Hello,

I wasn't exactly sure where it was appropriate to post this, but I believe I have stumbled upon a false positive. Upon booting my PC, MBAM's daily scan informed me of a Trojan.Kovter in AppData\Local\Temp. In response to this, I ran a deeply thorough scan using MBAM, HitmanPRO, FRST, and FSS with no detections. I also went back and verified the processes running in Process Explorer, since I regularly check what's running on my machine anyway. Nothing about my computer use has been out of the ordinary for this to occur, so I have hypothesized two possible scenarios: A) a false positive; B) WinRAR's license advertisements have delivered a successful payload. Scenario B sounds highly unlikely since this has been an ongoing thing for some time and I have yet to notice anything outside the ordinary.

The following is enclosed with this post:

  • HitmanPRO: Default Scan log; free one-time scan.
  • FRST: The FRST.txt and Addition.txt
    • The following parameters have generated this log:
      • Whitelist:
        • Drivers
        • Internet
        • Processes
        • Registry
        • Services
      • Optional Scan:
        • Addition.txt
        • List BCD
        • 90 Days Files
  • FSS: FSS.txt
    • The following parameters have generated this log:
      • RpcSs and PlugPlay
      • Internet Services
      • Security Center/Action Center
      • System Restore
      • Windows Defender
      • Other Services
  • MBAM: The initial log which triggered the alert, the thorough scan conducted thereafter, and the latest real-time protection logs against the IPs displaying the advertisements (I have others from previous instances of when I used WinRAR, but as I mentioned, up until now it has been benign). For all of the above (MBAM) logs, I have included both the text and XML formats of said logs.

I was going to also upload the file in question to VirusTotal as an additional verification, but I decided against it due to the ambiguity of its threat status.

Logs.7z

Staff

Hard to say without the file. From the def and hit in the temp directory I don't think it's a FP.

If you can either zip and upload the file here or give me a VirusTotal link I can check further.

14 minutes ago, shadowwar said:

Hard to say without the file. From the def and hit in the temp directory I don't think it's a FP.

If you can either zip and upload the file here or give me a VirusTotal link I can check further.

The file is enclosed with this post.

Edited by shadowwar

1 minute ago, shadowwar said:

Not a FP. This is definitely Kovter.

Nice to see we caught it :)

Appreciate it!

Any further recommendations to make sure this is gone for good and there are no remaining remnants?

Staff

I would recommend maybe having the computer checked in our malware removal forum just to be 100% sure. The FRST log looked clean to me though.

Edited by shadowwar

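As an added example (not code from the thread, the poster, or Malwarebytes, and no substitute for having the FRST/MBAM logs reviewed), here is a PowerShell triage script for the "any remnants left?" question above. It lists executable files left in the user's Temp folder with SHA256 hashes, the Run/RunOnce autostart values, and scheduled task actions, and marks commands that launch from Temp/AppData or through a script host for manual review. Those flag patterns are a generic heuristic chosen for this example, an assumption, not indicators taken from this thread.

```powershell
# Added example for this thread, not code from Malwarebytes or the poster.
# Quick remnant triage after a detection in %TEMP%: executable files left in
# the user's Temp folder, Run/RunOnce autostart values, and scheduled task
# actions. $suspect is a generic heuristic (an assumption), not an indicator
# from the thread; review anything flagged by hand and check hashes on
# VirusTotal or in a sandbox. Run from an elevated PowerShell prompt.

$suspect = 'Temp|AppData|mshta|wscript|cscript|powershell|rundll32|regsvr32'
$exts    = '*.exe','*.dll','*.scr','*.js','*.vbs','*.ps1','*.bat','*.cmd','*.hta'

function Get-TempExecutables {
    param([int]$Days = 90)
    Get-ChildItem -Path $env:TEMP -Recurse -Include $exts -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
      ForEach-Object {
          $h = Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue
          [PSCustomObject]@{
              Path          = $_.FullName
              LastWriteTime = $_.LastWriteTime
              SizeBytes     = $_.Length
              SHA256        = if ($h) { $h.Hash } else { 'n/a' }
          }
      }
}

function Get-RunKeyEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # skip the provider metadata properties Get-ItemProperty adds
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            [PSCustomObject]@{
                Source  = $key
                Name    = $p.Name
                Command = [string]$p.Value
                Flag    = if ([string]$p.Value -match $suspect) { 'REVIEW' } else { '' }
            }
        }
    }
}

function Get-TaskActions {
    # Get-ScheduledTask exists on Windows 8 / Server 2012 and later
    if (-not (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue)) { return }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # non-exec actions (e-mail, message) have no Execute
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            [PSCustomObject]@{
                Source  = "$($task.TaskPath)$($task.TaskName)"
                State   = $task.State
                Command = $cmd
                Flag    = if ($cmd -match $suspect) { 'REVIEW' } else { '' }
            }
        }
    }
}

"== Executable files under $env:TEMP (last 90 days) =="
Get-TempExecutables | Format-Table -AutoSize

"== Run / RunOnce values (REVIEW = launches from Temp/AppData or via a script host) =="
Get-RunKeyEntries | Sort-Object Flag -Descending | Format-Table -AutoSize

"== Scheduled task actions =="
Get-TaskActions | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A REVIEW flag is only a prompt to look closer; plenty of legitimate software starts from AppData or uses powershell.exe in a task. The point is to have every autostart command and every leftover Temp executable in one list, with hashes, so anything unfamiliar can be submitted for a second opinion rather than guessed at.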
1 minute ago, shadowwar said:

I don't think it got a chance to do anything because it was stopped in the temp directory by the protection module. The FRST log looked clean to me.

This most likely came from an exploit ad on some web page or related.

Would recommend installing and using Malwarebytes Anti-Exploit. That would have stopped it from even downloading.

Funny you mention that, I've been using MBAE for some time now with all shields on by default. In fact, it's running right now. Does MBAE treat web pages generated by applications as a browser or would that require premium?

Staff

I realized that after looking at your log again.

Since there is no other evidence, MBAE probably caught it at a later step and stopped its execution.

You can ask that question in the MBAE forum. I honestly don't know. I imagine premium can add a shield for that app.

7 minutes ago, shadowwar said:

I realized that after looking at your log again.

Since there is no other evidence, MBAE probably caught it at a later step and stopped its execution.

You can ask that question in the MBAE forum. I honestly don't know. I imagine premium can add a shield for that app.

Thanks again for your help!
