Author Topic: Cycbot-KI - False positive? Scared about rebooting  (Read 15165 times)

austea

  • Guest
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #15 on: September 27, 2011, 12:29:28 AM »
I'm only doing a weekly quick scan but caught this problem. Can you tell me as a newbie what I should do in the future when avast recommends putting something it's found into the chest? ???

Online DavidR

  • Avast Überevangelist
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #16 on: September 27, 2011, 01:37:55 AM »
Putting it in the chest is preferable to deletion as you have no options left. This gives time to investigate, and I would decline the suggestion to do a boot-time scan until you investigate, as it is possible to manually schedule a boot-time scan later.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

lplimac

  • Guest
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #17 on: September 27, 2011, 03:50:54 AM »
Quote
I had the same problem a couple hours ago. I found three instances of 'Win32:Cycbot-KI [ trj ]'. I decided to let avast do its thing and after restarting my computer I wasn't able to open most .exe applications and avast was disabled. It was a little frustrating but I found a fix for anyone else with the same problem. (On Windows 7) Go to Start/Search and type CMD. In the Search Results right click Command Prompt and choose Run as Administrator. In the Command Prompt type SFC /Scannow. Once it's finished corrupted files will be repaired and your .exe's will work once again. Cheers.

Thank you! Had the same problem, followed your directions and everything worked perfectly afterwards.

UserofAvast

  • Guest
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #18 on: September 27, 2011, 04:08:55 AM »
Newest definitions update seems to have fixed the problem for me.  Same scans are showing clean, now.

kecsek

  • Guest
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #19 on: September 27, 2011, 04:21:57 AM »
Quote
I had the same problem a couple hours ago. I found three instances of 'Win32:Cycbot-KI [ trj ]'. I decided to let avast do its thing and after restarting my computer I wasn't able to open most .exe applications and avast was disabled. It was a little frustrating but I found a fix for anyone else with the same problem. (On Windows 7) Go to Start/Search and type CMD. In the Search Results right click Command Prompt and choose Run as Administrator. In the Command Prompt type SFC /Scannow. Once it's finished corrupted files will be repaired and your .exe's will work once again. Cheers.

Thank you very much! Computer is working again :)

endofthedream

  • Guest
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #20 on: September 27, 2011, 02:07:48 PM »
Essexboy noted: I must admit as soon as I saw the number of posts on this I did an immediate full scan on my system to check if it was a FP.  I received no hits on those files ... Win7 64 bit

This post is not exactly "new."  It was provoked by the three instances of the Win32:Cycbot-KI[trj] "warning" that appeared 3 days ago (I'm using Windows 7, 64 bit).  Actually there were only two instances, as the third flagged file was a duplicate of the first (apparently being a systems file that should never have been removed!).

When given a "Threat Alert" after or during an Avast! scan, how does one who is not particularly savvy with computers differentiate between a genuine virus (which needs attending to and should probably be removed, repaired, or moved to the virus chest) and a false positive which probably should be left alone?

I asked this question before at the end of my post but it probably got lost in all the verbiage.  Sorry.  :(

endofthedream
« Last Edit: September 27, 2011, 02:17:59 PM by endofthedream »

Offline essexboy

  • Malware removal instructor
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #21 on: September 27, 2011, 02:24:02 PM »
If it is a system file then first select repair, if that fails then I would recommend that you come to the forum and ask the question here 

Stian17

  • Guest
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #22 on: September 27, 2011, 06:52:28 PM »
I got the same problem, but with Windows XP... I am really stuck and have no clue on what to do because the way that works for windows 7 does not work for me.

Offline essexboy

  • Malware removal instructor

endofthedream

  • Guest
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #24 on: September 29, 2011, 04:58:23 AM »
Quote
If it is a system file then first select repair, if that fails then I would recommend that you come to the forum and ask the question here

Okay.

But - and please forgive my lack of knowledge - how can one tell whether or not the flagged file is a system file?  Is the presence of "Sys" in the file name sufficient evidence or is the ".dll" necessary also (or some other component)?  Had I known the answer to this question, I would not have moved the false-positive file under discussion, c:\windows\syswow64\kernel32.dll>[emul], into the Chest.

Thanks for all your help!

Online DavidR

  • Avast Überevangelist
Re: Cycbot-KI - False positive? Scared about rebooting
« Reply #25 on: September 29, 2011, 01:25:05 PM »
Essexboy is on holiday now as his last post indicates.

In certain locations the kernel32.dll is a system file; this is also an important system file. The problem being this file is a bit weird as it is a 32bit dll, that is why it is in the syswow64 folder so that 32bit applications can use it.

Quote
When executing 32-bit applications, WoW64 transparently redirects 32-bit DLLs to %SystemRoot%\SysWOW64, which contains 32-bit libraries and executables. ...

For some reason the emulation function in the scan considered this infected, I don't know what this reason is.

A bit of speculation on my part after information from another source - In this case if you had ignored the detection and rebooted, then the copy of the file in the syswow64 folder would have been recreated and may not be subsequently detected. So the detections on files in the syswow64 folder are a bit weird as they aren't actually the original file but a copy of it. So I don't know why the emulation element found it strange enough to flag it.

But I don't know what would happen with the other occurrences, which is why following that guide was advised by essexboy.
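
On the question asked in the thread of how to tell whether a flagged file is a genuine system file: the following is an added PowerShell example, not part of the original posts, that checks the file's location, its Microsoft signature and its SHA-256 before anything is moved to the Chest. The function name `Get-FlaggedFileTriage` is hypothetical, and the `SignatureType` and `IsOSBinary` properties assume PowerShell 5.1 or later.

```powershell
# Added example: triage a file the scanner flagged before deciding what to do with it.
function Get-FlaggedFileTriage {
    param([Parameter(Mandatory)][string]$Path)

    $full = [System.IO.Path]::GetFullPath($Path)
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
        throw "File not found: $full"
    }

    # Location alone is weak evidence: any file can carry "Sys" or ".dll" in its name.
    $winDir = $env:SystemRoot.TrimEnd('\') + '\'
    $underWindows = $full.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)

    # Checks embedded and catalog signatures; a modified copy no longer validates.
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # SHA-256 of the file, usable for a lookup on a multi-engine scanner.
    $hash = Get-FileHash -LiteralPath $full -Algorithm SHA256

    [pscustomobject]@{
        Path             = $full
        UnderWindowsDir  = $underWindows
        SignatureStatus  = $sig.Status
        SignatureType    = $sig.SignatureType
        IsOSBinary       = $sig.IsOSBinary
        Signer           = $signer
        SHA256           = $hash.Hash
        # All three must hold before treating the file as an OS component.
        LikelySystemFile = $underWindows -and ($sig.Status -eq 'Valid') -and $sig.IsOSBinary
    }
}

# The file discussed in this thread, on a 64-bit Windows install.
Get-FlaggedFileTriage -Path "$env:SystemRoot\SysWOW64\kernel32.dll" | Format-List
```

A result with `LikelySystemFile` set to `True` points towards a false positive worth reporting rather than quarantining; the SHA-256 can be searched on VirusTotal without extracting or uploading the file.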