Author Topic: IDP.ALEXA.51  (Read 19514 times)

0 Members and 1 Guest are viewing this topic.

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
IDP.ALEXA.51
« on: May 11, 2018, 06:43:44 PM »
IDP.ALEXA.51  fileless malware   infected file: powershell.exe  location:  C:\WINDOWS\SysWOW64\WindowsPowershell\v1.0

This is in my virus chest 8 times in the last month.  I never get any notifications of an infection or anything.  I just happened to look in the virus chest.

I have read a lot on this supposed trojanhorse on websites, including AVG and avast.  Is this a false positive? 

Offline ApoC

  • Avast team
  • Jr. Member
  • *
  • Posts: 29
Re: IDP.ALEXA.51
« Reply #1 on: May 14, 2018, 01:42:48 PM »
Hello, I am not able to say if it is TP a FP detection based on the informations you supplied. Can you please upload the removal.log and detection2.log from C:\ProgramData\AVAST Software\Avast\log.

Also by the given detection name there must be always shown detection dialog waiting for user action unless You configure it in setting otherwise.

Thank You.

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
Re: IDP.ALEXA.51
« Reply #2 on: May 16, 2018, 07:22:35 PM »
removal.log attached.  There isn't a detection2.log or any detection log

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
Re: IDP.ALEXA.51
« Reply #3 on: May 16, 2018, 07:27:33 PM »
How about idpdection2.log?  It's attached. 

Offline ApoC

  • Avast team
  • Jr. Member
  • *
  • Posts: 29
Re: IDP.ALEXA.51
« Reply #4 on: May 17, 2018, 02:07:22 PM »
Hello,

You are actually infected with fileless malware. It looks like You are on 18.3 version which is not able to completely remove persistence point of the malware and stopping only the malware execution. I suggest You to upgrade to 18.4 where we improved removing of malicious LNK files. If the problem persists please send me the output of this utility https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and I can guide you through the malware persistence removal.
« Last Edit: May 17, 2018, 02:22:46 PM by ApoC »

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
Re: IDP.ALEXA.51
« Reply #5 on: May 17, 2018, 04:19:26 PM »
Ok it update to 18.4 this morning.  I am running a full scan now. 

I did download and run malwarebytes and it did detect and quarantine fileless malware in the registry.  Log file is attached.

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
Re: IDP.ALEXA.51
« Reply #6 on: May 17, 2018, 05:47:11 PM »
Probably because I ran malwarebytes first,  the Avast full scan was clean.  I ran the autoruns program, but I could not attach the data file as it is too large. 

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
Re: IDP.ALEXA.51
« Reply #7 on: May 17, 2018, 06:33:22 PM »
pdate:  Ran rkill and it didn't find any malware to stop.  Ran hitmanpro3.8 and it found only PUPS but no malware.  Just ran Emisoft Emergency kit and it found Trojan.Kovter and some pups. I quarantined them.   Log is attached. 

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
Re: IDP.ALEXA.51
« Reply #8 on: May 21, 2018, 01:29:09 PM »
I refreshed autoruns and compared to one from last week and C:/windows/system/notifier.exe is the only new autorun.  I read that it can be malware. 

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
Re: IDP.ALEXA.51
« Reply #9 on: May 21, 2018, 07:56:48 PM »
Laptop still acting up, but none of the antimalware are finding anything.  So I downloaded ZEMANA and it found trojan.kovter.  This time it was in
C:\useres\hemis\appdata\local\nbib\xbeqcep.lnk

Offline ApoC

  • Avast team
  • Jr. Member
  • *
  • Posts: 29
Re: IDP.ALEXA.51
« Reply #10 on: May 21, 2018, 08:39:09 PM »
Hi,

is the detection still appearing in AVAST!? I can't help you with other products.

Best regards.
« Last Edit: May 22, 2018, 09:35:50 AM by ApoC »

Offline PDI

  • Avast team
  • Full Member
  • *
  • Posts: 159
Re: IDP.ALEXA.51
« Reply #11 on: May 22, 2018, 10:21:01 AM »
Hi hemistud71,

can you send us the new autoruns output, please?

Thanks,
PDI

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
Re: IDP.ALEXA.51
« Reply #12 on: May 22, 2018, 01:41:31 PM »
How do I convert arn file so I can post it here?   Can't post wrong file type and too large as well. 

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: IDP.ALEXA.51
« Reply #13 on: May 22, 2018, 01:48:17 PM »
How do I convert arn file so I can post it here?   Can't post wrong file type and too large as well.
You can upload your file(s) here: ftp://ftp.avast.com/incoming/
Pick a unique name (and post it here), so the devs can find it. Thanks
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline hemistud71

  • Jr. Member
  • **
  • Posts: 26
Re: IDP.ALEXA.51
« Reply #14 on: May 22, 2018, 02:12:08 PM »
I found our how to export in cmd.  If that's not enough I can post file to link.
« Last Edit: May 22, 2018, 02:18:18 PM by hemistud71 »