bluefire.exe

Discussion in 'NOD32 version 2 Forum' started by Kampfwurst, Jan 11, 2008.

Thread Status:
Not open for further replies.
  1. Kampfwurst

    Kampfwurst Registered Member

    Joined:
    Jan 11, 2008
    Posts:
    7
    Hello
    I have the problem that NOD32 V2.7 is not deleting bluefire.exe. When I scan the file it says that there is no VIRUS.

    When I use AVG it says that there is a virus and it is cleaning it.
     
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi,

    where is the file located?
     
  3. Kampfwurst

    Kampfwurst Registered Member

    Joined:
    Jan 11, 2008
    Posts:
    7
    It's on every partition but it is hidden. It's activated when you double-click on the drive. When you open it with Explorer then nothing happens.
    The main part is under C:/Windows, also as a hidden file, but it is called svhost.EXE. You also find it in the Task Manager. The EXE is written in capital letters.

    Sample

    From other users:

    Bluefire.exe - how do I get rid of this? Help!
    It all started when somebody used their USB flash disk on my PC. I obviously scanned it first, and my NOD32 AntiVirus indicated there was no virus. But when I opened his flash, this error message appeared:
    "Bluefire.exe
    The application failed to initiate properly (0xc0000005). Click OK to terminate the application"
    It's been appearing ever since! And my PC is slowing down, Flash discs can't be stopped... HELP!
     
  4. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Yes, you have got malware on your PC. I recommend you visit some forum where you can send logs from miscellaneous utilities. Don't forget to send all infected files to samples[at]eset[dot]sk. In the subject, give the name of this thread.

    Thanks :thumb:
     
  5. Kampfwurst

    Kampfwurst Registered Member

    Joined:
    Jan 11, 2008
    Posts:
    7
    I was sending all the files to ESET, but nothing happened. It was 1 month ago.
     
  6. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Were the files packed in an archive with the password "infected"? From which address did you send them? Then they can find them sooner.

    Thanks :thumb:
     
  7. Kampfwurst

    Kampfwurst Registered Member

    Joined:
    Jan 11, 2008
    Posts:
    7
    Can you send me the address? Then I'll send the files again.
     
  8. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Thanks ;)


    If you want to show them on your system, use Total Commander. Type this when you are in the folder where those files are located:

    attrib -S -H -R "name of file.extension"

    You can delete them, but I think that they are written in the Registry. Run regedit and find entries with the name "svchovst.exe".

    :thumb:
     
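    A defender-side audit of the autorun mechanism this thread describes (a drive that launches a hidden executable when it is double-clicked), added here as an example; it is not code from the thread, from ESET or from Total Commander. It parses a drive root's autorun.inf for the launch keys, reports whether each referenced file exists and whether it carries the Hidden/System attributes that attrib -S -H clears, and runs against a constructed temp-dir sample with a harmless empty bluefire.exe placeholder.

```python
from pathlib import Path
import tempfile
# Constructed sample autorun.inf mirroring the thread's symptom (not a real capture).
SAMPLE_AUTORUN = "[autorun]\nopen=bluefire.exe\nshell\\open\\command=\"bluefire.exe\" -s\nicon=shell32.dll,4\n"
# Keys Windows consults when a drive is opened or auto-played.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
HIDDEN_SYSTEM = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM: the bits attrib -S -H clears

def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section; blank and comment lines are skipped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def first_token(value):
    """Executable name from an autorun value: honour a leading quote, otherwise stop at whitespace."""
    return value[1:].split('"', 1)[0] if value.startswith('"') else (value.split() or [""])[0]

def launch_targets(entries):
    """List (key, executable) pairs that would run when the drive is double-clicked."""
    return [(k, first_token(entries[k])) for k in LAUNCH_KEYS if k in entries]

def audit_drive(root):
    """Report each autorun launch target under a drive root: does it exist, is it hidden/system?"""
    inf = Path(root, "autorun.inf")
    if not inf.is_file():
        return []
    entries = parse_autorun(inf.read_text(encoding="latin-1", errors="replace"))
    report = []
    for key, exe in launch_targets(entries):
        target = Path(root, exe)
        present = target.is_file()
        # st_file_attributes exists only on Windows; elsewhere the attribute test degrades to False.
        attrs = getattr(target.stat(), "st_file_attributes", 0) if present else 0
        report.append({"key": key, "exe": exe, "present": present, "hidden": bool(attrs & HIDDEN_SYSTEM)})
    return report

def demo():
    """Build a constructed drive root in a temp dir (autorun.inf plus an empty bluefire.exe) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "autorun.inf").write_text(SAMPLE_AUTORUN)
        Path(root, "bluefire.exe").touch()  # empty placeholder, never executed
        return audit_drive(root)
```

    On a real removable drive, point audit_drive at the drive root; a launch target that exists and reports hidden True is the pattern this thread is describing.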
  9. Kampfwurst

    Kampfwurst Registered Member

    Joined:
    Jan 11, 2008
    Posts:
    7
    I know how to delete it, but normally NOD32 should do it.

    I will also send you another file to your address.
     
  10. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    After update 2788 your samples are detected as INF/Autorun and Win32/Hupigon.NEH

    Thanks :thumb:
     
  11. Kampfwurst

    Kampfwurst Registered Member

    Joined:
    Jan 11, 2008
    Posts:
    7
    Thank you

    Very good support

    If I have still a problem then I will send the file sample to you.

    Greetings Christoph
     
  12. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    No problems, thanks. :thumb:
     
  13. Kampfwurst

    Kampfwurst Registered Member

    Joined:
    Jan 11, 2008
    Posts:
    7
    I have now a new type of bluefire.exe

    I was sending it to samples[at]eset[dot]sk
     
  14. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi!

    After a quarter of the file there are only zeros => I think the file is damaged. Only at the beginning can there be some threat. But when the threat isn't complete, analysts can't add it.

    :thumb:
     