Jump to content

MBAR picking up files when Trend Micro open


Recommended Posts

Hi,

Have a machine that was infected with ransomware. I have used EaseUS secure erase to wipe out the whole drive and reinstall WIndows 10 pro on it, have even done a destory partitions, format, reinstall windows 10.


Whenever I run MBAR scan with Trend running I get these detections, even after a fresh install.

Done!
Infected: c:\users\defaultuser0\appdata\roaming\pidloc.txt --> [Trojan.Agent.Trace]
Infected: c:\google\googleupdate.a3x --> [Worm.Rowmanti]
Infected: c:\google --> [Worm.Rowmanti]
Infected: c:\skypee\googleupdate.a3x --> [Worm.Rowmanti.E]
Infected: c:\skypee --> [Worm.Rowmanti.E]
Infected: c:\users\defaultuser0\appdata\local\temp\updatea.vbs --> [Trojan.Agent.VBS]
Infected: c:\users\user\appdata\local\temp\updatea.vbs --> [Trojan.Agent.VBS]
Infected: c:\users\default\appdata\local\temp\updatea.vbs --> [Trojan.Agent.VBS]
Scan finished


If i close Trend Micro and run scan again, these detections don't occur.

I'm not sure if this is a false positive due to Trend, or there actually somehow is still remnants of this malware? Even though it can't be seen in Windows Safemode, with hidden files showing, not through explorer or the cmd prompt, system restore turned off. Tried other Antivirus scanners and no pickups. Looked up cleaning Worm.Rowmanti.E and no files or entries in registry.

I added a second hard drive and installed Windows 10 on it and get no detections if running MBAR scan with Trend open. It's only on this NVMe SSD disk that it happens.

I'm thinking of buying a new nvme drive to see if that matters, these detections don't occur until Scanning Registry and Directory Data happen in MBAR.

If this isn't a false positive, I'm thinking somehow the SSD is reporting to MBAR that these files once existed on the drive but would have thought a secure erase through EaseUS would of fixed that but it hasn't. The thing is I have Trend installed on other computers and when run MBAR it come back clean.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...