Virus!

Haakon
edited July 2007 in Malware talk

I just downloaded Bitdefender for the first time, and had a scan. I found a virus called Trojan.Downloader.Agent.YIQ.


I'm not a pro, so... How do I remove the virus?

Comments

  • Hi Haakon,


    I moved your topic to a more appropriate section.


    Please post the path of the infected file. You can open the BD Scan log and copy here the paths of the file(s) that were found as infected. Don't add the log as an attachment, because in this section only BD Virus Analysts can download them. Just write the paths in your post.


    Cris.

  • Haakon
    edited July 2007

    Virus Statistics
    Scan path : C:\Program Files\Knight Online\XPatch.exe
    Folders : 0
    Files : 1
    Memory processes scanned : 0
    Archives : 0
    Runtime packers : 0
    Identified viruses : 1
    Infected files : 1
    Memory processes infected : 0
    Suspect files : 0
    Warnings : 0
    Disinfected files : 0
    Deleted files : 0
    Moved files : 0
    I/O errors : 0
    Scan time : 00:00:02
    Scan speed (files/sec) : 0
    Virus definitions : 697924
    Scan plugins : 16
    Archive plugins : 41
    Unpack plugins : 6
    Mail plugins : 6
    System plugins : 5

    Virus scan options

    Detection
    [ ] Scan boot sectors
    [ ] Memory Processes
    [X] Scan archives
    [X] Scan runtime packers
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Move to quarantine
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [X] Move to quarantine
    [ ] Prompt user

    Virus scan options
    [X] Enable warnings
    [X] Enable heuristics
    [X] Show all files in log
    [X] Report file: C:\Users\Håkon\AppData\Roaming\BitDefender\Desktop\Profiles\Logs\contextual\1185908057.log

    Spyware scan options
    [X] Scan for riskware
    [ ] Skip dial and applications from scan
    [ ] Registry keys
    [ ] Cookies

    Summary:
    C:\Program Files\Knight Online\XPatch.exe Infected: Trojan.Downloader.Agent.YIQ
    C:\Program Files\Knight Online\XPatch.exe Disinfection failed
    C:\Program Files\Knight Online\XPatch.exe Move failed

    Scanned files
    C:\Program Files\Knight Online\XPatch.exe Infected: Trojan.Downloader.Agent.YIQ
    C:\Program Files\Knight Online\XPatch.exe Disinfection failed
    C:\Program Files\Knight Online\XPatch.exe Move failed


    This one?
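
Added example (not part of the original thread and not BitDefender's own tooling): a small parser that pulls the infected paths out of a scan log like the one above and flags files where both configured actions failed, which is the information the moderator asked for. It recognises only the three status line shapes visible in this log; the function names are hypothetical.

```python
import re

# Constructed sample: status lines copied from the scan log posted above.
SAMPLE_LOG = r"""
Infected files : 1
Disinfected files : 0
Moved files : 0
Summary:
C:\Program Files\Knight Online\XPatch.exe Infected: Trojan.Downloader.Agent.YIQ
C:\Program Files\Knight Online\XPatch.exe Disinfection failed
C:\Program Files\Knight Online\XPatch.exe Move failed
Scanned files
C:\Program Files\Knight Online\XPatch.exe Infected: Trojan.Downloader.Agent.YIQ
C:\Program Files\Knight Online\XPatch.exe Disinfection failed
C:\Program Files\Knight Online\XPatch.exe Move failed
"""

# Paths contain spaces, so match lazily and anchor on the status at line end.
# Only the three line shapes visible in the posted log are recognised.
STATUS_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)|(?P<failed>Disinfection|Move) failed)$"
)

def summarize(log_text):
    """Map each path in the Summary section to its detection and failed actions."""
    results, in_summary = {}, False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line in ("Summary:", "Scanned files"):
            in_summary = (line == "Summary:")  # "Scanned files" repeats the entries
            continue
        m = STATUS_RE.match(line) if in_summary else None
        if not m:
            continue
        entry = results.setdefault(m["path"], {"detection": None, "failed_actions": []})
        if m["name"]:
            entry["detection"] = m["name"]
        else:
            entry["failed_actions"].append(m["failed"])
    return results

def unresolved(results):
    """Detected files where both configured actions (disinfect, then move) failed."""
    return [p for p, e in results.items()
            if e["detection"] and {"Disinfection", "Move"} <= set(e["failed_actions"])]

if __name__ == "__main__":
    for path in unresolved(summarize(SAMPLE_LOG)):
        print("still in place:", path)
```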

  • Hello Haakon


    Could you please post a download link where you downloaded the patch?


    Upload the patch to this website: http://www.virustotal.com and post the result. I suggest that you also archive XPatch.exe in a password-protected archive with the following password: infected and attach it to your next post.


    Regards


    Niels

  • Could you please post a download link where you downloaded the patch?


    Do not post the link. Other users might access it and they might get infected.


    Instead, write it in a Text file and attach it to your post. This way, only BD Virus Analysts can take a look at it.


    Cris.

  • Hello Haakon


    Sorry, I meant that you also have to add the link in your archive. I thought that I wrote that but that wasn't the case.


    Regards


    Niels


    Thanks Cris for correcting me.

  • Haakon
    edited August 2007

    It doesn't work to archive it with password. I've tried WinRar and WinZip.


    When I use WinRar I get this error: XPatch.zip: Cannot create XPatch.zip


    And WinZip: Error: You are trying to create a new Zip file on a disk that is read-only (C:\Program Files\Knight Online\XPatch.zip)


    I used the "Virus Submission" guide.

  • alexcrist
    edited August 2007
    It doesn't work to archive it with password. I've tried WinRar and WinZip.


    When I use WinRar I get this error: XPatch.zip: Cannot create XPatch.zip


    And WinZip: Error: You are trying to create a new Zip file on a disk that is read-only (C:\Program Files\Knight Online\XPatch.zip)


    I used the "Virus Submission" guide.


    The reason why you couldn't make the archive was because BitDefender was blocking the source file (the infected file).


    Before attempting to make the archive you should have disabled BD Realtime Protection. You have to be very careful not to open an infected file while BD is disabled and to re-enable BD Realtime Protection once you finished the archive. This is said very clearly in the "Virus Submission" guide.


    Following these steps will surely allow you to make the protected archive.


    Cris.

  • I'm sorry, but... What if I was wrong? I found this post at the Knight Online forum, where it was written:


    "Many people are concerned about certain anti-virus programs detecting a Trojan Virus in the Knight Online executable that is packed in the latest patches from K2 Network. Our Quality Assurance department has installed these anti-virus programs, scanned the Knight Online files and determined these reports to be FALSE POSITIVES. We will be contacting the larger anti-virus companies to update their databases to remove these false positives. Rest assured that the files that are distributed by K2 Network do not contain viruses or other harmful files."


    Maybe it's just a false positive? Is BitDefender one of those antiviruses? I have had many searches with Ad-Aware too, but it couldn't find anything.

  • We are looking into this matter now. If it is indeed a false positive, detection will be removed.

  • Niels
    edited August 2007

    Hello Haakon


    What you always can do is just add the download link and attach that to your next post. I downloaded a patch for Knights Online and the installer drops executable files in the system 32 folder, which is very suspicious for a patch. It's a forum site of Knights Online.


    Regards


    Niels


    Download link attached where I found the infected one.

    xpatch.rar

  • Well, XPatch was a piece of the installation package. I did not install or download it later.

  • Hello Haakon


    I downloaded only the executable (xpatch.exe) from that source where I attached the link. That caused that strange behaviour. But it could be that it wasn't the real patch. It was located on a Knights Online forum.


    So I still recommend to help the virus researchers that you still add the link where you downloaded xpatch.zip from. That is easier for them.


    Regards


    Niels

  • Haakon
    edited August 2007

    Here it is? I hope it was right just to copy / paste the link into attachments.


    Seriously... I have no idea how to do this.

  • Niels
    edited August 2007

    Hello Haakon


    I will explain it to you. Edit your post and choose full edit. In the attachments section, by "select a file", press Browse. Now you must navigate to the text file where you wrote the download link and click on OK. To finish, press Upload. That is all you have to do.


    Regards


    Niels