Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

AVG Free False Positive

[Screenshot: False Positive]
For over one week, AVG has been detecting the false positive "Trojan horse Crypt_s.BFL in C:\Users\*profile name*\AppData\Local\Temp" and causing many problems with the right-click context menu and Explorer. Every time right-click is employed on a media file (and others as well), the above pop-up appears.

Since AVG does not supply free support for AVG free, I am certain others are having this problem as well since the supposed infected file is a wow64.dll and if users start searching their OS for the wow64.dll and deleting it, they are likely deleting files that are needed for the OS to operate properly and will eventually cause serious problems.

PLEASE fix this ASAP.

YES, I have run numerous scans and even a full deep scan with AVG does not show the FP.

If added to "ignore threat" or added to "exceptions", the problem persists with a pop-up stating the wow64.dll can not be loaded. I have been trying to "fix" this since it first started last week with absolutely no success.
--
"Be simple, be earnest and spread that simplicity throughout everything you do."


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to Sparrow

Re: AVG Free False Positive

Now I'm not a windows expert like dave See Profile, but I know in general what wow64.dll is used for, and I don't think it belongs in a temp directory under the user profile...
--
Oh, Opera, what have you done?


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand
Hi Sivran,

Of course wow64.dll doesn't belong in the Temp folder and was never there to start with, that was the FP. I wound up deleting whatever was in the Temp folder (had to use Unlocker on a few) and now I keep getting another error (screenshot), which is definitely not a system file.

I uninstalled AVG and ran every scanner known to us, with no further detections. sfc /scannow finds corrupt files, but can't fix them. Turned off system restore, tried from safe mode, etc..., but nothing is helping. Just letting it be for now and keep searching for possible solutions.
--
"Be simple, be earnest and spread that simplicity throughout everything you do."


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5
That may not have been a false positive. You should go to »Security Cleanup and follow the directions here - »Security Cleanup
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to Sparrow


sparrow, i believe that AVG was alerting you to a malware-infection, as it is supposed to do..

you said that it was a false-positive because the file that was being flagged did not exist.. AVG does not flag files that do not exist.. maybe you didn't see an icon for the file and, so, you thought that the file did not exist, but, just because you don't see an icon for a file, that doesn't mean that the file does not exist..

it is too bad that you are dumping AVG due to its flagging malware on your computer and, then, your believing that it was flagging a file that did not exist.. i think you should reconsider dumping AVG..

furthermore, you need to make sure that the malware has been removed, one way or another, either by "reformatting" or by getting help in one of the forums where people get help with removing malware..

in addition to dslreports' own "security cleanup" forum, some other forums, where people get help with removing malware, are:

bleepingcomputer
geekstogo


Raphion

join:2000-10-14
Samsara
reply to Sparrow
System dll being called from a temp folder is extra fishy, looks like something bad got hold of the system, in spite of AVG being there. Now at least it is showing that something is up.


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand
reply to redwolfe_98
Being pretty well-versed in the malware clean-up gamut and considering no other virus, Trojan, rootkit scanner or Malwarebytes, Spybot, HT and a host of other applications picked anything up, I'm not about to go wild with days in the clean up forum and possibly destroying other files in the process.

I forced deletion of what AVG could not remove and thus the error began. It seems to be a context menu problem and working on that when time allows. I realize the error is showing what appears to be a Trojan and searching shows others with the same problem with different random characters after \Temp\ dating back to 2009, but there was no solution in any of the posts. All threads end like this one - up in the air.

I've been using NIS since the mid-90's and was in between subscriptions, so I thought I'd give AVG a whirl. I'm back with NIS and will stay put. However, I do appreciate your post and concern.

If and when a solution is found, I will follow up here.

Thank you.
Leah
--
"Be simple, be earnest and spread that simplicity throughout everything you do."

Aranarth

join:2011-11-04
Stanwood, MI
reply to Raphion
said by Raphion:

System dll being called from a temp folder is extra fishy, looks like something bad got hold of the system, in spite of AVG being there. Now at least it is showing that something is up.

I agree 100%, the only times I have seen executables or .dll's being executed or referenced from a temp folder is after a serious security breach.

AVG is doing its job, this is not a false positive.

Here is how to get rid of that infection manually: »blog.teesupport.com/easily-get-r···l-guide/

Note this is a trojan which means YOU allowed the infection. Recently you installed something hinky on your machine which you shouldn't have and this was the payload.

Frodo

join:2006-05-05
kudos:1
reply to Sparrow
One thing I've found out is that one can't simply find a file by eyeballing it on systems with Unicode enabled. Certain Unicode characters can change the direction of the file name from left to right, to right to left and scramble up the appearance of the file name.
»www.howtogeek.com/127154/how-hac···ensions/

So, if I didn't find the file in windows explorer, I would navigate to the folder in question with a command prompt and see what a "dir /a *.dll" shows.

I have prevented files that contain U+202E in the name from executing in software restrictions as a precaution.
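The right-to-left override trick Frodo describes can be checked for programmatically rather than by eye. The following is an added example, not code from the thread: it lists the bidi control characters in a file name, reports the extension the OS will actually use, and prints an escaped form a person can read unambiguously. The sample names are constructed.

```python
import os
import unicodedata

# Unicode bidirectional controls that change how a name is rendered
# (e.g. U+202E RIGHT-TO-LEFT OVERRIDE) without changing the real name.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embeddings / overrides
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
    "\u200e", "\u200f",                                # LRM / RLM marks
}

def describe_controls(name):
    """Return the Unicode names of any bidi control characters in `name`."""
    return [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]

def true_extension(name):
    """The extension as the loader sees it: taken from the real code points,
    ignoring how the name happens to be rendered on screen."""
    _, ext = os.path.splitext(name)
    return ext.lower()

def inspect_names(names):
    """Flag names carrying bidi controls, with the real extension and an
    ASCII-escaped rendering that cannot be spoofed."""
    findings = []
    for name in names:
        controls = describe_controls(name)
        if controls:
            findings.append({
                "escaped": name.encode("unicode_escape").decode("ascii"),
                "true_extension": true_extension(name),
                "controls": controls,
            })
    return findings

def inspect_directory(path):
    """Apply inspect_names to the real entries of a directory, hidden ones included
    (the programmatic equivalent of Frodo's `dir /a`)."""
    return inspect_names(os.listdir(path))

# Constructed sample: the second entry renders as "photo_exe.png" in most file
# managers, but the OS treats it as an .exe because that is its real extension.
SAMPLE_NAMES = ["wow64.dll", "photo_\u202egnp.exe", "report.pdf"]

if __name__ == "__main__":
    for f in inspect_names(SAMPLE_NAMES):
        print(f["escaped"], f["true_extension"], f["controls"])
```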


Raphion

join:2000-10-14
Samsara
And of course, files belonging to the higher caliber malware won't be showing up in windows explorer at all, no matter how hard you look.

Looking for and fixing things on a really "owned" system (using said system itself) is kinda like asking a politician if he's lying or corrupt, and if so, to "please stop it".


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand
reply to Aranarth
[Screenshot]
If you follow all the links for removal, you'll notice they all give very incomplete directions and all point back to SpyHunter, which is not the most reputable piece of software out there and I will not download it.

I also find it odd that absolutely no other reputable antivirus, anti-trojan or malware removal application makes note of it or cross-references "Trojan horse Crypt_s.BFL". That's not to say it's not a real threat, only finding it odd.

Before I go any further, I was able to locate the file, as you can see in the screenshot.

I do not download indiscriminately and do not go to untoward websites... I am anal when it comes to security and as mentioned previously, will post back with any progress.

--
"Be simple, be earnest and spread that simplicity throughout everything you do."

Frodo

join:2006-05-05
kudos:1
reply to Sparrow
From what I can tell, this is kudos for AVG.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5

1 recommendation

reply to Sparrow
Upload the file to VirusTotal at »www.virustotal.com and scan it with multiple AV engines. That will give you a better idea if it's infected or not.
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010


ZZZZZZZ
Premium
join:2001-05-27
PARADISE
kudos:1

1 recommendation

reply to Frodo
quote:
From what I can tell, this is kudos for AVG.
lol.........really and how is that?
--
Sarcasm is the body’s natural defense against stupidity.


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

1 edit
reply to TheJoker
[Screenshot: Compliments of AVG Rescue]
said by TheJoker:

Upload the file to VirusTotal at »www.virustotal.com and scan it with multiple AV engines. That will give you a better idea if it's infected or not.

It was detected as wow.dll (knew that) and many detect it under various names, but none can remove it...
»www.virustotal.com/en/file/13e1b···nalysis/
--
"Be simple, be earnest and spread that simplicity throughout everything you do."

Frodo

join:2006-05-05
kudos:1
reply to ZZZZZZZ
said by ZZZZZZZ:

lol.........really and how is that?

Because the wow.dll located in a temp folder and being used by svchost and rundll32 raises a red flag as far as I'm concerned. If something like that was happening, I would want to know about it.
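Frodo's red flag (a system-named DLL loaded from a Temp directory by a generic host such as svchost or rundll32) can be turned into a simple detection rule. This is an added example, not code from the thread; it runs over constructed process/module records of the kind a loaded-module listing would produce, and the path under Temp is a made-up sample.

```python
import ntpath
import re

# Hosts that legitimately load many DLLs and are therefore convenient carriers
# for a module that does not belong to them.
GENERIC_HOSTS = {"svchost.exe", "rundll32.exe", "regsvr32.exe", "explorer.exe"}

# Locations from which a system-style DLL has no business being loaded.
TEMP_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
    re.compile(r"^[a-z]:\\temp\\", re.I),
]

# Module names the loader expects to resolve under the Windows directory.
SYSTEM_DLL_NAMES = {"wow64.dll", "wow.dll", "kernel32.dll", "ntdll.dll"}

def is_temp_path(path):
    """True if the (Windows-style) path lies under a user or system temp directory."""
    return any(p.match(ntpath.normpath(path)) for p in TEMP_PATTERNS)

def flag_module(process, module_path):
    """Return the reasons a loaded module looks suspicious, or [] if it looks normal."""
    reasons = []
    norm = ntpath.normpath(module_path).lower()
    if is_temp_path(module_path):
        reasons.append("loaded from a temp directory")
    if ntpath.basename(norm) in SYSTEM_DLL_NAMES and "\\windows\\" not in norm:
        reasons.append("system DLL name outside the Windows directory")
    if reasons and process.lower() in GENERIC_HOSTS:
        reasons.append(f"host {process} is a generic loader")
    return reasons

def scan(records):
    """Run flag_module over (process, module_path) pairs; keep only the hits."""
    hits = []
    for process, module_path in records:
        reasons = flag_module(process, module_path)
        if reasons:
            hits.append((process, module_path, reasons))
    return hits

# Constructed sample records (the Temp sub-folder name is made up).
SAMPLE_RECORDS = [
    ("svchost.exe", r"C:\Windows\System32\wow64.dll"),
    ("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\k3j9x\wow.dll"),
    ("rundll32.exe", r"C:\Users\alice\AppData\Local\Temp\k3j9x\wow.dll"),
    ("notepad.exe", r"C:\Program Files\Notepad\plugin.dll"),
]
```

On a live Windows host the same records can be gathered with Sysinternals ListDLLs or Process Explorer and fed to scan(); a hit is a reason to pull the file for analysis, not proof of infection by itself.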


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

1 edit

1 recommendation

reply to TheJoker

KAV trial to the rescue...

[Screenshot]
I naturally uninstalled NIS and then Spybot and Malwarebytes since I know KAV doesn't play well with them and lo and behold, KAV caught it and after a reboot the bugger is gone.

No other tool worked. KAV was simple, direct and thorough, so kudos to KAV!

Edit to add: tdssKiller did NOT detect with all available options checked.

I would recommend anyone having this problem to do what I did and download the KAV trial (which I will now purchase - sorry NIS).

--
"Be simple, be earnest and spread that simplicity throughout everything you do."


Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

1 recommendation

Kaspersky over the last year has sparked my interest in giving it a whirl... still currently with NIS2012.

Aranarth

join:2011-11-04
Stanwood, MI

1 recommendation

reply to Sparrow

Re: AVG Free False Positive

Anyway, proof positive that you did not have a false positive. You had a true positive.


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

2 edits
Quite true, but would have been nice if AVG had a way to remove what it detected. Spent hours with AVG Rescue CD trying to give AVG another chance, but that failed as well. Symantec doesn't even detect the thing yet.

By the way, the only apparent problem the Trojan created was with the right click context menu. Every time I would right click (to delete, move, rename, open with, etc...), the error in my second screenshot would pop up. Had to x out the pop-up and try again. After two or three attempts, the right-click action could be completed, so it appeared to be more of a nuisance than anything else.

Also, three days before the problem started, my downstairs neighbor was obviously (giving him the benefit of the doubt) trying to set up a new printer (we share the internet connection, with my laptop being the host) as my printer printed a Windows Test Page verifying my printer had been successfully installed on my neighbor's machine. That's when the red flag went up on my end.

I immediately changed my Network settings from Home to Public, turned on Windows firewall (a must) and changed all Advanced Sharing Settings and turned off Network Discovery and all shares.

8 days later (and 5 days after the Trojan first appeared) another printer Windows Test Page came through. No settings had changed in the Network Profiles and I was a bit baffled by the additional page coming through on my printer from the neighbor. (Edit to add: Just dawned on me, it's possible he had the printer turned off and the additional page that came through was residual from the previous time when he turned the printer back on.) I might also add that the downstairs neighbor works in the industry and my suspicions started getting a bit stronger that he was trying to gain access to my machine. Haven't confronted him yet, but most certainly intend to. I can kill his connection and will do so if anything like this happens again.

So, for now, my bank accounts haven't been robbed and as you can imagine, I am keeping a very close watch on connections. Changed all important passwords after KAV removed the Trojan and keeping my fingers crossed.

Whether or not the Trojan came from my neighbor deliberately or unintentionally or I downloaded something, I can't be sure. I checked all downloads and had not downloaded anything new for 7 days before the Trojan appeared (and that was only Lenovo updates) and 10 days before that Intel updates.

So that's the whole story or at least what I can make of it.
--
"Be simple, be earnest and spread that simplicity throughout everything you do."