It’s me again, and I have yet another dilemma. I recently reformatted one of my laptops and did a clean install of XP Pro SP2. After getting all the updates for XP and Office, I then installed Avast!, Comodo Personal Firewall and Bitdefender, as well as my other personal applications. Everything seems good, but then my Avast! screen-saver scanner picks up a virus in “bdss.exe”, which turns out to be a component of BitDefender. The virus it picked up was “Saturday_14.669”. I did some research and it turns out to be a Trojan dropper…I do scans in safe mode for viruses and spy/malware with no results…and being the paranoid person I am, I’m wondering how I get these things when I haven’t even surfed the web (other than Windows Update). All I’ve basically done is install XP and Office, get updates, and install Avast/Comodo/BitDefender.
A similar problem happened with my Spyware Terminator (on another unit), but I thought it was a false positive, but maybe it isn’t. It wasn’t the Saturday Virus, but Tic-93. Interestingly enough, both are classified as “Droppers.” I’m a little concerned, after this other incident came up.
This is a rather stupid question, but could something or these “Droppers” be “living” in my network? Virus/malware scans on my units result in nothing, but I haven’t had a chance to check the other computers in my network. I have a mixed network of hard wired and wifi. The Wifi is password protected.
The only way to know if you’re clean is going on a long journey… especially steps 4, 5 and 6, if you’re not paranoid ;D.
Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.
Schedule a boot-time scan with avast!. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in SafeMode (repeatedly press F8 while booting).
It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
Also, if you are still detecting strange behaviors or you want to be sure you’re clean, making a HijackThis log to post here and, especially, scanning the RunScanner log and submitting it to on-line analysis may help to identify the problem and the solution.
After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
Well, bdss.exe is the BitDefender scan server. I have no idea how that works, but it may be possible that there are virus signatures used for detection within the scan server and they may be being detected by avast. I don’t know for sure; not knowing how BD works, it is just speculation on my part.
You could also check the offending/suspect file at the links below and report your findings. VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest; you will need to move it out.
I also assume this is the free version of BD?
Did this detection come when you were doing an on-demand scan with BD?
Thanks for the reply guys, you’re all excellent help.
Thanks for the advice, I tried the programs you suggested, and other than cookies here and there, the programs didn’t find any threats or viruses. There weren’t any rootkits, hidden processes, spy/scum/malware, Trojans, or viruses. I also had SpywareBlaster installed initially as well as Spyware Terminator, and Spyware Terminator didn’t detect any intrusive/unauthorized access. And to be on the safe side, I also ran the above scans in safe mode as well, and came up clean.
I think I’m just being overly paranoid…when I try to overprotect myself, and all these products just conflict with each other. But I’d rather be safe than sorry.
I used both VirusTotal and Jotti and it came up clean. You are correct, I am using the free version of BitDefender v10.
The detection occurred via Avast! screensaver scanning the memory and memory blocks. The same happened in my other thread about Spyware Terminator with Tic-93.
So I’m thinking it might be another FP…but I just don’t know anymore, since it’s two different “viruses” on two different machines, in which both machines came up clean when trying to actually detect them.
Thanks again for the advice/help, I appreciate it.
If it is indeed a false positive, it may well be; if, however, this was a memory detection, it may be that the application loads some signature files into memory to speed up scans and this could be detected. Though I can’t understand why an on-demand scanner would have a file/s loaded into memory.
Then add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.
Thank you Tech and DavidR, for the information and advice you both have offered. I’m almost certain now it’s a FP because I tested the theory by using an older machine I had and reformatted it cleanly with XP Pro and then immediately installed Avast and BitDefender free v10 from a flash drive (no Internet connection or updates). (I checked the apps on another machine to make sure they themselves were virus free, and they were)…then I tried the memory screensaver scan, and it still came up as a virus, but oddly enough, under another name. So I’ll do as you suggested and exclude it from future scans and try to submit it as well.