :failpoint2
      echo Failed to copy file.
      goto endpoint

      :endpoint
      pause

    • click File -> Save as...
    • select All files under the File type droplist, browse for an empty folder (if you need to, create one), and save the file with the name copyfile.bat
    • open Explorer and browse to the location where you saved the above script, and double click it
    • the above script searches for and copies the detected file (from your scan log). At the end of the script's execution, the script will pause and you will be able to see any errors or warnings that might have appeared during execution. Please note if any errors appear
    In the end, if everything went fine, you should find a file named 1a863.msi.orig in the same folder where you saved the script. Please archive that file using the password "infected" (details in my signature), upload the archive on a file sharing server of your choice (like www.sendspace.com) and send me a PM with the download link.


    Cris.

  • peterglass
    edited January 2010

    Hi Cris,


    I just sent you the requested file by way of YouSendIt. Here is the link:


    https://download.yousendit.com/TzY3S3dpd0l0NjlMWEE9PQ


    Peter

  • Peter, you must have made a small mistake, because you sent me the copyfile.bat file, which contains the code I wrote to you in my previous post. Please repeat the steps.


    Cris.

  • Hello Peter and anyone else interested,


    As far as I'm told, detection has been removed and is pending update. It should reach the update servers in a couple of hours. After that, you just have to update BitDefender (or let it make an automatic update) and rescan that location to check if everything is OK.


    I will post back here when the update is ready (when the BitDefender on my system stops detecting the files).


    Thank you for your report.


    Cris.

  • Detection has been removed. Please update BitDefender, rescan the file, and let us know if you have any more problems regarding this matter.


    Thank you.


    Cris.

  • peterglass
    edited January 2010

    Hello Cris,


    I updated BitDefender and did a Deep System Scan of my complete C: drive. Except for a couple of cookies that BitDefender removed, nothing else came up.


    Thanks for working through this problem with me.


    Peter Glass

  • You are very welcome, Peter. :)


    If you have any other questions, please don't hesitate to post.


    Since this issue has been resolved, I will close this topic. If you need it reopened, you can use the Report button to notify the Moderating Team members.


    Have a nice day.


    Cris.


    == CLOSED ==


    == Issue solved ==

This discussion has been closed.