Windows Defender finds PUA:Win32/Keygen but can't remove it.

  1. Posts : 10
    windows 10
       #1

    I recently turned App and Browser control on and Windows Defender found PUA:Win32/Keygen affecting C:\Users\********\AppData\Local\Apple Inc\CloudKit\iCloudDrive\MMCS\tmpm-0x0000000000008289

    But it cannot quarantine it or remove it.


    The file location does not seem to exist when I search for it.

    I have scanned with Malwarebytes, adwcleaner, HitmanPro, and Zemana after following advice online and none of them find PUA:Win32/Keygen.

    Do you think it is a false positive?

    Any advice on what further action I should take gratefully received.



    Windows 10 Pro Version 2004 Build 19041.388


  2. Posts : 1,862
    Windows 10 Pro 2004 20H1
       #2

    This issue goes back to at least 2018.

    AppData\Local\Apple Inc\CloudKit\iCloudDrive\MMCS\tmpm - Google Search

    If you can find the file, upload it to VirusTotal and scan it there.


  3. Posts : 10
    windows 10
    Thread Starter
       #3

    OldNavyGuy said:
    This issue goes back to at least 2018.

    AppData\Local\Apple Inc\CloudKit\iCloudDrive\MMCS\tmpm - Google Search

    If you can find the file, upload it to VirusTotal and scan it there.

    That seems to be part of the issue. When I search the AppData location the file doesn't seem to exist. There is no tmpm file in the MMCS file.


  4. Posts : 12,801
    Windows 11 Pro
       #4

    stephensc said:
    That seems to be part of the issue. When I search the AppData location the file doesn't seem to exist. There is no tmpm file in the MMCS file.

    Some system files are hidden for a reason. See if this works for you. Show Hidden Files, Folders, and Drives in Windows 10


  5. Posts : 10
    windows 10
    Thread Starter
       #5

    essenbe said:
    Some system files are hidden for a reason. See if this works for you. Show Hidden Files, Folders, and Drives in Windows 10

    Yes, that is what I mean.

    I have show hidden files, folders and drives ticked. As well as Hide protected operating system files unticked for good measure but the iCloudDrive folder is empty.
    [Attached thumbnail: empty-iclouddrive-folder.png]


  6. Posts : 94
    Windows 10 Pro 64 bit. Ver. 22H2, Xubuntu 22.04
       #6

    stephensc said:
    Yes, that is what I mean.

    I have show hidden files, folders and drives ticked. As well as Hide protected operating system files unticked for good measure but the iCloudDrive folder is empty.

    Hi!
    Have you tried opening a cmd prompt and doing dir /a? Sometimes the old-style directory listing reveals things the GUI doesn't see! I've seen that myself!

    Regards, snickie


  7. Posts : 1,807
    Windows 10 Pro 21H1 19043.1348
       #7

    snickie said:
    Hi!
    Have you tried opening a cmd prompt and doing dir /a? Sometimes the old-style directory listing reveals things the GUI doesn't see! I've seen that myself!
    Regards, snickie

    That's always a worthwhile effort, good idea.

    Hi stephensc. I've posted the particulars to assist just in case you're not fluent with dos. I'd suggest trying this with an Administrative Command Prompt.


    C:\WINDOWS\system32>cd\
    C:\>
    C:\>cd users\********\appdata\local\Apple Inc\CloudKit\iCloudDrive\MMCS
    C:\users\********\appdata\local\Apple Inc\CloudKit\iCloudDrive\MMCS>dir

    If the sub-directory 'MMCS' contains more than 1 page of files, add a /p after dir.
    dir /p will display 1 page at a time and prompt you to hit any key to display the next page.
    Control C will terminate the command, if required.

    Last edited by W10 Tweaker; 31 Jul 2020 at 10:14.


  8. Posts : 10
    windows 10
    Thread Starter
       #8

    W10 Tweaker said:
    That's always a worthwhile effort, good idea.

    Hi stephensc. I've posted the particulars to assist just in case you're not fluent with dos. I'd suggest trying this with an Administrative Command Prompt.


    C:\WINDOWS\system32>cd\
    C:\>
    C:\>cd users\********\appdata\local\Apple Inc\CloudKit\iCloudDrive\MMCS
    C:\users\********\appdata\local\Apple Inc\CloudKit\iCloudDrive\MMCS>dir

    If the sub-directory 'MMCS' contains more than 1 page of files, add a /p after dir.
    dir /p will display 1 page at a time and prompt you to hit any key to display the next page.
    Control C will terminate the command, if required.

    Thank you W10 Tweaker and Snickie. I wouldn't have had a clue about which dos terms to use.

    However cmd does not seem to be able to find \MMCS path.
    I went up a level to \iCloudDrive dir

    I attach a screenshot.
    I'm not sure what it means.

    Thank you

    [Attached screenshot: empty-iclouddrive-folder-cmd-prompt.png]


  9. Posts : 1,807
    Windows 10 Pro 21H1 19043.1348
       #9

    stephensc said:
    Thank you W10 Tweaker and Snickie. I wouldn't have had a clue about which dos terms to use.
    However cmd does not seem to be able to find \MMCS path.
    I went up a level to \iCloudDrive dir
    I attach a screenshot.
    I'm not sure what it means.
    Thank you

    Good job stephensc.

    I started writing out the directions to un-hide hidden folders and then had another thought. According to my internet searches this could be a nasty Trojan and you might be best to try removing it with another anti-virus before fiddling with the folder or associated files.

    Try this:

    Online Malware Detection | ESET


    I believe you were able to navigate the folder immediately before \MMCS. Try using a manual scan with Windows Defender, select custom scan and navigate to the last folder before \MMCS.

    https://www.tenforums.com/tutorials/84796-how-scan-windows-defender-antivirus-windows-10-a.html#option2


    If you have any idea when this keygen software was downloaded and you have access to restore points or an OS image, that might be a more practical solution if anti-virus tools are unable to quarantine. Search *keygen.* using the windows explorer search box and verify folder or file creation dates. Then look for a restore point or image that predates the file or folder creation date.


    I have to be away for several hours but will check-in when I get home. Be careful if you do find the missing folder or any other irregularities that might surface on this pc.

    Last edited by W10 Tweaker; 31 Jul 2020 at 14:37.


  10. Posts : 7,607
    Windows 10 Home 20H2
       #10

    stephensc said:
    C:\Users\********\AppData\Local\Apple Inc\CloudKit\iCloudDrive\MMCS\tmpm-0x0000000000008289

    Boot into Linux and see whether it exists.
    Download Linux: http://muug.ca/mirror/linuxmint/iso/...n-64bit-v2.iso
    Use Rufus to create a bootable Linux device: Rufus - The Official Website (Download, New Releases)

    It is so simple that even an idiot like me can do it with ease.
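
The thread's recurring question is whether the file named in the Defender alert is actually on disk. As an added example (not code from any poster in this thread), the PowerShell below lists every entry in Defender's detection history and checks each referenced path, including hidden and system items. It assumes the built-in Defender cmdlets `Get-MpThreat` and `Get-MpThreatDetection` are available and that resource strings use the `file:_<path>` form; the column names in the report are illustrative.

```powershell
# Added example: list Defender detections and test whether each referenced file still exists.
# Run in an elevated PowerShell session on the affected machine.

# Map ThreatID -> ThreatName so each detection can be labelled (e.g. PUA:Win32/Keygen).
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

$report = foreach ($d in Get-MpThreatDetection) {
    foreach ($res in $d.Resources) {
        # Assumption: resources look like "file:_C:\path\to\item". Strip the scheme
        # prefix and any "->" container-member suffix to get a filesystem path.
        $path = ($res -replace '^[a-z]+:_', '') -replace '->.*$', ''

        # -Force makes Get-Item return hidden and system items as well.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Threat       = $names[$d.ThreatID]
            Detected     = $d.InitialDetectionTime
            ActionOK     = $d.ActionSuccess
            Path         = $path
            ExistsOnDisk = [bool]$item
            Attributes   = if ($item) { $item.Attributes } else { $null }
        }
    }
}

# One block per detected resource, oldest first.
$report | Sort-Object Detected | Format-List
```

A row with `ExistsOnDisk : False` means the history entry points at a path that no longer resolves; a row with `True` gives the exact file to scan or upload.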