Adam Drozd

EEK Signature Virus.


I am using EEK version 10. Today at 15:11 (Polish time zone) I started a signature update. Everything was fine until my antivirus (Microsoft Security Essentials) automatically deleted a virus (real-time protection). It appeared weird because I had scanned my PC with HitmanPro, MSE and Malwarebytes earlier today, and no software had been run since. Malwarebytes is the free version (no real-time protection) and MSE has real-time protection. HitmanPro is quite obvious (both the normal scan and early warning scoring were run). My MSE detected a virus whose location was:

file:C:\Users\Adam\AppData\Local\Temp\EEK\a2temp\_up_\bin32\Signatures\BD\cevakrnl.rv0.diff

More info:

Virus: DOS/Antiexe

Error code: 0x80508023. The program did not find any malicious software or other potentially unwanted software on the computer.
I'm Polish, so a quick translation:
Error code: 0x80508023. The software didn't find any threats or PUPs.
It was found on Windows 7 x64 Home Premium. The firewall was on. The system was clean. As I previously said, it was scanned with HitmanPro, MSE and Malwarebytes (all were run separately, so they shouldn't interrupt each other). I usually turn off MSE while scanning with EEK, Malwarebytes and HitmanPro so as not to interrupt the scan, but today, while updating EEK, I forgot to do so, so that may be the cause of such a weird occurrence, but I just want to ensure that my PC is clean.
After this event I ran all my software (separately!) and nothing was detected, but do you have any other way to ensure that my system is clean?
Thanks for replies!


Well, the file itself was deleted by MSE. I can only allow the software to run, but I have no idea if it will do so and restore the file. Let me know if it can be restored that way and not cause any further harm.

I guess that you can reproduce the occurrence simply by updating the software and looking for the file cevakrnl.rv0.diff in the signatures folder.

Well, it shouldn't be hijacked by any kind of software because my PC was 99% clean before (scanned with HitmanPro (early warning, default), MSE, EEK, Malwarebytes; furthermore, no unknown pages were visited for at least one month...).

The only thing that comes to my mind is that someone could have broken into my router, but it's still very unlikely. So if you could do such a try it would be very much appreciated, but if not, just let me know if allowing this file will restore it...

Furthermore, I can provide you with screenshots, logs, whatever you like.

TY for response


I can find cevakrnl.rv0 on my machine in the EEK updates list, but nothing with .diff or .old.

Are you really using EEK version 10, or was that just a posting error?


Hello,

Thank you for reporting this issue. To me it sounds like a false positive, but no worries: if the file was deleted and it does in fact belong to Emsisoft's signature updates, it will be re-downloaded the next time an online update is run.

If the detection occurs again and you are able to save a copy of the file, please feel free to attach it to a post or upload it to http://www.virustotal.com


Fine. I will try updating the software once more, and if it gets deleted, I will turn off Microsoft Security Essentials and provide you with the said file. Thanks for your assistance.

And what about allowing it to run, will it restore it?

Actually, it is Emsisoft version 10.0.0.5973.

@Update. I have tried updating the software one more time and nothing went wrong this time. No idea why it was wrong before. So what about restoring this file for further tests?


Actually, I have already done so. I tried updating again and nothing occurred this time. But I'm quite curious what the reason for that occurrence was. If it was a false positive, I think it would be detected once again, but it wasn't... And you still say you don't have the said extension, which was cevakrnl.rv0.diff. It's quite strange, actually. Still, I don't think it could have been done by any kind of malicious software (my PC was scanned by HitmanPro, EEK, Malwarebytes and MSE just before, and the only website I visited since was YT, but after that visit I scanned my PC with HitmanPro). So I have no idea.

So, by allowing the file to run, does it mean restoring it if it had been deleted automatically?


The file in question contained the changes that were added to one of the BitDefender database files since the last time you had downloaded updates in EEK (this can be referred to as a "diff" file, since it contains the differences between two versions of the same file). If it doesn't get detected again, then it is possible someone else already reported it to Microsoft and it has been fixed already.

As for why it happened, it was more than likely an inaccurate heuristic detection on MSE's part (essentially a mistake). While it doesn't happen very often, it has happened before, and MSE isn't the only anti-virus software that has done it.
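To make the "diff" idea above concrete, here is an added illustration; it is not Emsisoft's or BitDefender's update format and not code from anyone in this thread. It builds a toy delta that copies unchanged runs from the old database and carries only the new bytes, then refuses to install the patched file unless it matches an expected hash. The sample database contents, the opcode layout and the hash check are constructed assumptions. It also shows something the explanation alone does not: the bytes of every newly added signature sit verbatim inside the diff, so a scanner that reads the diff file is looking at raw signature data.

```python
"""Toy delta ("diff") update for a signature database file.

Added example, hypothetical format: not the layout EEK or BitDefender use.
"""
import hashlib

# Constructed sample data: two versions of a signature database.
# The update moves a client from OLD_DB to NEW_DB (one entry appended).
OLD_DB = b"SIG:0001:CAFEBABE\nSIG:0002:DEADBEEF\n"
NEW_DB = b"SIG:0001:CAFEBABE\nSIG:0002:DEADBEEF\nSIG:0003:4D5A9000\n"

COPY, INSERT = 0, 1  # opcode tags (assumed, illustrative)


def make_diff(old, new, block=8):
    """Greedy block-level delta.

    Emits COPY(src_offset, length) for runs already present in `old` and
    INSERT(bytes) for everything else. Returns the opcode list plus the
    SHA-256 of `new`, which the client checks after applying the delta.
    """
    # Index every `block`-byte window of the old file by its first offset.
    index = {}
    for i in range(0, len(old) - block + 1):
        index.setdefault(old[i:i + block], i)

    ops, pending, i = [], bytearray(), 0
    while i < len(new):
        chunk = new[i:i + block]
        src = index.get(chunk) if len(chunk) == block else None
        if src is None:
            pending.append(new[i])  # byte not derivable from old: ship it
            i += 1
            continue
        # Extend the match as far as both files keep agreeing.
        n = block
        while i + n < len(new) and src + n < len(old) and new[i + n] == old[src + n]:
            n += 1
        if pending:
            ops.append((INSERT, bytes(pending)))
            pending = bytearray()
        ops.append((COPY, src, n))
        i += n
    if pending:
        ops.append((INSERT, bytes(pending)))
    return ops, hashlib.sha256(new).hexdigest()


def apply_diff(old, ops, expected_sha256):
    """Rebuild the new file from `old` + ops; reject on hash mismatch."""
    out = bytearray()
    for op in ops:
        if op[0] == COPY:
            _, src, n = op
            out += old[src:src + n]
        else:
            out += op[1]
    result = bytes(out)
    if hashlib.sha256(result).hexdigest() != expected_sha256:
        raise ValueError("patched file does not match expected hash; refusing to install")
    return result


def inserted_bytes(ops):
    """The literal new content carried in the diff (what a scanner sees)."""
    return b"".join(op[1] for op in ops if op[0] == INSERT)


if __name__ == "__main__":
    ops, digest = make_diff(OLD_DB, NEW_DB)
    print("ops:", ops)
    print("new bytes shipped in diff:", inserted_bytes(ops))
    assert apply_diff(OLD_DB, ops, digest) == NEW_DB
    print("patched copy verified against expected SHA-256")
```

The expected hash here is passed in directly for brevity; in a real updater it (or a signature over a manifest containing it) has to arrive over an authenticated channel, otherwise the check only catches corruption, not tampering, and an attacker on the path (the router scenario raised earlier in the thread) could substitute both the diff and its hash.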

