Windows 10 upgrade Trojan.MalPack.Generic?


Hi, I ran a full scan tonight and found Trojan.MalPack.Generic in the Windows 10 upgrade hidden folder. Could it possibly be that Microsoft is packing trojans in Windows 10 now?


Malwarebytes Anti-Malware

Scan Date: 14/01/2016
Scan Time: 9:41 PM
Administrator: Yes

Malware Database: v2016.01.14.03
Rootkit Database: v2016.01.09.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 599128
Time Elapsed: 1 hr, 51 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.MalPack.Generic, C:\$Windows.~BT\Sources\SafeOS\SafeOS.Mount\Windows\System32\config\SOFTWARE{c7a35740-26e2-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, Quarantined, [cdbe54e5c4d5b1853079114dfe0352ae],

Physical Sectors: 0
(No malicious items detected)




  • Staff

Interesting... has this folder been on your machine for a while & do you have system restore enabled?


No, no need to do a system restore, but I am looking to recover the file using the "restore previous versions" function... there might be a copy of it in your shadow copies.

I am doing an update now that will fix this, so please wait until I tell you it's released, then we can look for the file.

Otherwise MBAM will keep nuking the file on you...

About 10 minutes wait...


  • Staff

2016.01.14.05 is released. Likely a couple of minutes before you get the update.

You might need to shut down & restart MBAM to apply the new defs.

Once you have the new defs, go to this folder:
Right-click "config" & select "restore previous versions".

New window opens with a list of previous versions of this folder.

Select yesterday's or the newest date listed & choose "open".

This opens a new (read only) copy of that folder.

Select "SOFTWARE{c7a35740-26e2-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" & copy the file out somewhere you can access it.

Please zip it & attach here.

If you cannot, please note the size of the file & let me know.




There is no previous version, sorry. I also had to go to \\localhost\c$\ to even get the option for previous versions in Windows File Explorer. There was no option to begin with to check for previous versions; you might have to replicate the download of the Windows 10 update to grab the file for inspection, as I cannot restore the file.


I noticed after I uploaded it that it was different; I think it's just a different version. I'm not totally sure how it would help even if you could reproduce it. I can't get hold of the file though, sorry, I tried my best. It's interesting even if it was a false positive, since a lot of people don't trust Windows 10 because of its privacy issues, so I did want to try to help, and maybe the Malwarebytes team could have looked deeper into the file.


  • Staff

It may have been Windows itself that deleted the file...


These files are dynamically created and then deleted by Windows itself.

Because of this, each time you see these, they will be different.


Whenever there are any changes made to the Windows registry (Vista/Windows 7), Windows creates these regtrans-ms files, then after a bit they are deleted by Windows itself.

It is an inbuilt protection against registry corruption.

The strange thing is they are not even executable files (like dll, exe, sys, etc. files are), so this should never have even been detected unless it was really a dll or something faking itself as something else.

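The staff reply above points out that a .regtrans-ms file should never contain executable code, so a detection on one only makes sense if the content is really a PE image wearing a non-executable extension. The following added example (not from the thread or from Malwarebytes) shows how a defender can check that: it inspects the file header rather than trusting the extension, and flags files whose bytes form a valid MZ/PE image but whose name does not end in an executable extension. All sample bytes are constructed inline; the file names and the extension list are illustrative assumptions.

```python
import os
import struct

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".drv"}  # assumed list


def is_pe_image(data: bytes) -> bool:
    """True if data starts with an MZ DOS header whose e_lfanew points at 'PE\\0\\0'.

    Bounds checks keep the parser safe on truncated or garbage input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE signature
    if e_lfanew + 4 > len(data):
        return False                                      # header points past the end
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(name: str, data: bytes) -> str:
    """Compare what the bytes say against what the extension claims."""
    ext = os.path.splitext(name)[1].lower()
    if is_pe_image(data):
        if ext not in EXECUTABLE_EXTS:
            return "suspicious: PE image with non-executable extension"
        return "pe"
    return "not-pe"


def scan_files(files: dict) -> dict:
    return {name: classify(name, data) for name, data in files.items()}


def _constructed_pe() -> bytes:
    """Constructed minimal PE layout: DOS header, e_lfanew, PE signature, COFF header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x2022)  # AMD64, 0 sections
    return bytes(dos) + b"PE\0\0" + coff


def _constructed_truncated() -> bytes:
    """Constructed: MZ header whose e_lfanew points far beyond the file's end."""
    buf = bytearray(0x40)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x1000)
    return bytes(buf)


# Constructed sample set (names and contents are illustrative, not real files).
CONSTRUCTED_FILES = {
    "evil.regtrans-ms": _constructed_pe(),          # PE hiding behind a log extension
    "legit.dll": _constructed_pe(),                 # PE where a PE is expected
    "registry.regtrans-ms": b"\x00" * 512,          # opaque non-PE data, as expected
    "truncated.regtrans-ms": _constructed_truncated(),
}

if __name__ == "__main__":
    for name, verdict in scan_files(CONSTRUCTED_FILES).items():
        print(f"{name}: {verdict}")
```

A real triage would add a hash of the flagged file and its size, which is also what the staff member asked for in the thread.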

Oh OK, yeah, interesting. I sort of know what you mean, because I messed around with remote access trojans ages ago in a virtual machine and you can put them in pictures and music files etc. It would always get detected by my antivirus and on virustotal.com. I've also looked a little into how to take advantage of software exploits and bypassing firewalls etc., but it requires a lot more in-depth research. It is good to know these things to protect yourself against hacks.

