IDP.ALEXA.51

IDP.ALEXA.51 fileless malware infected file: powershell.exe location: C:\WINDOWS\SysWOW64\WindowsPowershell\v1.0

This is in my virus chest 8 times in the last month. I never get any notifications of an infection or anything. I just happened to look in the virus chest.

I have read a lot on this supposed trojan horse on websites, including AVG and Avast. Is this a false positive?

Hello, I am not able to say if it is a TP or FP detection based on the information you supplied. Can you please upload the removal.log and detection2.log from C:\ProgramData\AVAST Software\Avast\log.

Also, with the given detection name a detection dialog waiting for user action must always be shown, unless You configure it otherwise in the settings.

Thank You.

removal.log attached. There isn’t a detection2.log or any detection log.

How about idpdection2.log? It’s attached.

Hello,

You are actually infected with fileless malware. It looks like You are on version 18.3, which is not able to completely remove the persistence point of the malware and only stops the malware execution. I suggest You upgrade to 18.4, where we improved the removal of malicious LNK files. If the problem persists, please send me the output of this utility https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and I can guide you through the malware persistence removal.

Ok, it updated to 18.4 this morning. I am running a full scan now.

I did download and run Malwarebytes and it did detect and quarantine fileless malware in the registry. Log file is attached.

Probably because I ran Malwarebytes first, the Avast full scan was clean. I ran the Autoruns program, but I could not attach the data file as it is too large.

Update: Ran RKill and it didn’t find any malware to stop. Ran HitmanPro 3.8 and it found only PUPs but no malware. Just ran Emsisoft Emergency Kit and it found Trojan.Kovter and some PUPs. I quarantined them. Log is attached.

I refreshed Autoruns and compared to one from last week, and C:/windows/system/notifier.exe is the only new autorun. I read that it can be malware.

Laptop still acting up, but none of the antimalware tools are finding anything. So I downloaded Zemana and it found Trojan.Kovter. This time it was in
C:\useres\hemis\appdata\local\nbib\xbeqcep.lnk
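As an added example, not code from this thread or from Avast: the persistence point above is a .lnk file under the user's AppData\Local, and the 18.4 post talks about removing malicious LNK files. The following PowerShell triage script lists every .lnk in the user-writable locations where such a persistence shortcut would typically sit, resolves what each actually launches, and flags the ones pointing at a script host or at a non-executable in AppData. The scan roots and the regexes are my assumptions; a flagged entry is a lead to compare against the Autoruns export, not a verdict.

```powershell
# Added example (not from the thread): resolve .lnk targets in user-writable
# locations and flag shortcuts that launch a script host or a non-.exe payload.
# Assumption: run in the profile of the affected user; roots below are assumed.
$shell = New-Object -ComObject WScript.Shell

$roots = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:LOCALAPPDATA",
    "$env:APPDATA"
)

# Interpreters that a shortcut rarely needs to point at for legitimate reasons
$scriptHosts = 'powershell\.exe|mshta\.exe|wscript\.exe|cscript\.exe|cmd\.exe|regsvr32\.exe|rundll32\.exe'
# Argument patterns typical of hidden or encoded script launches
$badArgs = '-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|javascript:|vbscript:'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)   # parses the .lnk, does not run it
        $target  = $lnk.TargetPath
        $lnkArgs = $lnk.Arguments

        # Flag: script-host target, suspicious arguments, or a target inside
        # LOCALAPPDATA that is not a plain .exe (e.g. a .bat/.vbs dropped beside the lnk)
        $suspicious = ($target -match $scriptHosts) -or
                      ($lnkArgs -match $badArgs) -or
                      ($target -and ($target -like "$env:LOCALAPPDATA\*") -and ($target -notmatch '\.exe$'))

        [pscustomobject]@{
            Suspicious = $suspicious
            Lnk        = $_.FullName
            Target     = $target
            Arguments  = $lnkArgs
            Modified   = $_.LastWriteTime
        }
    }
}

# Suspicious entries first; keep the full list so a legitimate shortcut can be recognised
$findings | Sort-Object Suspicious, Modified -Descending | Format-Table -AutoSize -Wrap
```

Cross-check a flagged path against the "Logon" and "Scheduled Tasks" tabs of the Autoruns output before removing it, since the shortcut is usually only the launcher for a registry or task entry that also needs cleaning.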

Hi,

Is the detection still appearing in AVAST!? I can’t help you with other products.

Best regards.

Hi hemistud71,

Can you send us the new Autoruns output, please?

Thanks,
PDI

How do I convert the .arn file so I can post it here? Can’t post the wrong file type, and it is too large as well.

You can upload your file(s) here: ftp://ftp.avast.com/incoming/
Pick a unique name (and post it here), so the devs can find it. Thanks.

I found out how to export in cmd. If that’s not enough I can post the file to the link.

Hi hemistud71,

Please share the .arn file via FTP.

Thanks a lot,
PDI

Yesterday’s Autoruns: hemistud71.zip (pwd: virus). Autoruns from today: hemistud71b.zip

Hi,

I checked the file and I don’t see anything wrong now.

Regards,
PDI