Windows 10: WD bogus notification: malware detected and cleaned

Hello.

I received a notification today from WD (at the notifications area) stating that "malware detected and is being cleaned". Funny enough I checked WD history and nothing was found there. I clicked on the notification and nothing was shown there either.

What gives? *Confused

I have been scanning several folders (browsers cache, appdata and so on, as well as a quick test) with WD but my system seems to be pretty clean. Could it be that Steam was opened when I got that notification?

:)

 

where are quarantined files kept?

"I turned off WD, compiled the file and will up load it then turn WD back on."

I uploaded the file and the Microsoft Malware Protection Center has verified that it is not malware: "The submitted file is Clean.

I hope this means that when I make another small change it won't get flagged as malware, time will tell.

Jim

 

WD Detects Trojan:Win32/Derbit.A But Cannot Remove Due to Error 0x80508023

Two days ago, my main AV program, Malwarebytes Premium, continuously reported its blocking of hundreds of outbound attempts to connect to a malicious website using the process msiexec.exe. However, Malwarebyte's scan of my PC reported no threats. That evening,
Windows Defender (WD) ran its daily scheduled scan and reported it detected and quarantined Trojan:Win32/Wammuras.C!cl. I chose to delete the virus in quarantine and then rebooted my PC.

This put an end to Malwarebytes notifications of attempts to connect to a malicious website. However, I then got a Windows notification that malware had been detected and Windows Defender (WD) was removing it. When I opened WD, and looked under "All Detected
Items", it listed a new detected item "Trojan:Win32/Derbit.A" with an action "Quarantined". However, below that was the message: "The following error occurred: Error code 0x80508023. The program could not find the malware and other potentially unwanted software
on this computer." I did look under "Quarantined Items" and nothing was there.

I now get the "Trojan:Win32/Derbit.A" detection everytime I start my computer followed by the 0x80508023 error code in WD. Running a subsequent full scan with WD always reports no threats detected. The same thing happens with any subsequent Malwarebytes
scans. As a further precaution, I downloaded a trial copy of Kaspersky Premium and ran its full scan. Again, no threats were detected. Most recently, I discovered the offline scan capability of WD and ran that. It made no difference.

I have not noted any unusual behavior with my PC since WD began reporting the Trojan Win32/Derbit.A. There has been no deterioration in gaming or browser performance and there has been no unwanted pop-ups or browser redirections. Am I potentially receiving
false positives or am I dealing with a very sophisticated malware that can elude the removal attempts by WD? Any suggestions for next steps would be appreciated.

 

Hi.
I don't think Steam would cause that.
I would run ADWCleaner just to be sure there's not something on the system that Defender is having trouble with. Please make sure all programs are closed as it will require a reboot if there is anything to "clean". If it does indeed find something, please post the log here for us to have a look. C:\AdwCleaner\AdwCleaner.txt

 

I already ran AdwCleaner. Nothing found.

Could it be that the notification system itself is wonky? Sometimes I get the "ding" sound from notification area but nothing is found there. I mean, sometimes Windows10 makes that sound without reason.

But then again, the message "malware found and being cleaned" was clearly there in this case.

 

Good!

I've had that happen a couple of times myself. Not sure what it was all about either - no notifications anywhere.

That is suspicious indeed. Have a look here and see if there's anything (this is supposed to be where Defender puts the quarantine):
Code: C:\ProgramData\Microsoft\Windows Defender\LocalCopy[/quote]

 

See if this sheds any light on the subject.

PowerShell (run as administrator)
Get-MpThreatDetection
Get-MpThreat
Use PowerShell to See What Windows Defender Detected | Hey, Scripting Guy! Blog

There were no results when I ran them on my machine.
And this details WD events

Troubleshoot Windows Defender in Windows 10 (Windows 10)

 

@Simrick

The folder C:\ProgramData\Microsoft\Windows Defender\LocalCopy is empty.

@Slartybart

OK. I got it. WD mistakenly flagged ZHPCleaner as a trojan.

It's a false positive. I think it's because most AV software tends to mistakenly flag all AutoIT software as trojan. It must be some heuristics issue.

Marking thread as solved now.

I really appreciate your help.

Best regards.

 

Sounds good. Glad you figured it out! *Smile

 

To sum it up, I must say that those Powershell commands pointed me in the right direction.