Tigoji

Trojan detected on my official Windows10 USB Key


Hi. 

I have a problem to submit.

I tried to format my PC via my USB Key (official Windows10 USB Key) but it's impossible. To be sure, I started an antivirus analysis on it.

Malwarebytes detected a Trojan: Trojan.Agent.UKED in D:\x64\SOURCES\WIN32UI.DLL

I wonder if it's a false positive and if this trojan can prevent me from formatting.

Meanwhile, I started an analysis on VirusTotal. Out of 67 antiviruses, 3 found something wrong:

Malwarebytes: Trojan.Agent.UKED
TheHacker: W32/Behav-Heuristic-CorruptFile-EP
Trapmine: malicious.moderate.ml.score

Thanks in advance for your answers.

 


Think I found the file on virustotal. 
We're looking into it.
First glance the file looks to be corrupt & I question its ability to be executed by Windows if you did successfully re-install the OS.


Hello,

Thanks for helping me.

Here is the link:

https://www.virustotal.com/#/file/0a018c106d75bf5ce66730bab32723f88824307e1c578157ceeb338761bfd001/detection

 

 

 

 


Clarification: I didn't manage to re-install Windows. Each time I tried, I got this message: "Windows failed to start a recent hardware or software change might be the cause windows 10" Status: 0xc0000225


Indeed that was the same file I found in search. Thanks.

Think I found the file that is known clean/non corrupt for comparison.
Compare the "details" with this one:
https://www.virustotal.com/#/file/ab9047b9e8ed56e76609458da89ac641eb2a9fa90c8ea02c031e32ceaa378be9/details

Notice how VT can pull up version info, digital signature, Sections and all that. For your file from the link you posted, it cannot.

How did this USB get created? I'm curious because the rule that is hitting on your file is a few years old & first time we are seeing it reported & I am interested in how that file got mangled.
Is there a site you can direct me to that you used to help with creating this USB?

 

Thanks

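The comparison suggested in the post above (the clean file exposes version info, a signature and sections, the flagged one does not) can be approximated locally. This is an added example, not part of the thread and not Malwarebytes' or VirusTotal's code; `pe_triage` and `build_sample_pe` are hypothetical names, and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

def pe_triage(data: bytes) -> dict:
    """Hash a file and check that its PE headers and section table are coherent."""
    rep = {"sha256": hashlib.sha256(data).hexdigest(), "valid_pe": False,
           "reason": "", "sections": [], "has_cert_table": False}
    def fail(why):
        rep["reason"] = why
        return rep
    if len(data) < 0x40 or data[:2] != b"MZ":
        return fail("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return fail("e_lfanew does not point at a PE signature")
    # COFF header: Machine, NumberOfSections, 3 dwords, SizeOfOptionalHeader, flags
    _, n_sec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    sec_off = opt_off + opt_size
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        return fail("bad optional-header magic")
    if sec_off + 40 * n_sec > len(data):
        return fail("section table runs past end of file")
    # Data directories start at 96 (PE32) or 112 (PE32+); entry 4 is the
    # certificate table, whose "address" is a file offset, not an RVA.
    dd_off = opt_off + (96 if magic == 0x10B else 112)
    if dd_off + 40 <= sec_off and struct.unpack_from("<I", data, dd_off - 4)[0] > 4:
        c_off, c_size = struct.unpack_from("<II", data, dd_off + 32)
        rep["has_cert_table"] = c_size > 0 and c_off + c_size <= len(data)
    for i in range(n_sec):
        raw, _, _, size, ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        rep["sections"].append(raw.rstrip(b"\0").decode("latin-1"))
        if ptr + size > len(data):
            return fail(f"section {rep['sections'][-1]!r} raw data runs past end of file")
    rep["valid_pe"] = True
    return rep

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image with one section (not a real Windows file)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16) + bytes(128)
    sec = struct.pack("<8sIIII", b".text", 0x10, 0x1000, 0x10, 0x200) + bytes(16)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + bytes(16)

if __name__ == "__main__":
    good = build_sample_pe()
    print(pe_triage(good), pe_triage(good[:0x40] + bytes(0x1D0)), sep="\n")
```

On a real file, call `pe_triage(open(path, "rb").read())` and compare the SHA-256 and parsed fields against a known-good copy of the same file.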

I bought this USB key about 2 years ago, in a real store called Materiel.net. It's also a website.

I formatted my PC a couple of times during the past 2 years and I never had any problem with this USB key before. However, it's the first time I've run an analysis on it, precisely because I can't format anymore.


Thank you for the site info.
No, we don't believe the file to be a threat but we're still looking at it to determine why it looks like it is corrupted.
Is this the Windows 10 Home 32/64 bit USB key?


What was the file referenced in the 0xc0000225 error message you keep getting?
Not sure I want to (or can) get into a t-shooting session here, but I will throw a site at you that I found looking up that error code, which might steer you in the right direction.

https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/windows-failed-to-start-status-0xc0000225/4ea8f97e-10df-4bbb-ac0f-5402a6b164b4?auth=1

Some of the responses touch on UEFI mode. Might want to check BIOS to see if it is set up like that. According to the materiel.net site, the USB key does not support UEFI mode.


Yes, it's the Windows 10 Home 32/64 bit USB key.

I haven't mentioned it, but each time I tried to put the file in quarantine it didn't work.

About the file referenced in the 0xc0000225 error message, I don't remember; I need to check that.

I have two options for booting in UEFI: KDI-MSFTWINDOWS 10 PMAP and KDI-MSFTWINDOWS 10 PMAP. I tried both. Neither of them worked.

I'm pretty curious about the corrupted file. Let me know when you have more information about it.

Thanks a lot for the link, and the time you're taking.

 

 

 


Hello,

Can you zip/attach a couple dll or exe files from this directory on the USB drive please?
D:\x64\SOURCES\
They have to be zipped or they will be rejected here. 
It is quite possible there is some sort of encryption/protection on the USB to prevent anything else from tampering with it (including removal of files which is what MBAM was trying to do because a rule matched making it act on the file as though it were infected)
Thank you
