
Hi,

Have a machine that was infected with ransomware. I have used EaseUS secure erase to wipe out the whole drive and reinstall Windows 10 Pro on it, and have even done a destroy partitions, format, reinstall Windows 10.


Whenever I run MBAR scan with Trend running I get these detections, even after a fresh install.

Done!
Infected: c:\users\defaultuser0\appdata\roaming\pidloc.txt --> [Trojan.Agent.Trace]
Infected: c:\google\googleupdate.a3x --> [Worm.Rowmanti]
Infected: c:\google --> [Worm.Rowmanti]
Infected: c:\skypee\googleupdate.a3x --> [Worm.Rowmanti.E]
Infected: c:\skypee --> [Worm.Rowmanti.E]
Infected: c:\users\defaultuser0\appdata\local\temp\updatea.vbs --> [Trojan.Agent.VBS]
Infected: c:\users\user\appdata\local\temp\updatea.vbs --> [Trojan.Agent.VBS]
Infected: c:\users\default\appdata\local\temp\updatea.vbs --> [Trojan.Agent.VBS]
Scan finished


If I close Trend Micro and run the scan again, these detections don't occur.

I'm not sure if this is a false positive due to Trend, or whether there actually are somehow still remnants of this malware? Even though it can't be seen in Windows Safe Mode with hidden files showing, not through Explorer or the cmd prompt, and with System Restore turned off. Tried other antivirus scanners and no pickups. Looked up cleaning Worm.Rowmanti.E and found no files or entries in the registry.

I added a second hard drive and installed Windows 10 on it and get no detections if running MBAR scan with Trend open. It's only on this NVMe SSD disk that it happens.

I'm thinking of buying a new NVMe drive to see if that matters; these detections don't occur until "Scanning Registry and Directory Data" happens in MBAR.

If this isn't a false positive, I'm thinking somehow the SSD is reporting to MBAR that these files once existed on the drive, but I would have thought a secure erase through EaseUS would have fixed that, and it hasn't. The thing is, I have Trend installed on other computers and when I run MBAR it comes back clean.


Hello @npiotrowski and welcome.

You have started this topic in the Malwarebytes Anti-Exploit (MBAE) Beta sub-forum.

Did you mean to post in the Malwarebytes Anti-Rootkit (MBAR) BETA Support sub-forum or the Malwarebytes Anti-Ransomware (MBARW) Beta sub-forum?

Thank you.

Edited by 1PW

Greetings,

It appears these may be false positives from Malwarebytes Anti-Rootkit Beta which are being caused by Trend Micro, as you suspect. Please try temporarily disabling or removing Trend to see if that makes any difference and let us know. Apologies, I just saw where you already mentioned that disabling Trend did indeed eliminate the detections.

Thanks

Edited by exile360

4 weeks later...

Hello, we use Malwarebytes and Trend Micro at my company and we have the same issue!

I do think this is a false positive, but are we sure this is a false positive? I do think it is, but is there a way to confirm 100%?

9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Worm.Rowmanti   < No action taken >     c:\google
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Worm.Rowmanti.E < No action taken >     c:\skypee
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.Trace      < No action taken >     c:\users\admin\appdata\roaming\pidloc.txt
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Worm.Rowmanti   < No action taken >     c:\google\googleupdate.a3x
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Worm.Rowmanti.E < No action taken >     c:\skypee\googleupdate.a3x
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\admin\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\default\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\usera\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\userb\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\userc\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\userd\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\usere\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\userf\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\userg\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\userh\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\users\useri\appdata\local\temp\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\windows\temp\updatea.vbs

We cannot find these files. We've scanned the system with about six different anti-virus, anti-rootkit, and anti-malware products and none of them detect anything. The only thing I can think of is that both Trend and MBAM kick off a scan at the same time and this happens.
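An added example, not code from the thread or from Malwarebytes: it parses console export lines in the layout quoted above (timestamp, host, IP, detection, action, path), collapses the per-profile temp paths so the same hit across user accounts is counted once, and then checks whether any of the reported paths actually exist on the machine running it. The sample lines are constructed from the post; the field separators are treated as either tabs or runs of spaces, since the forum flattened them.

```python
import os
import re
from collections import defaultdict

# One export line: timestamp, host, IP, detection name, action in angle
# brackets, path. Separators may be tabs or runs of spaces after pasting.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<host>\S+)\s+(?P<ip>\S+)\s+(?P<detection>\S+)\s+"
    r"(?P<action><[^>]*>)\s+(?P<path>\S.*?)\s*$"
)
# Collapse c:\users\<name>\ so identical hits in every profile group together.
PROFILE_RE = re.compile(r"^(c:\\users\\)[^\\]+\\", re.IGNORECASE)

def parse_log(text):
    """Return one dict per well-formed export line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].lower()
            rec["normalized"] = PROFILE_RE.sub(r"\1<profile>\\", rec["path"])
            records.append(rec)
    return records

def summarize(records):
    """Map detection name -> {normalized path: number of hits}."""
    summary = defaultdict(lambda: defaultdict(int))
    for rec in records:
        summary[rec["detection"]][rec["normalized"]] += 1
    return {det: dict(paths) for det, paths in summary.items()}

def present_on_disk(records):
    """Reported paths that exist right now (hidden files included); empty means none were found."""
    return sorted({r["path"] for r in records if os.path.exists(r["path"])})

# Constructed sample in the same layout as the export quoted in the post.
SAMPLE_LOG = """\
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Worm.Rowmanti   < No action taken >     c:\\google\\googleupdate.a3x
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\\users\\usera\\appdata\\local\\temp\\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\\users\\userb\\appdata\\local\\temp\\updatea.vbs
9/25/2020 12:05:29 PM   COMPUTERNAME       192.168.202.120 Trojan.Agent.VBS        < No action taken >     c:\\windows\\temp\\updatea.vbs
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for det, paths in summarize(recs).items():
        for path, hits in paths.items():
            print(f"{det:20} {hits:3}x  {path}")
    print("present on disk:", present_on_disk(recs) or "none")
```

Run it on the affected machine with the real export pasted in; an empty "present on disk" result while the scan keeps reporting the same paths is consistent with the scanner-interaction explanation given above rather than with files still on the drive.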
