Avast WEBforum

Other => Viruses and worms => Topic started by: hemistud71 on May 11, 2018, 06:43:44 PM

Title: IDP.ALEXA.51
Post by: hemistud71 on May 11, 2018, 06:43:44 PM
IDP.ALEXA.51, fileless malware. Infected file: powershell.exe. Location: C:\WINDOWS\SysWOW64\WindowsPowershell\v1.0

This is in my virus chest 8 times in the last month.  I never get any notifications of an infection or anything.  I just happened to look in the virus chest.

I have read a lot on this supposed trojan horse on websites, including AVG and avast. Is this a false positive?
Title: Re: IDP.ALEXA.51
Post by: ApoC on May 14, 2018, 01:42:48 PM
Hello, I am not able to say if it is a TP or a FP detection based on the information you supplied. Can you please upload the removal.log and detection2.log from C:\ProgramData\AVAST Software\Avast\log.

Also, for the given detection name a detection dialog waiting for user action must always be shown, unless you configure it otherwise in the settings.

Thank You.
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 16, 2018, 07:22:35 PM
removal.log attached. There isn't a detection2.log or any detection log.
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 16, 2018, 07:27:33 PM
How about idpdection2.log?  It's attached. 
Title: Re: IDP.ALEXA.51
Post by: ApoC on May 17, 2018, 02:07:22 PM
Hello,

You are actually infected with fileless malware. It looks like you are on version 18.3, which is not able to completely remove the malware's persistence point and only stops the malware execution. I suggest you upgrade to 18.4, where we improved removal of malicious LNK files. If the problem persists, please send me the output of this utility https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and I can guide you through the malware persistence removal.
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 17, 2018, 04:19:26 PM
OK, it updated to 18.4 this morning. I am running a full scan now.

I did download and run Malwarebytes and it did detect and quarantine fileless malware in the registry. Log file is attached.
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 17, 2018, 05:47:11 PM
Probably because I ran Malwarebytes first, the Avast full scan was clean. I ran the autoruns program, but I could not attach the data file as it is too large.
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 17, 2018, 06:33:22 PM
Update: Ran rkill and it didn't find any malware to stop. Ran HitmanPro 3.8 and it found only PUPs but no malware. Just ran Emsisoft Emergency Kit and it found Trojan.Kovter and some PUPs. I quarantined them. Log is attached.
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 21, 2018, 01:29:09 PM
I refreshed autoruns and compared it to the one from last week, and C:/windows/system/notifier.exe is the only new autorun. I read that it can be malware.
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 21, 2018, 07:56:48 PM
Laptop still acting up, but none of the antimalware tools are finding anything. So I downloaded ZEMANA and it found trojan.kovter. This time it was in
C:\useres\hemis\appdata\local\nbib\xbeqcep.lnk
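As an added example (not code from Avast, ApoC, or anyone in this thread) of how a defender can check the LNK persistence point ApoC describes and the AppData shortcut reported above: a small parser for the MS-SHLLINK shortcut format that reads a .lnk file's target path and command-line arguments, then flags shortcuts that launch powershell.exe or a similar script host. The shortcut builder is a constructed test input, and the host list and argument tokens are my own assumptions about what is worth flagging.

```python
import struct
from pathlib import PureWindowsPath

# MS-SHLLINK LinkFlags bits used below
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Assumption: script hosts that a shortcut sitting in a user's AppData should rarely launch
HOST_BINARIES = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "cmd.exe"}

def parse_lnk(data: bytes) -> dict:
    """Return the local target path and StringData fields of a .lnk blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, target = 76, ""
    if flags & HAS_IDLIST:  # skip LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        size, _, info_flags, _, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + base_off
            target = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += size
    fields = {"target": target}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                       (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        fields[name] = ""
        if flags & flag:  # StringData: 2-byte char count, no terminator
            n = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + n * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n * width
    return fields

def is_suspicious(lnk: dict) -> bool:
    """Flag shortcuts that launch a script host or pass it a hidden/encoded command line."""
    host = PureWindowsPath(lnk["target"]).name.lower()
    args = lnk["arguments"].lower()
    return host in HOST_BINARIES or any(t in args for t in ("-enc", "-w hidden", "-windowstyle hidden", "javascript:"))

def build_sample_lnk(target: str, arguments: str) -> bytes:
    """Constructed test input (hypothetical): minimal LNK with a LinkInfo local path and arguments."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, HAS_LINKINFO | HAS_ARGS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    path = target.encode("latin-1") + b"\x00"
    info = struct.pack("<IIIIIII", 28 + len(path), 28, 0x1, 0, 28, 0, 27 + len(path)) + path
    return header + info + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

On a real machine, feed `parse_lnk` the bytes of each `*.lnk` found under the user's AppData and Startup folders and review everything `is_suspicious` returns before deleting it.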
Title: Re: IDP.ALEXA.51
Post by: ApoC on May 21, 2018, 08:39:09 PM
Hi,

Is the detection still appearing in AVAST!? I can't help you with other products.

Best regards.
Title: Re: IDP.ALEXA.51
Post by: PDI on May 22, 2018, 10:21:01 AM
Hi hemistud71,

Can you send us the new autoruns output, please?

Thanks,
PDI
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 22, 2018, 01:41:31 PM
How do I convert an arn file so I can post it here? Can't post the wrong file type, and it's too large as well.
Title: Re: IDP.ALEXA.51
Post by: Asyn on May 22, 2018, 01:48:17 PM
How do I convert an arn file so I can post it here? Can't post the wrong file type, and it's too large as well.
You can upload your file(s) here: ftp://ftp.avast.com/incoming/
Pick a unique name (and post it here), so the devs can find it. Thanks
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 22, 2018, 02:12:08 PM
I found out how to export in cmd. If that's not enough I can post the file to the link.
Title: Re: IDP.ALEXA.51
Post by: PDI on May 22, 2018, 09:36:45 PM
Hi hemistud71,

Please share the arn file via ftp.

Thanks a lot,
PDI
Title: Re: IDP.ALEXA.51
Post by: hemistud71 on May 23, 2018, 03:15:40 PM
Yesterday's autoruns: it's hemistud71.zip, pwd: virus. Autoruns from today: hemistud71b.zip
Title: Re: IDP.ALEXA.51
Post by: PDI on May 28, 2018, 02:01:35 PM
Hi,

I checked the file and I don't see anything wrong now.

Regards,
PDI