VawTrak or False Positive


othertom2015


There are conflicting answers to the issue of whether Trojan.Vawtrak.ED is a false positive. On June 23, 2015 MBAM detected this trojan on my system and quarantined 2 files.

One is shown in the attached screenshot, and the other was under the MBAM program data files, which I restored as per instructions in another post that this trojan is a FP. The file shown in the screenshot will not restore from MBAM, saying access is denied.

MBAM Pro removed this file from a Windows 7 slave drive in my computer that now will no longer boot. In other posts here, and on the day of the Vawtrak detection, we were told Vawtrak is a FP.

Can I get a straight answer here, as I am running Win 10 Insider Preview, which has expired, and I wish to use the secondary Win 7 HD as the operating system, as I have moved all data files there from the Win 10 HD.

Thank you for your help in advance. Attached is a screenshot of the Vawtrak quarantined file with a check mark next to it (a very long Windows file name). Please advise.
Thank you


Below is a copy of the scan log that originally detected the 2 files quarantined by MBAM as Trojan.Vawtrak.ED. I apologize for forgetting to post it above. Please note the log states Windows 8, but I am actually running Win 10 Insider Preview.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/23/2015
Scan Time: 4:07 PM
Logfile: vawtrak-detectionlog-06-23-2015.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.23.07
Rootkit Database: v2015.06.22.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8
CPU: x64
File System: NTFS
User: Tester

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 668837
Time Elapsed: 27 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
Trojan.Vawtrak.ED, G:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\usp10.dll-k.mbam, Quarantined, [5ec5dae48efc290ddd09c2b4f70bec14],
Trojan.Vawtrak.ED, G:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\usp10.dll-u.mbam, Quarantined, [ba693f7f58326cca24c242342fd321df],
Trojan.Vawtrak.ED, G:\Windows\winsxs\Backup\amd64_microsoft-windows-usp_31bf3856ad364e35_6.1.7601.17514_none_0b207e7d6f1bea6f_usp10.dll_8785b649, Quarantined, [1e052797f199a1958e583e389e64d729],

Physical Sectors: 0
(No malicious items detected)


(end)


  • Staff

Hello,

I do not see an attached screenshot.

Is this screenshot from the recent detection or the one that was a f/p?

The dll file that you attached is VawTrak.

We have plenty of VawTrak detections, but back in June we had a detection that was a f/p and hit a Windows file.

The file "8afc49b02429a - Copy": I have no clue what that is. Is this a copy of the file from MBAM quarantine?

What is drive G:\? The unbootable Windows 7 drive (from the f/p back in June)?


Hi, and thank you for answering!
The screenshot was just to show the file name; it is of no importance.

Yes, this is the log of the files that were quarantined on June 23, 2015. I restored one of these files last night, ran a scan, and found no issues. Only one of the files below was in quarantine last night.

Trojan.Vawtrak.ED, G:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\usp10.dll-k.mbam, Quarantined, [5ec5dae48efc290ddd09c2b4f70bec14],
Trojan.Vawtrak.ED, G:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\usp10.dll-u.mbam, Quarantined, [ba693f7f58326cca24c242342fd321df],

** Still in quarantine is this file, which is my concern, as it is a Windows file and will not restore:

Trojan.Vawtrak.ED, G:\Windows\winsxs\Backup\amd64_microsoft-windows-usp_31bf3856ad364e35_6.1.7601.17514_none_0b207e7d6f1bea6f_usp10.dll_8785b649, Quarantined, [1e052797f199a1958e583e389e64d729],

I do not understand what you are referring to here ("The file "8afc49b02429a - Copy" - I have no clue what that is.."), as I do not see this in the log file I sent you.
I am going to retest the Windows 7 drive for boot now.

Thank you

"What is drive G:\ - the unbootable Windows7 Drive? (from the f/p back in June?)"

Yes, this is the Win 7 unbootable drive from the FP back in June.


  • Staff

Hello,

This file:

Trojan.Vawtrak.ED, G:\Windows\winsxs\Backup\amd64_microsoft-windows-usp_31bf3856ad364e35_6.1.7601.17514_none_0b207e7d6f1bea6f_usp10.dll_8785b649, Quarantined, [1e052797f199a1958e583e389e64d729],

It is a backup copy of the file, so it is not critical for boot/OS operation.

The reason for "access denied" is the permissions set on the directories under winsxs. TrustedInstaller owns it, and only TrustedInstaller has full permissions to it. (TrustedInstaller is even higher than Admin.)

You can take ownership of that specific directory (grant it to Administrators; taking ownership of the entire winsxs or Backup dir is not recommended), then grant Administrators full permissions, and the file should restore OK. If not, you may be able to get a copy from your other Win7 machine to put in place. Just make sure the version number matches (or rather, take the file from exactly the same folder).

How to take ownership (please be careful with this!):

http://www.7tutorials.com/take-ownership-and-change-permissions-files-and-folders

If you do not feel comfortable doing it, that's OK; that file is not critical anyway, as it is a backup, not the one the OS uses to boot with.

"Do not understand what you are referring to here - "The file "8afc49b02429a - Copy" - I have no clue what that is.." - as I do not see this in the log file I sent you."

This file was not in the log you posted, but it was in the zip file you attached.

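The staff reply above describes the procedure in words: grant Administrators ownership and full control on just the one WinSxS location that holds the quarantined entry, restore the file (from quarantine or from the same folder on a healthy Windows 7 machine), and check that the version matches. Below is an added PowerShell script that carries that procedure out, reverts the ACL change afterwards, and verifies the restored file by version and SHA-256 against a known-good copy. It is not code from the thread or from Malwarebytes. It assumes an elevated PowerShell on the Windows 10 host with the Windows 7 slave disk mounted as G:, it takes the folder and entry name from the scan log in this thread, and the path of the known-good reference copy (`D:\known-good\usp10.dll_8785b649`) is hypothetical.

```powershell
# Added example: scoped, reversible ownership change on ONE WinSxS folder, then
# verification of the restored file. Not part of the original thread.
# Assumptions: elevated PowerShell on the Win 10 host; Win 7 disk mounted as G:;
# $Reference is a copy of the same Backup entry taken from a healthy Win 7 SP1 x64 box.

$WinSxS      = 'G:\Windows\winsxs'
$BackupDir   = Join-Path $WinSxS 'Backup'
$EntryName   = 'amd64_microsoft-windows-usp_31bf3856ad364e35_6.1.7601.17514_none_0b207e7d6f1bea6f_usp10.dll_8785b649'
$Restored    = Join-Path $BackupDir $EntryName
$Reference   = 'D:\known-good\usp10.dll_8785b649'          # hypothetical path
$AclSaveFile = Join-Path $env:TEMP 'winsxs-backup-acl.txt'

function Assert-SafeTarget {
    param([string]$Path)
    # Refuse winsxs itself or anything outside it: only one folder below it may be touched.
    if ($Path -eq $WinSxS -or
        -not $Path.StartsWith("$WinSxS\", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to change ownership of '$Path'; only a single folder below $WinSxS is allowed."
    }
}

function Save-DirectoryAcl {
    param([string]$Dir, [string]$SaveFile)
    # icacls /save stores the DACL keyed by the entry name relative to its parent,
    # so the matching /restore is run against the parent directory later.
    & icacls $Dir /save $SaveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed for $Dir" }
    return (Get-Acl -Path $Dir).Owner     # expected: NT SERVICE\TrustedInstaller
}

function Grant-TemporaryAdminAccess {
    param([string]$Dir)
    Assert-SafeTarget -Path $Dir
    & takeown /F $Dir /A | Out-Null       # /A: owner becomes the Administrators group
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Dir" }
    & icacls $Dir /grant 'BUILTIN\Administrators:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $Dir" }
}

function Restore-DirectoryAcl {
    param([string]$Dir, [string]$SaveFile, [string]$Owner)
    # Put the saved DACL back and hand the folder back to its original owner.
    & icacls (Split-Path -Parent $Dir) /restore $SaveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /restore failed for $Dir" }
    & icacls $Dir /setowner $Owner | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed for $Dir" }
}

function Test-RestoredFile {
    param([string]$Candidate, [string]$KnownGood)
    # Trust the restored file only if it is byte-identical to the copy from the same
    # Backup entry on a healthy machine; the version must also match the folder name.
    $c = Get-Item -Path $Candidate
    $k = Get-Item -Path $KnownGood
    $cHash = (Get-FileHash -Path $Candidate -Algorithm SHA256).Hash
    $kHash = (Get-FileHash -Path $KnownGood -Algorithm SHA256).Hash
    [pscustomobject]@{
        FileVersion = $c.VersionInfo.FileVersion   # should start with 6.1.7601.17514
        SameVersion = ($c.VersionInfo.FileVersion -eq $k.VersionInfo.FileVersion)
        SHA256      = $cHash
        Identical   = ($cHash -eq $kHash)
    }
}

# --- sequence -------------------------------------------------------------
$owner = Save-DirectoryAcl -Dir $BackupDir -SaveFile $AclSaveFile
Grant-TemporaryAdminAccess -Dir $BackupDir
try {
    # With Administrators now holding Full control on the folder, restore the item from
    # Malwarebytes quarantine (Quarantine tab -> Restore). If that still fails, copy the
    # known-good file into place instead:
    if (-not (Test-Path -Path $Restored)) {
        Copy-Item -Path $Reference -Destination $Restored
    }
}
finally {
    Restore-DirectoryAcl -Dir $BackupDir -SaveFile $AclSaveFile -Owner $owner
}

Test-RestoredFile -Candidate $Restored -KnownGood $Reference | Format-List
```

The `finally` block runs whether or not the restore succeeds, so the folder does not stay Administrators-writable afterwards; the `Identical` and `SameVersion` fields in the output are the check the staff reply asks for before relying on the file.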

Hi,

Thank you so very much for your help on this issue. I understand all that you have posted and so appreciate your time and expertise.

I am a computer reseller/tech and always install, recommend and use MBAM on new systems as well as repaired systems.  I am impressed by the help I have received from you and will continue to use MBAM on all systems I sell or work on!

 

Thanx again

 

D
