False positive
To whom it may concern,
I have adaware 11 total security and when I activate the Blizzard launcher, and it tries to update itself, I get a warning that a virus has infected my system. It is listed as Gen:Heur.Krypt 69 with the following path of \\?\C:\Program Files (x86)\World of Warcraft\Wow.exe.temp. This is not a virus. It only happens when I update with the Blizzard launcher. I can no longer add the file to my whitelist by right-clicking on the warning (bad thing to remove imo). I tried adding world of warcraft.exe and similar programs to my whitelist by manually finding them, but this one I can't (I'm guessing because Blizzard often makes temporary files for updates and I don't know where it is). I have tried to re-install the game as well, which also didn't work. Please help.
-
Does anyone know how to add a program to the whitelist manually, instead of using the browse function? Thanks.
0 -
I have exactly the same problem with the Blizzard launcher for SC2...and Steam...and most of my Dell drivers. I haven't really gotten a good answer from support other than add them to the whitelist...which doesn't work for me.
I added the program file folder to the whitelist by using windows explorer and copying and pasting the filepath directly into the whitelist (press add, and then paste in the field)...I would love to hear if support gives you any advice...
0 -
Hi poepouri and msalt0,
Please, follow the guide http://www.lavasoftsupport.com/index.php?showtopic=18033 to give Lavasoft all the information they need to be able to investigate if it is a false positive.
0 -
As requested
Hi poepouri and msalt0,
Please, follow the guide http://www.lavasoftsupport.com/index.php?showtopic=18033 to give Lavasoft all the information they need to be able to investigate if it is a false positive.
Hi CeciliaB, I have uploaded the documents including logs, report, screenshot of file paths and one of the files.
adaware11.zip
0 -
Hi msalt0,
Thanks for uploading the file. At first glance the fixdamage.exe detection looks like an FP, but I'll investigate further.
Would it be possible to upload the other detected files also?
Regards,
Andy
Lavasoft Malware Lab
0 -
Hi poepouri,
Same question to you - can you upload the detected files here?
Andy
0 -
To Whom it May concern,
I figured the issue out. Blizzard's updater creates a temporary update file called wow.exe.temp. It exists for a few seconds then vanishes, and only exists when the launcher is updating. I can't upload it because again, it vanishes very quickly. It can be avoided by excluding the World of Warcraft folder (something the guy I called on the phone from support really should have known...). My guess is like many things Blizzard does, it's one of many security measures they use to ensure their software isn't hacked or if it is, they know what's doing it. The issue is fixed now, but thank you for responding.
0 -
@ msalt0,
The file contains code that is consistent with the Win32.Expiro.BK virus family. According to the log file there are several files detected with the same name - it appears that quite a few legitimate files on your machine have been infected by the virus. The detection of the file you uploaded (BTW, thank you - it made investigation much easier) is not a false positive. Hope this helps.
Regards,
Andy
Lavasoft Malware Lab
0 -
Hi Andy,
Thanks for letting me know - the interesting thing is that I just re-downloaded the StarCraft files and it immediately happens (the files are all quarantined) when I try to launch the files - so it does not seem to matter if I allow Ad-Aware to clean the files, I cannot re-download them without the same issue occurring. I am a little confused on how to proceed: I can let Ad-Aware clean the files, but then the programs become unusable (the Blizzard launcher/updater, etc.)
Advice? Should I upload the blizzard files as well to check?
0 -
Hi msalt0,
It's probably good if you can provide Andy with as many files as possible.
0 -
As requested, I have uploaded more files - any help in identifying if I really have true or false positives would be great. There is a large file (55mb) that I cannot upload due to size limits.
adaware11.zip
0 -
New folder (2).zip
Additional files - I update Steam and as they downloaded via Steam update they were quarantined.
0 -
Sorry for the late reply, but Lavasoft is still investigating this issue.
Thank you for all your files.
0 -
Sorry msalt0, but you have a file infector malware in the computer. Win32/Expiro is a virus that infects all program files in all drives and collects passwords etc. It also opens a backdoor to the computer to let someone control the computer from the internet, and lowers Internet Explorer security settings. If you have several computers in a local network, it will try to spread to the other computers through shared folders. You can read about it on http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/viruswin32expironab.
The recommendation is that you reinstall Windows, since no program file can be trusted, every tool you download will be infected and it's possible that Ad-Aware files are infected, too, and therefore Ad-Aware can't be trusted to detect or remove it. Since the infection steals passwords and certificates (e.g. for accessing banks), it's necessary to change all passwords you use on different websites from a clean computer and contact your bank.
AVG has a tool that tries to disinfect the files; by running it you may be able to use the computer enough to take backups of files you want to keep. Note, you can't back up any program files; if you run them after the reinstallation of Windows, they will infect the computer again. You can only back up documents, photos and films etc.
0
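The backup advice in the last reply (keep documents and photos, leave every program file behind) can be checked by file content rather than by extension, since an executable can carry a name like Wow.exe.temp. This is an added example, not part of the thread or any Lavasoft tool: it sorts a backup folder into files to keep and Windows executables to skip by reading the MZ/PE header. The function names and the sample files are constructed, and it assumes the check is run from a clean machine against a copy of the files.

```python
import os
import struct
import tempfile

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"

def split_backup(root):
    """Walk root; return (keep, skip) as sorted paths relative to root."""
    keep, skip = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                (skip if is_pe(full) else keep).append(rel)
            except OSError:
                skip.append(rel)  # unreadable files are not copied
    return sorted(keep), sorted(skip)

def fake_pe():
    # Constructed minimal header: MZ stub, e_lfanew = 0x40, then the PE signature.
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

def demo():
    """Build a constructed backup folder and classify it."""
    samples = {
        "Wow.exe.temp": fake_pe(),                        # executable, odd extension
        "setup.jpg": fake_pe(),                           # executable named like a photo
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 100,  # JPEG magic bytes
        "notes.txt": b"MZ is also how this plain text note starts." + b" " * 40,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return split_backup(root)

if __name__ == "__main__":
    keep, skip = demo()
    print("keep:", keep)
    print("skip:", skip)
```

This only recognises Windows PE files (.exe, .dll, .scr and similar, whatever they are named); it says nothing about whether a given file is infected.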