Question Malware found with Defender

nandobadam88 (Member, joined Nov 29, 2024, 113 messages)
I ran a full scan with Microsoft Defender on my PC and it found the file AppData\Roaming\secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml).

But before using Defender, I had run a full scan with Malwarebytes Free and Kaspersky Free and found nothing. Why did it detect this now?

Is this type of malware the kind that modifies, deletes, or corrupts files on the PC?
 

Short answer first
  • Microsoft Defender often flags things other scanners didn’t because it uses different engines/heuristics and cloud/ML signals; that can be a true detection or a false positive.
  • Trojan:Win32/Wacatac.* is a generic/heuristic family name used by Defender (ML model hits). Variants are usually trojans/downloaders/backdoors that can download additional payloads — those payloads (e.g. ransomware) are the things that can modify/delete/corrupt files. Treat a Wacatac detection as potentially serious until proven harmless.
Why Defender caught QtWebKit4.dll but Malwarebytes/Kaspersky didn’t
  1. Different detection methods: Defender includes signature, heuristics and cloud ML models (the “!ml” suffix); that can cause Defender to flag a file other engines miss.
  2. Timing / definition updates: Defender’s cloud rules may have been updated more recently (or use a different heuristic) than the other engines you ran.
  3. False positive risk: the Wacatac family has a history of heuristic/ML false positives against packed/unsigned or installer‑type binaries — especially when the file is in a nonstandard folder or looks like a runtime DLL. Community reports show developers and users seeing Defender-only Wacatac hits.
Is this malware likely to modify/delete/corrupt files?
  • The Wacatac detection name itself describes a trojan-type detection. These trojans primarily provide remote access or downloaders; the immediate file flagged may be a dropper or component. The dangerous behavior is that such trojans commonly download further malware (ransomware, stealers, backdoors) that can modify, encrypt or exfiltrate files. So: the flagged component might not itself delete files, but it can enable payloads that do. Treat it as potentially dangerous.
What to do now — quick, safe checklist (do these in order)
  1. Don’t restore the file from quarantine yet. If Defender quarantined it, leave it there.
  2. Get details and a hash
    • In Windows Explorer: right‑click the file (or the quarantined item in Defender) → Properties → Details / Digital Signatures tab.
    • Open PowerShell as admin and run:
      Get-FileHash "C:\Users\<you>\AppData\Roaming\secure\QtWebKit4.dll" -Algorithm SHA256
    • Copy the SHA‑256 and submit it to VirusTotal (or paste the hash into virustotal.com) — that shows detections across many engines. Submit the actual file to VirusTotal only if you’re comfortable (it will be shared).
  3. Run Defender Offline
    • Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline → Scan now. This boots and scans outside Windows and catches kernel/persistent components.
  4. Second‑opinion scans (in this order)
    • ESET Online Scanner (one‑off online scan) or Kaspersky Rescue / Bitdefender Rescue — these can find things others miss.
    • Microsoft Safety Scanner (msert) as a second on‑demand tool.
  5. Check persistence & running processes
    • Download Autoruns from Sysinternals, run as admin, search for suspicious items in AppData\Roaming\secure, unusual Run keys, scheduled tasks, services. Remove only if you understand the entry or after backing up.
  6. If VirusTotal / other scanners confirm malicious:
    • Change passwords for important accounts (from a clean device).
    • Back up critical files to external media (before attempting repairs).
    • Consider a full image backup and a clean reinstall if multiple indicators show compromise.
  7. If it looks like a false positive
    • Submit the file to Microsoft for analysis (Windows Defender Security Intelligence submission) and to VirusTotal as “benign” evidence; follow their guidance to whitelist or get the signature corrected. Don’t restore until vendors confirm it’s safe.
Why AppData\Roaming\secure\QtWebKit4.dll looks suspicious
  • Legit Qt/QtWebKit DLLs usually live in the program’s install folder, not a random AppData\Roaming\secure folder. Files in AppData\Roaming are commonly used by malware for persistence — that raises suspicion even if the DLL name looks legitimate. That’s a reason Defender might flag it. (Community threads show Defender-only finds often live in AppData paths.)
If you want exact commands / help, tell me:
  • The SHA‑256 hash you get from Get-FileHash (paste it here) — I’ll check common sources and tell you if it’s known bad.
  • Or: paste the Defender history entry (screenshot or exact text) and I’ll walk through the Defender Offline scan + a VirusTotal check step‑by‑step.
If you prefer, I can give a short script to collect hashes, list suspicious Run keys and scheduled tasks so you can paste the output here — then I’ll interpret it and recommend next steps.
 

I ran a full scan with Microsoft Defender on my PC and it found the unique file AppData\Roaming\secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml).

But before using Defender, I had run a full scan with Malwarebytes Free and Kaspersky Free and found nothing. Why did it detect this now?

Is this type of malware the kind that modifies, deletes, or corrupts personal files on the PC Windows 10?


folder of file
 

Attachments
  • virus Microsoft Defender.webp (65.4 KB)
Good, thanks — that screenshot and the VirusTotal link help. Short answers up front, then exact steps you can follow right now.
Short answers
  • Why Defender caught it but Malwarebytes/Kaspersky didn’t: Defender’s cloud + ML heuristics (the “!ml” suffix) can flag files other engines miss; timing and different detection methods also explain single‑vendor hits.
  • Is Wacatac likely to delete/corrupt files? The Wacatac family is a trojan/downloader/backdoor class — the detected file may be a dropper or component. By itself it often only provides persistence or a downloader; the real danger is that it can fetch and run secondary payloads (ransomware/stealers) that will modify/encrypt/delete files. Treat a Wacatac detection as potentially serious.
Why this particular file looks suspicious
  • Legit Qt/QtWebKit DLLs normally live in the program’s install folder (Program Files or the app folder). A Qt DLL placed in C:\Users\<you>\AppData\Roaming\secure is unusual and a common persistence spot for malware, which raises Defender’s risk score and triggers ML heuristics. That folder location is one reason Defender might single out the DLL.
What to do now — step‑by‑step (safe, ordered)
1) Don’t restore the quarantined item yet
  • If Defender already quarantined the file, leave it quarantined until you’ve checked. Restoring prematurely can re‑activate malicious code.
2) Get the file hash and basic metadata (one command)
  • Open PowerShell as Administrator and run:
    Get-FileHash "C:\Users\<your‑username>\AppData\Roaming\secure\QtWebKit4.dll" -Algorithm SHA256
  • Paste the SHA256 here (or paste the VirusTotal detection summary). I can interpret the VT result for you. (Your VirusTotal link already includes the hash 935cd907..., which is the SHA identifier you can paste back here.)
3) Run Microsoft Defender Offline (boots outside Windows)
  • Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline → Scan now. This is a high‑value next step because offline scans catch drivers / persistent components. (If Defender finds/removes more items, do NOT restore; note what was removed.)
4) Do a quick second‑opinion (on‑demand tools)
  • Run Microsoft Safety Scanner (msert): download and run as admin.
  • Run ESET Online Scanner or the free Windows Defender Offline / Kaspersky Rescue ISO if you can boot from USB. These catch things some in‑OS scanners miss. The Windows Malicious Software Removal Tool (MSRT) can also help; it’s useful as an extra pass.
5) Check persistence items (Autoruns + running processes)
  • Download Autoruns from Sysinternals, run as admin, search for entries pointing to AppData\Roaming\secure or the QtWebKit4.dll filename and note any Run keys / Scheduled Tasks / Services referencing it. Don’t delete until you’ve captured hashes / screenshots — post them here if you want help interpreting.
  • Also check running processes in Task Manager and use “Details” to see file paths.
6) Interpret the VirusTotal result you posted
  • If many engines (≥5–10) detect the file as malicious, treat it as confirmed malicious and follow the “confirmed” remediation below. If only Defender shows it, it can be a false positive — but because the file is in AppData, continue cautious steps above and submit the sample to vendors for analysis (Microsoft has a submission portal). I can help interpret the VT report if you paste the detection count or a screenshot.
7) If confirmed malicious (or multiple engines flag it)
  • Back up critical personal files immediately to external offline media (before trying repairs).
  • Change important passwords from a clean device (banking, email, MFA apps).
  • Consider a full image backup and OS reinstall if you find multiple compromise indicators or unusual persistence. For single‑file infections that are fully removed by offline scans, a clean reinstall is still the safest option if you can’t be sure all persistence was removed.
8) If it looks like a false positive
  • Don’t restore automatically. Submit the sample to Microsoft for re‑analysis (they have a “submit a sample” process). Wait for vendor feedback before restoring or whitelisting. Many benign installers/sideloaded DLLs shipped into AppData can be heuristic hits.
What I need from you to help right now
  • Paste the SHA256 you got from Get-FileHash (or confirm the hash in your VirusTotal link is the same: 935cd9070679168cfcea6aea40d68294ae5f44c551cee971e69dc32f0d7ce14b).
  • Paste the VirusTotal detection summary (e.g., “5/76 engines detect”) or a screenshot of the VT detection list.
  • Tell me whether Defender already quarantined the file (yes/no) and whether you ran Defender Offline yet.
If you want, I can also supply short commands to:
  • List scheduled tasks that reference AppData\Roaming\secure,
  • Export Autoruns output to a text file you can paste here,
  • Run MSERT from a command line and capture its log.
One more note about risk: because trojans in the Wacatac family are often used as downloaders/backdoors, the flagged DLL could be the initial stage. Even if it hasn’t yet encrypted files, it may have network or persistence capability that lets an attacker drop destructive payloads later — that’s why I recommend the offline scan + backups and checking Autoruns/startup.
Tell me the SHA‑256 / VT detection count and whether Defender quarantined the file — I’ll interpret the VT engines and give the next precise cleanup steps (Autoruns commands, MSERT usage, or when to wipe and reinstall).
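The evidence-collection script that both replies offer (the Get-FileHash step, the Run-key and Autoruns check, and the scheduled-task listing) as an added example; it is not code posted in the thread or shipped by Microsoft. It assumes the path reported in the thread (%APPDATA%\secure\QtWebKit4.dll), an elevated PowerShell session on the affected Windows 10 machine, and that Defender's cmdlets (Get-MpThreatDetection) and the ScheduledTasks module are available, which they are on a stock install. It only reads and reports; it does not delete, kill, restore or upload anything, so it is safe to run before deciding between the "confirmed malicious" and "false positive" branches above.

```powershell
# Read-only triage collector for a Defender-only DLL hit (added example, not from the thread).
# Assumptions: the path below is the one Defender reported; run as Administrator.
$Target = Join-Path $env:APPDATA 'secure\QtWebKit4.dll'      # %APPDATA% = C:\Users\<you>\AppData\Roaming
$Marker = 'AppData\Roaming\secure'                             # folder fragment to look for in persistence entries
$Report = Join-Path $env:USERPROFILE 'Desktop\triage-report.txt'
$Rx     = [regex]::Escape($Marker)

$out = New-Object System.Collections.Generic.List[string]
function Note([string]$s) { $out.Add($s) }

Note "== Triage $(Get-Date -Format o) on $env:COMPUTERNAME =="

# 1. File metadata, SHA-256 and Authenticode status. If Defender already quarantined the
#    file the path is gone; the hash then has to come from Defender's history (step 2).
Note "`n== File =="
if (Test-Path -LiteralPath $Target) {
    $fi  = Get-Item -LiteralPath $Target
    $h   = Get-FileHash -LiteralPath $Target -Algorithm SHA256
    $sig = Get-AuthenticodeSignature -LiteralPath $Target
    Note "Path      : $($fi.FullName)"
    Note "Size      : $($fi.Length) bytes"
    Note "Created   : $($fi.CreationTime)   Modified: $($fi.LastWriteTime)"
    Note "SHA256    : $($h.Hash)"
    Note "Signature : $($sig.Status)  Signer: $($sig.SignerCertificate.Subject)"
    Note "Product   : $($fi.VersionInfo.ProductName)  Company: $($fi.VersionInfo.CompanyName)"
} else {
    Note "$Target not present (already quarantined or removed)"
}

# 2. Defender's own record of the detection (threat id, time, affected resources).
Note "`n== Defender threat history =="
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object { ($_.Resources -join ' ') -match 'QtWebKit4\.dll' } |
    ForEach-Object { Note "$($_.InitialDetectionTime)  ThreatID=$($_.ThreatID)  $($_.Resources -join '; ')" }

# 3. Run/RunOnce keys for the user hive, the machine hive and the 32-bit view.
Note "`n== Run keys referencing the folder or DLL =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                   # skip PowerShell's provider metadata
        $v = "$($p.Value)"
        if ($v -match $Rx -or $v -match 'QtWebKit4') { Note "$k\$($p.Name) = $v" }
    }
}

# 4. Scheduled tasks whose action executable or arguments point into the folder.
Note "`n== Scheduled tasks referencing the folder or DLL =="
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"                 # COM-handler actions have no Execute; harmless
        if ($cmd -match $Rx -or $cmd -match 'QtWebKit4') {
            Note "$($t.TaskPath)$($t.TaskName)  [$($t.State)]  -> $cmd"
        }
    }
}

# 5. Services whose binary path is in the folder.
Note "`n== Services referencing the folder =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $Rx } |
    ForEach-Object { Note "$($_.Name)  [$($_.State)]  $($_.PathName)" }

# 6. Running processes that run from the folder or have the DLL loaded (the Task Manager
#    "Details" check from step 5 of the reply, done for every process at once).
Note "`n== Processes running from the folder or with QtWebKit4.dll loaded =="
Get-Process | ForEach-Object {
    $proc = $_
    try {
        $hit = @($proc.Modules | Where-Object { $_.FileName -match $Rx -or $_.ModuleName -eq 'QtWebKit4.dll' })
        if ($hit.Count -gt 0 -or ("$($proc.Path)" -match $Rx)) {
            Note "PID $($proc.Id) $($proc.ProcessName) $($proc.Path) -> $($hit.FileName -join ', ')"
        }
    } catch { }   # access denied on protected/system processes is expected; skip them
}

$out | Set-Content -Path $Report -Encoding UTF8
Write-Host "Report written to $Report (paste its contents into the thread)"
```

The report is what the replies ask for: the SHA-256 to compare against the hash in the VirusTotal link, plus every Run key, scheduled task, service and live process that points at AppData\Roaming\secure, without touching any of them. Empty sections after Defender has quarantined the file are the expected outcome and are themselves useful evidence that no second persistence mechanism survived. If you have downloaded Sysinternals Autoruns, the same view with hashes and signature status can be exported for pasting with `autorunsc.exe -accepteula -a * -c -h -s > autoruns.csv`.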
 
