Virus detection: Trojan:Win32/Bluteal.B!rfn

Microsoft Security Essentials is detecting Trojan:Win32/Bluteal.B!rfn each time PIA is launched, in this file:

C:\Users\[Username]\AppData\Local\Temp\ocrB3C6.tmp\lib\ruby\gems\2.4.0\gems\ocra-1.3.12pia\share\ocra\edicon.exe

I've been using the new desktop client since it was released last month without incident. I reinstalled the client to the same effect.



Comments

  • I am also getting the same thing. I would love a reply from PIA about this. VirusTotal is saying 5/67, which isn't too bad.
  • Same error as fc2000. Fresh install of Windows 10 1803.
  • Same error here, completed update to Win 10 1803 yesterday and now have this. Two affected items with 'TrojanWin32/Bluteal.B!rfn':

    file: C:\Users\[Username]\AppData\Local\Temp\ocr3A3D.tmp\lib\ruby\gems\2.4.0\gems\ocra-1.3.12pia\share\ocra\edicon.exe
    file: C:\Users\[Username]\AppData\Local\Temp\ocr43A3.tmp\lib\ruby\gems\2.4.0\gems\ocra-1.3.12pia\share\ocra\edicon.exe
  • edited June 2018
    Same here.
    I did a clean install of Windows 10 and am seeing Windows Defender detecting "trojan:win32/bluteal.B!rfn" for file edicon.exe.
    I downloaded pia-v80-installer-win.exe from the website.
    PIA folks, can you guys please comment on this?
    Jos
  • False Positive
  • Thanks for the reports. I have escalated this to our Desktop development team for resolution and comment.
  • Also had this happen to me. Same exact thing as es3908's post.
  • edited June 2018
    Also for me. But I uninstalled the PIA app and installed the openvpn application. Works fine.
    If you want, go to the PIA website.
    Click on the Support tab up top.
    Click on Guides.
    Then click on Windows OpenVPN setup on the left side.
    The directions are pretty simple.
  • edited June 2018
    Ditto - what's the deal?!?

    PIA is now uninstalled... account cancellation is going to be coming soon if we don't get news of this being a false positive...
  • Same deal here, and I have reverted to an earlier version of PIA. Please check this out and let us know as soon as you can.

    thanks

  • It is likely a false positive - I say that because it now comes up on both earlier versions of PIA that I just tried using.
    VirusTotal does not see anything wrong with the PIA files themselves.
  • Add me to this list, my MS Defender just notified me about this. What is going on?
  • If you look at the VirusTotal scan, all of the big AV companies say it's clean; it's just a false positive from Windows Defender.

  • I'm having the same problem and I'm very concerned. 
  • edited June 2018
    I don't use a VPN or PIA; a Google search led me to this thread. I also had this trojan detected on my PC today. It says the trojan came from the Logitech SetPoint software that I downloaded off my Google Drive account, and Google Drive scans the file before downloading it to my PC, and Google didn't flag the file as having a trojan. That makes me think something is causing a false positive as mentioned earlier, but I don't know enough about this stuff to say how or why it's happening.
  • Bump - Are there PIA alternatives? I can't have a compromised VPN. 

    file: C:\Users\user\AppData\Local\Temp\ocr22B3.tmp\lib\ruby\gems\2.4.0\gems\ocra-1.3.12pia\share\ocra\edicon.exe

    Trojan:Win32/Bluteal.B!rfn

    Severe |Detected with Windows Defender Antivirus



  • False positive here as well. All other scans say it's clean. I've restored the files, but can PIA send a note over to the Windows team and ask to clear the issue? It's a minor inconvenience for myself, but my phone is blowing up with clients using PIA freaking out about their machines. Would love a resolution just to make my job a little easier I guess?
  • MVW
    edited June 2018
    peej said:
    Ditto - what's the deal?!?

    PIA is now uninstalled... account cancellation is going to be coming soon if we don't get news of this being a false positive...
    Oh shush. It's most likely a mistake / false positive, we don't even know by who - it could have been a problem by Microsoft since they are the only ones marking it as a virus. PIA has a fantastic service for a fantastic price. Stop acting like an angry house mum demanding to talk to a manager and making useless threats for money back. It's a small mistake that doesn't affect anyone in the slightest.

    Patience. I'm sure they're working on it. You're the victim of one small notification when your PC starts up in the bottom right hand corner that disappears by itself after two seconds. It's not the end of the world.
  • Really wish PIA would address this and soon.  This wrecked my afternoon for productivity.  I started cleaning my machine and researching where the malware originated and fortunately found this page only after wasting time and losing productivity (which equals lost money).

    I don't care whose fault it is, I just want it addressed ASAP.
  • Same problem here, would really like a response on this.
  • I'm also very surprised that PIA is not treating this with a sense of urgency.  I agree it's most likely a false positive, but come on PIA, get grinding will ya.
  • edited June 2018
    Weird thing is: in the folder of the virus/false-positive (edicon.exe) there is a stub.exe and two other .exe
    Whoever's in the scene knows what stubs are good for... really suspicious

  • pJester said:
    Weird thing is: in the folder of the virus/false-positive (edicon.exe) there is a stub.exe and two other .exe
    Whoever's in the scene knows what stubs are good for... really suspicious
    A stub is used to encrypt the executable files which can be used to crypt malware ;) Maybe the files being encrypted is causing the false positive, who knows. I have sent the files up to Kaspersky anyway to have a look at them.
  • MVW said:
    peej said:
    Ditto - what's the deal?!?

    PIA is now uninstalled... account cancellation is going to be coming soon if we don't get news of this being a false positive...
    Oh shush. It's most likely a mistake / false positive, we don't even know by who - it could have been a problem by Microsoft since they are the only ones marking it as a virus. PIA has a fantastic service for a fantastic price. Stop acting like an angry house mum demanding to talk to a manager and making useless threats for money back. It's a small mistake that doesn't affect anyone in the slightest.

    Patience. I'm sure they're working on it. You're the victim of one small notification when your PC starts up in the bottom right hand corner that disappears by itself after two seconds. It's not the end of the world.

    You're kidding me right? 

     "It's a small mistake that doesn't affect anyone in the slightest." <-- Yes if it's a false positive. Hopefully that's what it is. The onus is on PIA to get that kind of *reassuring* info out as quickly as possible. 
  • I had the same thing this morning. This afternoon I got three consecutive blue screens of death while trying to start Windows on my laptop. I managed to successfully boot Windows and log in after breaking the loop of automatic repair and reboots and restarting manually. I'm not sure it's related, but it's a scary coincidence at best. I thought I might as well let people know.

    After that I turned my laptop on and off several times again, ran several scans with Malwarebytes and Windows Defender, and everything looks ok so far. PIA doesn't raise any more alerts from Defender. Weird. I deleted the threat in Defender too and PIA still runs fine.

    I don't have the latest version by the way. I have v79.
  • Same alerts for me since today.
    Not "the end of the world" but we could expect a clear message from PIA team about what to do with this exe.

    Thanks
  • fz44 said:
    Same alerts for me since today.
    Not "the end of the world" but we could expect a clear message from PIA team about what to do with this exe.

    Thanks
    Did you get the update that was released in the last day? It does specify that it fixes a "false positive" (which, of course, is what anyone claims when they're caught distributing either a real trojan *or* a false positive). 

    Defender quarantined the alleged trojan for me yesterday, but PIA ran fine without whatever it was (also suspicious). It didn't seem to get reintroduced by the update today.
  • I hope it's really fixed. Every time I ran the PC, Windows Defender was always showing the "False Positive" as a Trojan with the Severe Threat Classification. There should be an official statement from the PIA team explaining it. There's no harm in that. I believe the customers deserve some respect and honesty, in these troubled times that we live in nowadays.
