User (13), posted March 13, 2017 (edited March 13, 2017 by User)

For about two weeks now Malwarebytes Free always finds Trojan.WMIHijacker.ClnShrt in Firefox recovery.js if I make an On-Demand-Scan:

> -Softwaredaten-
> Version: 3.0.5.1299
> Komponentenversion: 1.0.43
> Version des Aktualisierungspakets: 1.0.1491
> Lizenz: Kostenlos
> ........
> Datei: 1
> Trojan.WMIHijacker.ClnShrt, C:\USERS\...\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\5IVUESPR.DEFAULT\SESSIONSTORE-BACKUPS\RECOVERY.JS, Entfernung fehlgeschlagen, [2576], [358768],1.0.1491

A scan with ESET Smart Security 10.0.390.0 says the file is OK, a complete scan of the PC also finds no infections, and on VirusTotal also no other AV finds a virus or trojan in recovery.js.

Is this something to be concerned about? Or is this a false alarm from Malwarebytes?

Marcos (Administrators, 5,243), posted March 13, 2017

I'd suggest compressing and submitting the MBAM's quarantine folder to samples[at]eset.com along with a link to this topic.

User (13, Author), posted March 13, 2017 (edited March 13, 2017 by User)

OK, I submitted the compressed quarantine folder to samples[at]eset.com with subject "possible Trojan detected by Malwarebytes but not ESET Smart Security 10.0.390.0"

itman (1,743), posted March 13, 2017

I believe in the past, Malwarebytes detected this as a PUP: https://blog.malwarebytes.com/cybercrime/2016/10/explained-wmi-hijackers/. Appears they have upgraded it to full malware status.

You install anything recently?

Marcos (Administrators, 5,243), posted March 13, 2017

Probably this was just a false positive, as after restoring the file from quarantine it's no longer detected by MBAM. Also, it's a file recovery.js where information about open tabs is stored, so it's unlikely to be malicious.

User (13, Author), posted March 13, 2017

I found this website https://www.bleepingcomputer.com/news/security/yeabests-cc-a-fileless-infection-using-wmi-to-hijack-your-browser/ and ran wbemtest.exe as admin and followed the instructions, but no instance of ActiveScriptEventConsumer "ASEC" is active.

Also, recovery.js is always the only file that according to Malwarebytes is infected.

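
The wbemtest check described in the post above can also be scripted. This is an added PowerShell example, not part of the thread or of the linked article; it assumes an elevated prompt and the standard `root/subscription` namespace, and it only reads WMI.

```powershell
# Added example: read-only listing of permanent WMI event subscriptions.
# Run from an elevated PowerShell prompt. Nothing is modified or deleted.
$ns = 'root/subscription'   # assumption: standard namespace for permanent subscriptions

# Consumer classes that can execute script or a command line.
$consumers = foreach ($class in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer') {
    Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue
}
$filters  = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$report = foreach ($c in $consumers) {
    # A consumer only fires when a binding ties it to an event filter.
    # Matching is by Name only, so same-named consumers of another class also match.
    $bound = $bindings | Where-Object { $_.Consumer.Name -eq $c.Name }
    $names = @($bound | ForEach-Object { $_.Filter.Name })
    $query = ($filters | Where-Object { $names -contains $_.Name }).Query -join ' | '

    # What would run: inline script, script file, or command line.
    $payload = @($c.ScriptText, $c.ScriptFileName, $c.CommandLineTemplate) |
        Where-Object { $_ } | Select-Object -First 1

    [pscustomobject]@{
        Class    = $c.CimClass.CimClassName
        Consumer = $c.Name
        Filters  = $names -join ', '
        Query    = $query
        Payload  = $payload
    }
}

if ($report) {
    $report | Format-List
} else {
    'No ActiveScriptEventConsumer or CommandLineEventConsumer instances found.'
}
```

A consumer listed with an empty Filters field has no binding and will not fire on its own; one with a filter query and a payload you do not recognise is the case worth investigating.
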
User (13, Author), posted March 14, 2017

> On 13.3.2017 at 6:23 PM, User said:
> I submitted the compressed quarantine folder to samples[at]eset.com with subject "possible Trojan detected by Malwarebytes but not ESET Smart Security 10.0.390.0"

I haven't received an answer until now, so can I assume this is a false positive from Malwarebytes?

Marcos (Administrators, 5,243), posted March 15, 2017

> 20 hours ago, User said:
> I haven't received an answer until now, so can I assume this is a false positive from Malwarebytes?

I've already responded above. To me it looks like a false positive from MB.