Trojan.PasswordStealer or false positive?


  • This topic is locked
7 replies to this topic

#1 shralp

shralp

  • Members
  • 4 posts

Posted 23 May 2017 - 11:02 AM

This is a work computer. I've completed scans with both Malwarebytes and Symantec Endpoint Protection and they come back clean (sometimes MB finds a PUP that it quarantines, but that's about it).

 

But it's also quarantined what it lists as simply a "Trojan.PasswordStealer", and it's always at the same exact time of day. The location it lists is:

 

C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{DDB4634A-8728-48C2-A655-576A37FC8FFF}\cache

 

As I understand it Altiris is what our corporate IT uses to push out software updates, patches, etc. So is this likely a false positive or should I still be concerned? 

 

thanks




#2 shralp

shralp
  • Topic Starter

  • Members
  • 4 posts

Posted 24 May 2017 - 06:53 AM

bump...nothing? No one seen this behavior before?



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 May 2017 - 10:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

It sure looks like a false positive.

I can check further if you like.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[screenshot: attachlogs.png]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs for my review.

#4 shralp

shralp
  • Topic Starter

  • Members
  • 4 posts

Posted 25 May 2017 - 11:19 AM

Downloading that file immediately gets flagged by Symantec:

 

"There is strong evidence that this file is untrustworthy. This file has been seen by fewer than 5 Symantec users. Symantec has known about this file approximately 2 days."

 

I thought you guys were supposed to be preventing malware, not disseminating it?
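The two questions in this thread (is a detection inside the Altiris Software Delivery cache a false positive, and is a freshly downloaded tool that a reputation engine has "seen by fewer than 5 users" trustworthy) come down to the same check: who signed the file and does its hash match what the vendor publishes. The script below is an added triage example, not something posted in the thread or shipped by Altiris, Symantec or the FRST author. It assumes the cache path quoted in post #1 (any other folder can be passed via -CachePath) and uses only built-in cmdlets (Get-ChildItem, Get-AuthenticodeSignature, Get-FileHash). The report path is a constructed default.

```powershell
# Added triage example (not from the thread). Lists every file under the
# Altiris delivery cache with its SHA-256, Authenticode status and signer so the
# detection can be judged on evidence rather than on the AV label alone.
param(
    # Path from post #1; the GUID package folders sit underneath it.
    [string]$CachePath  = 'C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery',
    # Constructed output location (assumption).
    [string]$ReportPath = "$env:USERPROFILE\Desktop\altiris-cache-triage.csv"
)

$rows = Get-ChildItem -Path $CachePath -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            LastWrite = $_.LastWriteTime        # correlate with the "same time of day" detections
            SHA256    = $hash                   # compare with the vendor's published hash
            SigStatus = $sig.Status             # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            Issuer    = $sig.SignerCertificate.Issuer
        }
    }

# Keep a record for the IT/security team, then show the summary.
$rows | Export-Csv -Path $ReportPath -NoTypeInformation
$rows | Sort-Object SigStatus, LastWrite |
    Format-Table -AutoSize Path, SigStatus, Signer, LastWrite

# Anything unsigned, or whose signature no longer verifies, is what deserves
# a second look. A validly signed package from the expected vendor, written by
# the corporate Altiris job at its scheduled time, is consistent with a false
# positive and can be confirmed with IT by hash.
$rows | Where-Object { $_.SigStatus -ne 'Valid' } |
    Select-Object Path, SigStatus, SHA256
```

The same script, run with -CachePath pointed at the folder the Farbar tool was saved to, answers the reputation warning from post #4: a low-prevalence file is not evidence of malice by itself, but a SHA-256 that matches the publisher's value (or a valid signature from the expected signer) is evidence of authenticity. Files that Symantec has already quarantined will not be in the folder; restore them from the quarantine console to an isolated location first, or take the hash from the quarantine entry itself.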



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 May 2017 - 01:24 PM

If you have downloaded the program from the site I gave you, trust it.

You should find the download in the Quarantine folder.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 May 2017 - 07:04 AM

Are you still with me?

#7 shralp

shralp
  • Topic Starter

  • Members
  • 4 posts

Posted 31 May 2017 - 07:21 AM

Are you still with me?

 

Well given what we discussed in the scan I don't think there is anything to worry about and it's likely a false positive.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 May 2017 - 11:52 AM

Sorry, I had forgotten about our conversations.

Regards.



