Jump to content

Recommended Posts

Hi all,

 

Name: Spyware.PasswordStealer.MSIL.Generic

Location: C:\Windows\Installer\80f46dc.msi

First of all, thanks in advance to anyone who helps. I know this is a password stealer, but I'm curious, is this a false positive or is it just malware - the odd thing is, I don't download anything unless it's from an official website. Questions are:

- Is this a false positive?

- If not, does this steal previous passwords (saved passwords/autofill etc) or does it only save newly entered passwords (since getting it)

- Could someone IP grab me in let's say a game, and then send me this?

Already quarantined and removed it so cannot do any logs (sorry).

 

Any information you can provide would be gratefully appreciated.

Link to post
Share on other sites

Hello Vyxno and welcome to Malwarebytes,

Continue with the following:

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Windows\Installer\80f46dc.msi
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.


Next,

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

Apologies, did not notice the file in question had been initially quarantined and secondary deleted from quarantine. MSI files are usually normal and are used in the process of installation.

The file you ask about (80f46dc.msi msi) is probably a database file that is normally used by Windows installer. The msi file will hold information relevant to an appliction, that information is devided into features and components. The components will be holding applicable files for registry data, usual application information and subsequent shortcuts used in the procedure.
The .msi file will also hold the user inferface relevant to the application to be installed, it will also have prerequisites for actions used in a specific order for the installation of the application in question.
So basically the .msi is a list of instructions used by the windows installer, without doubt such .msi files can also have malicious intent aswell as the normal legitimate intent what we expect...
As you`ve removed the .msi file we have no way checking out its intent....

The copy/paste list of scan instructions is what I always request when a system may have been exploited in anyway. If you prefer not to run those scans then I respect your decision...

Thank you,

Kevin...

Link to post
Share on other sites

4 hours ago, kevinf80 said:

Apologies, did not notice the file in question had been initially quarantined and secondary deleted from quarantine. MSI files are usually normal and are used in the process of installation.

The file you ask about (80f46dc.msi msi) is probably a database file that is normally used by Windows installer. The msi file will hold information relevant to an appliction, that information is devided into features and components. The components will be holding applicable files for registry data, usual application information and subsequent shortcuts used in the procedure.
The .msi file will also hold the user inferface relevant to the application to be installed, it will also have prerequisites for actions used in a specific order for the installation of the application in question.
So basically the .msi is a list of instructions used by the windows installer, without doubt such .msi files can also have malicious intent aswell as the normal legitimate intent what we expect...
As you`ve removed the .msi file we have no way checking out its intent....

The copy/paste list of scan instructions is what I always request when a system may have been exploited in anyway. If you prefer not to run those scans then I respect your decision...

Thank you,

Kevin...

Yeah, that's the weird thing. I haven't visited any websites outside the usual YouTube, Twitch, Amazon etc. I never click ads and don't even click hyperlinks from friends, so how it got past real-time protection but got detected in a live scan is bizarre. 

Link to post
Share on other sites

Had this happen to me. I followed KevinF80's steps and uploaded to virus total i forgot to get a link but it scanned clean through all of the engines. Although the name of Vyxno's .msi file was different from mine. Mine was named 396e66d3.msi so i dont know if this is false positive thing or something else.

Link to post
Share on other sites

13 minutes ago, Sklorton said:

Had this happen to me. I followed KevinF80's steps and uploaded to virus total i forgot to get a link but it scanned clean through all of the engines. Although the name of Vyxno's .msi file was different from mine. Mine was named 396e66d3.msi so i dont know if this is false positive thing or something else.

Thanks for the reply Sklorton - I do have more reason to believe it being a false positive as there's been no strange behaviour on my computer / none of my passwords have been changed etc (and I have nothing of value - social medias, media streaming sites etc) - posted on /r/Malwarebytes too and hopefully I get an employee to reply. Once again, thank you for your comment.

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.