Tr.TechSupportScam detected

[mark_a_l]

Not sure where to post this, but I just got this detection for the first time. I am using the portable version so I am not sure where the log file is kept.

In any case it said the folder C:/Users/XXXX/AppData/Local/WindowsUpdate detected TR.TechSupportScam (XXXX is my profile name). I could find no reference to this that named malware with Google, and the folder and the contents tempauthcab.cab are dated 2012 and has a Microsoft signature.  False positive?

[Curson]

Hi Mark,

Welcome to Adlice.com forum and thanks for your feedback.
If the file is signed, this is likely a false positive. Could you please attach RogueKiller JSON report with your next reply ?

To export a report, go to the "History" tab, then to the "Scan Reports" section.
There, do a double click on the report where this item has been detected, then click on the "Export json" button and save it on your desktop.

Regards.

[mark_a_l]

Here is the file. The other detections are "normal" and I always just ignore them.  I ran some other malware detection on that same folder and none hit on it. V 12.12.15.0 and prior did not hit on this folder.

[Curson]

Hi Mark,

Thanks.
Is your computer part of an enterprise network ? Could you please zip the whole WindowsUpdate folder and attach the produced archive with your next reply ?

Regards.

[mark_a_l]

No it is not. Just a regular Windows 7 install.  Attached is the a zipped file of the whole folder.

[Curson]

Hi Mark,

Thanks for your feedback. This is indeed a false positive.
We will whitelist this detection as soon as possible.

Regards.