
Detection of possible ransomware, no option to clean



windows 10 enterprise

possible infected program: daemon tools lite

possible infection: MSIL\AVBDiscsoft.a

 

ok so i did a scan today and detection of MSIL\AVBDiscsoft.a which eset says is ransomware but the dialog box gives me no option to clean

the program that is supposedly infected is Daemontools which is a program that's been around since forever and it's been a long time but i'm sure i downloaded it from the official site, but maybe i got phished?  i'm not a noob, so could be false positive?  idk, but to be safe i wanted to delete the files anyway. 

so i can find in c:\users\me\dtlite.exe which i deleted and  was also detected at c:\program files\daemon tools lite\setup.dll which i deleted

the other is in c:\documents and settings\me\dtlite.exe which is system folder and could only find by showing system files in windows explorer, but that directory is still inaccessible.  so how do i delete that one?  and is it something i should be concerned with in the first place?


It's not ransomware;

Quote

MSIL/AVBDiscSoft.A is classified as a file infector.
A file infector is a type of malware that has the capability to propagate by attaching its code to other programs or files

https://www.fortiguard.com/encyclopedia/virus/10141333

Quote

File infecting viruses, or file infectors, generally copy their code onto executable programs such as .COM and .EXE files. Most file infectors simply replicate and spread, but some inadvertently damage host programs. There are also file infectors that overwrite host files. Some file infectors carry payloads that range from the highly destructive, such as hard drive formatting, or the benign, such as the display of messages.

https://www.trendmicro.com/vinfo/us/security/definition/file-infecting-viruses


  • Marcos changed the title to Detection of possible ransomware, no option to clean
  • Administrators
8 hours ago, d3adfish said:

ok so i did a scan today and detection of MSIL\AVBDiscsoft.a which eset says is ransomware but the dialog box gives me no option to clean

Please post a screenshot where ESET flagged the software as ransomware. I'd rather expect it to be detected as a potentially unwanted application. Moreover, the detection name comes from another AV maker as itman pointed out.


4 hours ago, Marcos said:

Please post a screenshot where ESET flagged the software as ransomware. I'd rather expect it to be detected as a potentially unwanted application. Moreover, the detection name comes from another AV maker as itman pointed out.

well thanks for the reply, after i deleted the files in the first two locations it's no longer detecting the third location

so i'm guessing maybe that c:\documents and settings\me is actually the same place as c:\users\me ?  and that the third detection was actually a repeat?

and in settings i have "cleaning level" set to "always ask the end user"  because i don't want it automatically deleting stuff that is safe, like it's done to me in the past, but yeah it would be the normal pop-up telling me it's detected a potentially unwanted program but in the dialog there's no option to clean or delete.  i guess at that point i would have to do a manual scan to be able to have the option to clean or delete?   (sorry i can't get screen shot, i already manually deleted file)
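
Whether two of the reported paths are the same file can be checked rather than guessed: on Windows Vista and later, C:\Documents and Settings is a compatibility junction that points at C:\Users, so a scanner can list one file under both names. The PowerShell below is an added example, not code from any poster or from ESET; `Resolve-ThroughLinks` is a hypothetical helper name, and the paths are the ones quoted in the posts above ("me" is the poster's own placeholder).

```powershell
# Added example: collapse detection paths that reach the same file through a junction.
# Paths copied from the thread; "me" stands in for the real profile name.
$detections = @(
    'c:\users\me\dtlite.exe',
    'c:\program files\daemon tools lite\setup.dll',
    'c:\documents and settings\me\dtlite.exe'
)

function Resolve-ThroughLinks {
    # Hypothetical helper: walk the path one component at a time and, whenever a
    # component is a junction or symlink, continue from its target instead.
    param([Parameter(Mandatory)][string]$Path)

    $parts    = $Path -split '\\'
    $resolved = $parts[0] + '\'                      # drive root, e.g. c:\
    foreach ($part in $parts[1..($parts.Count - 1)]) {
        $candidate = Join-Path $resolved $part
        # -Force is needed because the legacy junctions are hidden system items.
        $item = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
        if ($item -and
            ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -and
            $item.Target) {
            # Target is a string[] in Windows PowerShell 5.1 and a string in PowerShell 7.
            $candidate = @($item.Target)[0]
        }
        # A component that no longer exists (file already deleted) is kept as written.
        $resolved = $candidate
    }
    $resolved
}

# Group the reported paths by the location they actually resolve to.
$detections |
    Group-Object { (Resolve-ThroughLinks $_).ToLowerInvariant() } |
    ForEach-Object {
        [pscustomobject]@{
            ResolvedFile = $_.Name
            ReportedAs   = $_.Group -join '; '
            Duplicate    = $_.Count -gt 1
        }
    }
```

Rows with `Duplicate = True` are one file reported through more than one path, so removing it once clears every listed entry.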

 


11 hours ago, itman said:

wow, that's crazy. i have, and i'm sure lots of other people, have been using that program for prob 20+ years.  i wonder why all of a sudden they would turn a legit program into malware.  seems strange.  well thanks for the info.


5 hours ago, Marcos said:

Please post a screenshot where ESET flagged the software as ransomware. I'd rather expect it to be detected as a potentially unwanted application. Moreover, the detection name comes from another AV maker as itman pointed out.

oh i just re-read your reply it didn't actually get detected as ransomware, i believe it was unwanted application, it was when i looked up MSIL\AVBDiscsoft.a  somewhere it said that that was used in ransomware attacks


A fairly recent detection of MSIL\AVBDiscsoft.A at Hybrid-Analysis: https://www.hybrid-analysis.com/file-collection/651d7f7ee010e723a20317b5 with detailed analysis here: https://www.hybrid-analysis.com/sample/474e3d0c28f53b96ccd885f3b13a35868e1ff572294b89dd2bfa919722081ac0 shows the malware present in DotNetCommon64.dll.

Since this is a file infector, I would say you should at least run sfc /scannow from admin command prompt window to verify no OS files have been tampered with.


10 hours ago, Marcos said:

Moreover, the detection name comes from another AV maker as itman pointed out.

Eset does now detect it as "A Variant Of MSIL/AVBDiscSoft.A Potentially Unwanted Application" per recent VT scan: https://www.virustotal.com/gui/file/474e3d0c28f53b96ccd885f3b13a35868e1ff572294b89dd2bfa919722081ac0?nocache=1 .

I say now since prior scan results at VT were 7 months old with only two vendors detecting it.

Edited by itman

  • Administrators
7 minutes ago, itman said:

Eset does now detect it as "A Variant Of MSIL/AVBDiscSoft.A Potentially Unwanted Application" per recent VT

The detection is from Sept 2023 plus we'd been monitoring it for several months before.


This topic is now closed to further replies.