snowye

Windows 10 upgrade Trojan.MalPack.Generic?


Hi, I ran a full scan tonight and found Trojan.MalPack.Generic in the Windows 10 upgrade hidden folder. Could it possibly be that Microsoft is packing trojans into Windows 10 now?

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 14/01/2016
Scan Time: 9:41 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.14.03
Rootkit Database: v2016.01.09.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User:

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 599128
Time Elapsed: 1 hr, 51 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.MalPack.Generic, C:\$Windows.~BT\Sources\SafeOS\SafeOS.Mount\Windows\System32\config\SOFTWARE{c7a35740-26e2-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms, Quarantined, [cdbe54e5c4d5b1853079114dfe0352ae],

Physical Sectors: 0
(No malicious items detected)


(end)

 


Hello, 

 

If you can, please de-quarantine the file & zip/post a copy of it so we can prevent this in the future.

 

Thanks!


I was going to try to get a copy of the file to attach, but it seems Malwarebytes deleted the file rather than quarantining it. I cannot see it in quarantine and it is no longer in the folder. You can't copy, edit or delete files in the folder.


Interesting... has this folder been on your machine for a while, & do you have System Restore enabled?

 

No - no need to do a system restore, but looking to be able to recover the file using the "restore previous versions" function.... there might be a copy of it in your shadow copies.

I am doing an update now that will fix this, so please wait until I tell you it's released; then we can look for the file.

Otherwise MBAM will keep nuking the file on you..

About 10 minutes wait...


2016.01.14.05 is released. It will likely be a couple of minutes before you get the update.

You might need to shut down & restart MBAM to apply the new defs.

Once you have the new defs, go to this folder:
C:\$Windows.~BT\Sources\SafeOS\SafeOS.Mount\Windows\System32
Right click "config" & select "restore previous versions"

New window opens with a list of previous versions of this folder.

Select yesterday's or the newest date listed & choose "open"

This opens a new (read only) copy of that folder.

Select "SOFTWARE{c7a35740-26e2-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" & copy the file out somewhere you can access it.

Please zip it & attach here.

If you cannot, please note the size of the file & let me know.

 

Thanks!


There is no previous version, sorry. I also had to go to \\localhost\c$\ to even get the option for previous versions in Windows File Explorer. There was no option to begin with to check for previous versions; you might have to replicate the download for the Windows 10 update to grab the file for inspection, as I cannot restore the file.


So I got the file out of my image I made with Acronis True Image in July last year. I am not sure if it will be the same version or not; I am not sure if the file would have been updated since. Hopefully it helps. Cheers. File.zip


Hello,

 

Thanks so much for trying here :)

This one seems to be different from the one you had detected (as far as file name goes), but it is what I would expect to see from this type of file.

I couldn't reproduce the detection though.


I noticed after I uploaded it that it was different; I think it's just a different version. I'm not totally sure how it would help even if you could reproduce it. I can't get hold of the file though, sorry, tried my best. It's interesting even if it was a false positive though, since a lot of people don't trust Windows 10 because of its privacy issues, so I did want to try to help and maybe the Malwarebytes team could have looked deeper into the file.


It may have been Windows itself that deleted the file...

 

These files are dynamically created then deleted by Windows itself.

Because of this, each time you see these, they will be different.

 

Whenever there are any changes made to the Windows registry (Vista/Windows 7), Windows creates these regtrans-ms files, then after a bit they are deleted by Windows itself.

It is an inbuilt protection against registry corruption.

The strange thing is they are not even executable files (like dll, exe, sys, etc. files are), so this should never have been detected unless it was really a dll or something faking itself as something else.

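The point made above, that a regtrans-ms file is registry transaction data rather than code, suggests a check a defender can run when a scanner flags such a file: look at the bytes, not the name. The script below is an added example written for this thread, not Malwarebytes code and not from any of the posts. It decides whether a file carries a Windows PE image by validating the DOS header's e_lfanew pointer and the "PE\0\0" signature at the offset it names, then compares that against the file's extension. The sample paths, the placeholder GUID and all byte strings are constructed; the only layout relied on is the documented DOS/PE header.

```python
"""
Header check for "data" files that might really be Windows executables.

Added example for this thread, not Malwarebytes code. The regtrans-ms file
from the log is gone, so the samples below are constructed bytes; the only
layout relied on is the documented DOS/PE header (e_lfanew at offset 0x3C,
"PE\\0\\0" signature at the offset it points to).
"""
import ntpath
import os
import struct
import tempfile

# Extensions that Windows loads as native code. A PE image under any other
# extension is the "dll faking itself as something else" case from the thread.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx",
                         ".cpl", ".drv", ".efi", ".mui"}


def is_pe_image(header: bytes) -> bool:
    """True when header starts with a DOS stub whose e_lfanew points at "PE\\0\\0"."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    if e_lfanew + 4 > len(header):
        return False  # the claimed signature lies beyond the bytes we have
    return header[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_masquerading(path: str, header: bytes) -> bool:
    """True when a PE image sits behind a non-executable extension."""
    ext = ntpath.splitext(path)[1].lower()  # ntpath: Windows paths on any host
    return is_pe_image(header) and ext not in EXECUTABLE_EXTENSIONS


def check_file(path: str, nbytes: int = 4096) -> bool:
    """Read the start of a real file and apply is_masquerading()."""
    with open(path, "rb") as fh:
        return is_masquerading(path, fh.read(nbytes))


def find_masquerades(samples: dict) -> list:
    """Sorted names of samples whose content contradicts their extension."""
    return sorted(name for name, data in samples.items()
                  if is_masquerading(name, data))


def build_fake_pe_header() -> bytes:
    """Constructed 68-byte DOS header + PE signature; not a loadable binary."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> byte 0x40
    return bytes(dos) + b"PE\0\0"


# Constructed sample names; the GUID is a placeholder, not the one from the log.
REGTRANS_BENIGN = r"C:\constructed\SOFTWARE{placeholder-guid}.TMContainer00000000000000000001.regtrans-ms"
REGTRANS_DISGUISED = r"C:\constructed\SOFTWARE{placeholder-guid}.TMContainer00000000000000000002.regtrans-ms"
DLL_NAME = r"C:\constructed\Windows\System32\sample.dll"
TXT_NAME = r"C:\constructed\notes.txt"

SAMPLES = {
    REGTRANS_BENIGN: b"\x00" * 256,                  # plain data: nothing to see
    REGTRANS_DISGUISED: build_fake_pe_header(),      # PE image behind a data name
    DLL_NAME: build_fake_pe_header(),                # PE image where one belongs
    TXT_NAME: b"MZ" + b"\x00" * 100,                 # "MZ" but no PE signature
}


def demo_tempfile_check() -> bool:
    """Write the fake PE header to a temporary .regtrans-ms file and run check_file()."""
    fd, path = tempfile.mkstemp(suffix=".regtrans-ms")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(build_fake_pe_header())
        return check_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("SUSPECT" if is_masquerading(name, data) else "ok     ", name)
    print("temp file check:", demo_tempfile_check())
```

A real regtrans-ms container should not pass is_pe_image(), so a detection on one is either a signature false positive (which the database update in this thread suggests) or a file that is not what its name says; running this check on a copy before the scanner quarantines or deletes the file separates the two cases and keeps the evidence.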

Oh ok, yeah, interesting. I sort of know what you mean because I messed around with remote access trojans ages ago in a virtual machine and you can put them in pictures and music files etc. It would always get detected by my antivirus and on virustotal.com. I've also looked a little into how to take advantage of software exploits and bypassing firewalls etc., but it requires a lot more in-depth research. It is good to know these things to protect yourself against hacks.
