Charlie7000

Heur.AdvML.C. is it a false positive?

Just to be clear, it was Norton Security that blocked Heur.AdvML.C. Now two things happened just before that popped up. Firstly I installed Malwarebytes and unsubscribed from the premium trial so it was for scan only. I did that because I was about to insert a USB drive that had been in a laptop I had just bought - just in case the USB had got a virus from the laptop (belt and braces). The laptop I used to do all this is a spare one I don't use, with nothing on it except a recent clean install of Windows 10. First thing I thought was Norton thinks something in Malwarebytes is some kind of threat. However it keeps coming up. I am now wondering if the USB was infected and something is on the laptop. On first putting the USB in the laptop I scanned it with Malwarebytes - nothing showed. I then scanned it with Norton. Nothing there. Only after those scans of the USB did the pop-up come from Norton with the message about Heur.AdvML.C, which it has classed as medium risk.

First instinct was it was a false positive since Malwarebytes had just been installed. However the laptop I had used the USB in may well have viruses - I used the USB to wipe the drive clean but there is another drive on it (soldered to the motherboard) that was the original boot drive and isn't showing in BIOS - I assumed it had died. Also keyboard and mouse don't work on that laptop after BIOS (but work when in BIOS). Anyway have just about decided to give up on fixing that one. Main issue is - have I infected my spare laptop via the USB or is it a false positive? Thanks.


Hello @Charlie7000 and welcome.

Let's go ahead and run some scans and get some logs to see if we can find anything.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 

Edited by AdvancedSetup
Updated download links


Thanks very much for responding Ron. Shortly after that, Norton found W32.Sillyfdc and removed it, requiring a restart. Bit of a panic after googling what that was so shut down the WiFi, burned a new USB with Parted Magic (on my main laptop). And wiped the drive and met of the infected PC - then binned the USB stick.

Hope you can follow this - I have quite a few computers.

However - at the same time Norton found W32.Sillyfdc, I had another laptop turned on nearby and my iPhone nearby made a beep for no reason. That was when I turned off the WiFi and have been trying to methodically go through what needs to be done to prevent W32.Sillyfdc spreading via the network.

Have now wiped that second laptop and reset my iPhone to factory settings.

What next please? Would like to upgrade the router firmware but that means turning WiFi back on. Other devices that have been using the WiFi are - 2 other iPhones and a Nintendo Switch plus a couple of Linux laptops. I realise those gadgets can’t get Windows viruses but think they could contain them via the network and pass them on when plugged into a PC via USB? E.g. to do iPhone backups etc.

So advice on what to do next re the network and other devices would be appreciated. Meanwhile have installed Panda vaccine on my main PC and vaccinated all other USB sticks.

 


What I find amazing is that the USB stick got infected by an apparently dead drive on a PC I was fixing. It was a netbook with 2 drives - the main boot drive didn’t show in BIOS or in Parted Magic. I was installing Linux on the second, working drive via USB stick. Gave up trying to install because keyboard and mouse weren’t working. Because keyboard worked at BIOS level I suspected a virus on the hidden/dead boot drive. And stupidly decided to test to see if the USB stick had picked up a virus by sticking it into an unused laptop with no files on (had Norton on though). I had assumed that as the USB only contained a Linux ISO it would not get viruses.

Not doing that again!


This is not a virus. It's a worm and it does transfer via USB.

Since you've thrown the USB stick away (didn't need to; you could just format it) and each system, I would think you're okay now.

You can download and run the following Kaspersky antivirus and scan all your systems and any other external drives, or USB disks and see if it can find anything else.

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not


Thank you Ron. Doing that now. As the worm lives in the memory apparently and launched from there - do I need to change my RAM stick? Or is it not possible for it to stay in the memory once the drive is erased? Thanks,


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
