Question: Malware found with Defender

nandobadam88 · Member · Joined Nov 29, 2024 · 120 messages
I ran a full scan with Microsoft Defender on my PC and it found the file AppData\Roaming\secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml).

But before using Defender, I had run a full scan with Malwarebytes Free and Kaspersky Free and found nothing. Why did it detect this now?

Is this type of malware the kind that modifies, deletes, or corrupts files on the PC?
 

Short answer first
  • Microsoft Defender often flags things other scanners didn’t because it uses different engines/heuristics and cloud/ML signals; that can be a true detection or a false positive.
  • Trojan:Win32/Wacatac.* is a generic/heuristic family name used by Defender (ML model hits). Variants are usually trojans/downloaders/backdoors that can download additional payloads — those payloads (e.g. ransomware) are the things that can modify/delete/corrupt files. Treat a Wacatac detection as potentially serious until proven harmless.
Why Defender caught QtWebKit4.dll but Malwarebytes/Kaspersky didn’t
  1. Different detection methods: Defender includes signature, heuristics and cloud ML models (the “!ml” suffix); that can cause Defender to flag a file other engines miss.
  2. Timing / definition updates: Defender’s cloud rules may have been updated more recently (or use a different heuristic) than the other engines you ran.
  3. False positive risk: the Wacatac family has a history of heuristic/ML false positives against packed/unsigned or installer‑type binaries — especially when the file is in a nonstandard folder or looks like a runtime DLL. Community reports show developers and users seeing Defender-only Wacatac hits.
Is this malware likely to modify/delete/corrupt files?
  • The Wacatac detection name itself describes a trojan-type detection. These trojans primarily provide remote access or downloaders; the immediate file flagged may be a dropper or component. The dangerous behavior is that such trojans commonly download further malware (ransomware, stealers, backdoors) that can modify, encrypt or exfiltrate files. So: the flagged component might not itself delete files, but it can enable payloads that do. Treat it as potentially dangerous.
What to do now — quick, safe checklist (do these in order)
  1. Don’t restore the file from quarantine yet. If Defender quarantined it, leave it there.
  2. Get details and a hash
    • In Windows Explorer: right‑click the file (or the quarantined item in Defender) → Properties → Details / Digital Signatures tab.
    • Open PowerShell as admin and run:
      Get-FileHash "C:\Users\<you>\AppData\Roaming\secure\QtWebKit4.dll" -Algorithm SHA256
    • Copy the SHA‑256 and submit it to VirusTotal (or paste the hash into virustotal.com) — that shows detections across many engines. Submit the actual file to VirusTotal only if you’re comfortable (it will be shared).
  3. Run Defender Offline
    • Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline → Scan now. This boots and scans outside Windows and catches kernel/persistent components.
  4. Second‑opinion scans (in this order)
    • ESET Online Scanner (one‑off online scan) or Kaspersky Rescue / Bitdefender Rescue — these can find things others miss.
    • Microsoft Safety Scanner (msert) as a second on‑demand tool.
  5. Check persistence & running processes
    • Download Autoruns from Sysinternals, run as admin, search for suspicious items in AppData\Roaming\secure, unusual Run keys, scheduled tasks, services. Remove only if you understand the entry or after backing up.
  6. If VirusTotal / other scanners confirm malicious:
    • Change passwords for important accounts (from a clean device).
    • Back up critical files to external media (before attempting repairs).
    • Consider a full image backup and a clean reinstall if multiple indicators show compromise.
  7. If it looks like a false positive
    • Submit the file to Microsoft for analysis (Windows Defender Security Intelligence submission) and to VirusTotal as “benign” evidence; follow their guidance to whitelist or get the signature corrected. Don’t restore until vendors confirm it’s safe.
Why AppData\Roaming\secure\QtWebKit4.dll looks suspicious
  • Legit Qt/QtWebKit DLLs usually live in the program’s install folder, not a random AppData\Roaming\secure folder. Files in AppData\Roaming are commonly used by malware for persistence — that raises suspicion even if the DLL name looks legitimate. That’s a reason Defender might flag it. (Community threads show Defender-only finds often live in AppData paths.)
If you want exact commands / help, tell me:
  • The SHA‑256 hash you get from Get-FileHash (paste it here) — I’ll check common sources and tell you if it’s known bad.
  • Or: paste the Defender history entry (screenshot or exact text) and I’ll walk through the Defender Offline scan + a VirusTotal check step‑by‑step.
If you prefer, I can give a short script to collect hashes, list suspicious Run keys and scheduled tasks so you can paste the output here — then I’ll interpret it and recommend next steps.
 

I ran a full scan with Microsoft Defender on my PC and it found the unique file AppData\Roaming\secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml).

But before using Defender, I had run a full scan with Malwarebytes Free and Kaspersky Free and found nothing. Why did it detect this now?

Is this type of malware the kind that modifies, deletes, or corrupts personal files on my Windows 10 PC?


folder of file
 

Attachment: virus Microsoft Defender.webp (65.4 KB)
Good, thanks — that screenshot and the VirusTotal link help. Short answers up front, then exact steps you can follow right now.
Short answers
  • Why Defender caught it but Malwarebytes/Kaspersky didn’t: Defender’s cloud + ML heuristics (the “!ml” suffix) can flag files other engines miss; timing and different detection methods also explain single‑vendor hits.
  • Is Wacatac likely to delete/corrupt files? The Wacatac family is a trojan/downloader/backdoor class — the detected file may be a dropper or component. By itself it often only provides persistence or a downloader; the real danger is that it can fetch and run secondary payloads (ransomware/stealers) that will modify/encrypt/delete files. Treat a Wacatac detection as potentially serious.
Why this particular file looks suspicious
  • Legit Qt/QtWebKit DLLs normally live in the program’s install folder (Program Files or the app folder). A Qt DLL placed in C:\Users\<you>\AppData\Roaming\secure is unusual and a common persistence spot for malware, which raises Defender’s risk score and triggers ML heuristics. That folder location is one reason Defender might single out the DLL.
What to do now — step‑by‑step (safe, ordered)
1) Don’t restore the quarantined item yet
  • If Defender already quarantined the file, leave it quarantined until you’ve checked. Restoring prematurely can re‑activate malicious code.
2) Get the file hash and basic metadata (one command)
  • Open PowerShell as Administrator and run:
    Get-FileHash "C:\Users\<your‑username>\AppData\Roaming\secure\QtWebKit4.dll" -Algorithm SHA256
  • Paste the SHA256 here (or paste the VirusTotal detection summary). I can interpret the VT result for you. (Your VirusTotal link already includes the hash 935cd907..., which is the SHA identifier you can paste back here.)
3) Run Microsoft Defender Offline (boots outside Windows)
  • Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline → Scan now. This is a high‑value next step because offline scans catch drivers / persistent components. (If Defender finds/removes more items, do NOT restore; note what was removed.)
4) Do a quick second‑opinion (on‑demand tools)
  • Run Microsoft Safety Scanner (msert): download and run as admin.
  • Run ESET Online Scanner or the free Windows Defender Offline / Kaspersky Rescue ISO if you can boot from USB. These catch things some in‑OS scanners miss. The Windows Malicious Software Removal Tool (MSRT) can also help; it’s useful as an extra pass.
5) Check persistence items (Autoruns + running processes)
  • Download Autoruns from Sysinternals, run as admin, search for entries pointing to AppData\Roaming\secure or the QtWebKit4.dll filename and note any Run keys / Scheduled Tasks / Services referencing it. Don’t delete until you’ve captured hashes / screenshots — post them here if you want help interpreting.
  • Also check running processes in Task Manager and use “Details” to see file paths.
6) Interpret the VirusTotal result you posted
  • If many engines (≥5–10) detect the file as malicious, treat it as confirmed malicious and follow the “confirmed” remediation below. If only Defender shows it, it can be a false positive — but because the file is in AppData, continue cautious steps above and submit the sample to vendors for analysis (Microsoft has a submission portal). I can help interpret the VT report if you paste the detection count or a screenshot.
7) If confirmed malicious (or multiple engines flag it)
  • Back up critical personal files immediately to external offline media (before trying repairs).
  • Change important passwords from a clean device (banking, email, MFA apps).
  • Consider a full image backup and OS reinstall if you find multiple compromise indicators or unusual persistence. For single‑file infections that are fully removed by offline scans, a clean reinstall is still the safest option if you can’t be sure all persistence was removed.
8) If it looks like a false positive
  • Don’t restore automatically. Submit the sample to Microsoft for re‑analysis (they have a “submit a sample” process). Wait for vendor feedback before restoring or whitelisting. Many benign installers/sideloaded DLLs shipped into AppData can be heuristic hits.
What I need from you to help right now
  • Paste the SHA256 you got from Get-FileHash (or confirm the hash in your VirusTotal link is the same: 935cd9070679168cfcea6aea40d68294ae5f44c551cee971e69dc32f0d7ce14b).
  • Paste the VirusTotal detection summary (e.g., “5/76 engines detect”) or a screenshot of the VT detection list.
  • Tell me whether Defender already quarantined the file (yes/no) and whether you ran Defender Offline yet.
If you want, I can also supply short commands to:
  • List scheduled tasks that reference AppData\Roaming\secure,
  • Export Autoruns output to a text file you can paste here,
  • Run MSERT from a command line and capture its log.
One more note about risk: because trojans in the Wacatac family are often used as downloaders/backdoors, the flagged DLL could be the initial stage. Even if it hasn’t yet encrypted files, it may have network or persistence capability that lets an attacker drop destructive payloads later — that’s why I recommend the offline scan + backups and checking Autoruns/startup.
Tell me the SHA‑256 / VT detection count and whether Defender quarantined the file — I’ll interpret the VT engines and give the next precise cleanup steps (Autoruns commands, MSERT usage, or when to wipe and reinstall).
 

My question now is whether this file is actually malware or a false positive.

What is the real name and type of malware?

And does it modify, delete, or corrupt my personal files on my PC?



I performed a full scan with Kaspersky Free, Malwarebytes Free, and AdwCleaner a week or two ago with the software’s updated definitions database, but only Microsoft Defender found AppData\Roaming\secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml).



I posted the VirusTotal scan result above.
 

Short answer — I can’t prove it remotely, but I can tell you how to tell which it is and what to do next.
  • Possibility A — malicious: Trojan:Win32/Wacatac.* is a trojan/downloader/backdoor family. If multiple engines on VirusTotal flag your QtWebKit4.dll, treat it as real malware because Wacatac variants are commonly used to download or install secondary payloads (ransomware, stealers, RATs) that can modify/encrypt/exfiltrate your personal files.
  • Possibility B — false positive: Defender uses cloud/ML heuristics (the “!ml” suffix) and sometimes flags packed/unsigned or out‑of‑place DLLs that other AVs don’t. If only Defender shows a detection on VirusTotal and the file came from a legitimate app, it may be a heuristic false positive.
Why Defender may have been the only one to find it
  • Defender’s cloud + ML heuristics can flag items other engines miss; different products use different signatures and heuristics, so single‑vendor detections are common and can be either true positives or false positives.
Why this specific file looks suspicious
  • A real Qt DLL normally lives in the program folder (Program Files or the app folder). A QtWebKit DLL sitting in C:\Users\<you>\AppData\Roaming\secure is unusual (AppData\Roaming is a common persistence location for malware), which increases the chance Defender will flag it.
Does Wacatac (this detection) modify/delete/corrupt files?
  • The Wacatac detection itself is generally a trojan/downloader/backdoor. The flagged component may only provide persistence or downloading capability; the destructive actions (delete/corrupt/encrypt files) usually come from secondary payloads that a trojan like Wacatac can fetch and run (for example ransomware). So treat it as potentially dangerous even if the single DLL hasn’t yet altered your files.
What I need from you to make a clear call
  1. The VirusTotal detection summary (how many AV engines detect it; e.g. “5/78 engines”) — you posted the VT link but not the detection count. If you paste the VT summary or the SHA‑256 (the link already contains the SHA starting 935cd907...), I’ll interpret the engines for you.
  2. Tell me whether Defender already quarantined the file (yes/no).
  3. Have you run Microsoft Defender Offline yet? (yes/no)
Immediate safe steps (do these now)
  1. Leave the file quarantined — do NOT restore it until confirmed safe.
  2. Run Microsoft Defender Offline (Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline → Scan now). This boots outside Windows and finds persistent components.
  3. Get the SHA‑256 hash (if you can) and paste it here:
    • Open PowerShell (Admin) and run:
      Get-FileHash "C:\Users\<your-username>\AppData\Roaming\secure\QtWebKit4.dll" -Algorithm SHA256
    • Paste the result or the VT detection count here.
  4. Run one or two second‑opinion on‑demand tools (after offline scan): Microsoft Safety Scanner (msert) and ESET Online Scanner or bootable rescue ISO (Kaspersky/Bitdefender rescue). These help confirm/clean.
  5. Check persistence (Autoruns) — download Autoruns from Sysinternals, run as admin, search for entries pointing to AppData\Roaming\secure or QtWebKit4.dll. If you find Run keys / Scheduled Tasks / services pointing there, capture a screenshot or paste the entries and I’ll help interpret.
  6. Backup critical personal files immediately to external media (offline) before further cleanup if multiple engines flag the file. Then change important passwords (from a clean device) if the file proves malicious.
How I’ll help once you post the VT/hash and status
  • I’ll read the VT detection list and tell you whether it’s widely detected (malicious) or a single‑vendor/heuristic hit (possible false positive) and list the next cleanup steps precisely (commands for Autoruns export, MSERT run + log path, how to remove entries safely, or when to wipe/reinstall).
If you prefer an immediate conservative route
  • If you don’t want to investigate, back up your data now and do a clean reinstall of Windows. That guarantees removal of any hidden persistence. If you choose that, I’ll give the step‑by‑step for a safe reinstall and restoring your data.
Bottom line
  • I can’t declare “malware” vs “false positive” from your screenshot alone. The file’s location and Defender’s Wacatac flag make it suspicious, and Wacatac detections are potentially serious because they commonly act as downloaders that can lead to file‑modifying payloads. Provide the VirusTotal detection count or the SHA‑256 and whether Defender quarantined it, and I’ll interpret the VT engines and give the exact cleanup or confirmation steps.
 

VirusTotal detections: 30/72. Yes, Defender quarantined it.
 

Short answer — very likely malicious.
Why: a VirusTotal score of 30/72 plus Microsoft Defender quarantining the file strongly indicates the sample is malicious (many engines agree). Defender’s label Trojan:Win32/Wacatac.C!ml is a family/heuristic name for downloader/backdoor trojans — these usually provide persistence and a channel to download and run further payloads (ransomware, info‑stealers, RATs). That means the flagged DLL itself may not have immediately deleted your files, but it can enable secondary malware that does.
Concrete answers to your questions
  • Is the file actually malware or a false positive?
    Given 30/72 detections and Defender already quarantining it, treat it as real malware unless you have strong evidence the file came from a verified, trusted installer and the vendor confirms it. Single‑engine hits can be false positives, but 30/72 is well above “single‑engine noise.”
  • What’s the real name / type?
    Microsoft calls it Trojan:Win32/Wacatac.C!ml — a Wacatac‑family trojan (downloader/backdoor). That is a generic family label (not a human‑friendly product name) meaning a trojan component that can drop or fetch other malware.
  • Does it modify/delete/corrupt personal files?
    The Wacatac component itself typically acts as a downloader/backdoor. The destructive actions (file modification, encryption, deletion, exfiltration) normally come from secondary payloads it may download (for example ransomware or file‑stealers). So the DLL is dangerous because it can lead to file‑damaging malware even if it hasn’t yet done so itself.
Immediate steps (do these now — in this order)
  1. Leave the file quarantined. Do NOT restore it. (You already said Defender quarantined it — good.)
  2. Back up important personal files immediately to an external drive (disconnect that drive when done). Back up only user data (Documents, Pictures, etc.) — do not copy programs or system files.
  3. Run an offline/boot scan:
    • Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline → Scan now. This scans outside Windows and will catch persistent components.
  4. Run a second‑opinion rescue scan (offline if possible):
    • Bootable rescue ISO: Kaspersky Rescue / Bitdefender Rescue (create USB, boot and scan).
    • Or run ESET Online Scanner and Microsoft Safety Scanner (msert) from Windows after the offline scan.
  5. Check persistence and indicators (do this if you’re comfortable; I can walk you through):
    • Download Autoruns (Sysinternals), run as Administrator, search for entries pointing to C:\Users\<you>\AppData\Roaming\secure or QtWebKit4.dll.
    • List Run keys:
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s
      reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s
    • List scheduled tasks referencing that folder:
      schtasks /query /fo LIST /v | findstr /I "secure"
  6. If rescue scans / multiple engines confirm active infection: isolate the PC from the network, change important passwords from a clean device, and plan a full OS reinstall (cleanest recovery). If you cannot or do not want to reinstall immediately, at minimum make an image backup and keep the system offline until cleaned.
If you think it might be a false positive
  • Do not restore the file until vendors confirm. Submit the sample to Microsoft for re‑analysis (Windows Defender Security Intelligence submission) and to VirusTotal as benign evidence; wait for vendor feedback before restoring. But with 30/72 detections, false positive is unlikely.
If you want, I will:
  • Interpret the VirusTotal engine list for you (paste the VT detections page or allow me to view the detection names) and tell you which engines flagged which behaviors.
  • Provide exact Autoruns/PowerShell commands and show how to export and paste the results safely so I can read them.
  • Walk you step‑by‑step through creating a Kaspersky/Bitdefender rescue USB and running an offline scan.
One final practical recommendation
Because trojans like Wacatac are often used to drop destructive payloads, the safest course after confirmed detection is: back up your data now, run offline rescue scans, and if multiple indicators remain, do a clean reinstall of Windows and restore your files from the offline backup. If you want, start by telling me:
  • Did Defender’s Protection history show additional files/registry keys removed or only that single DLL?
  • Do you want step‑by‑step commands to collect Autoruns output and scheduled tasks now?
 

If each antivirus detects this malware with a different name, then what would be the real name of this malware?

It's quarantined by Defender. It's a single file found. I haven't deleted it from quarantine yet because an expert might recommend another type of scan.

My Kaspersky Free, Malwarebytes Free, and AdwCleaner didn't detect it in the full scan, but Defender did. Given the behavior of this malware on my PC (activated, running, modifying files), would Kaspersky Free also let this malware pass by as if nothing were happening? I always update the virus definitions before scanning.
 

Short answer
  • There is no single “real” friendly name here — Microsoft’s label (Trojan:Win32/Wacatac.C!ml) is a heuristic/family name, not a unique product name.
  • With VirusTotal 30/72 and Defender quarantining it, treat the file as malicious. That many engines agreeing makes a false positive unlikely.
  • Wacatac‑style detections are usually downloaders/backdoors (they enable further payloads). The DLL itself usually doesn’t act like a one‑shot file‑wiper, but it can allow the attacker to download ransomware/stealers that WILL modify, encrypt or exfiltrate your personal files. If you already see “activated, running, modifying files” on the PC, assume there is active compromise and act accordingly.
Why you don’t get one single “real name”
  • Different AV vendors use different naming systems and heuristics. A single binary will therefore show up under many names (e.g. DanaBot, Kryptik variants, Agent, Win32/… etc.) depending on which signatures/behaviors the vendor matches. Only a detailed dynamic/behavioral analysis (sandbox/forensic) can tie the sample to a precise malware family and campaign. The Defender name is sufficient to treat it as a trojan/backdoor.
Short explanation of your Kaspersky / Malwarebytes results
  • It’s possible for up‑to‑date products to miss a specific sample if they don’t have a signature for that variant or the detection depends on different ML heuristics. Defender’s cloud/ML detection sometimes catches things others don’t — and in your case 30/72 engines on VT already flagged it, so Kaspersky/Malwarebytes likely didn’t miss everything generally — they either didn’t recognise this exact build or it was packed/obfuscated in a way that made some engines miss it. But with 30/72 you should treat it as real.
What to do right now — step‑by‑step (highest priority)
1) Leave Defender’s quarantine in place. Do not restore.
2) Disconnect the PC from the network (unplug ethernet / disable Wi‑Fi) if you suspect active modification. This prevents further downloads/exfiltration.
3) Back up your personal files immediately to an external disk (only documents, photos, etc.). Disconnect that backup drive when done. Do NOT back up programs or system files.
4) Run an offline/boot rescue scan:
  • Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline → Scan now.
  • Create and boot a rescue ISO (Kaspersky Rescue / Bitdefender Rescue) and run a full scan. (Offline scans find persistent/rootkit components.)
5) Run additional on‑demand scanners (after offline scan): Microsoft Safety Scanner (msert) and ESET Online Scanner.
6) If rescue scans confirm infection (or you continue to see modifications): plan a full Windows reinstall (cleanest), restoring data only from the offline backup. If you can’t reinstall immediately, image the disk before attempting repairs.
Collect evidence (if you want to investigate / I can help interpret)
Run these from an elevated PowerShell / cmd and paste results here if you want me to analyze them:
  • SHA‑256 (confirm VT hash):
    powershell -Command "Get-FileHash 'C:\Users\%USERNAME%\AppData\Roaming\secure\QtWebKit4.dll' -Algorithm SHA256"
  • List running processes with file path:
    powershell -Command "Get-Process | Where-Object {$_.Path} | Select-Object Id,ProcessName,Path | Format-Table -AutoSize"
  • Check autorun / persistence quickly (export):
    Autoruns (download from Sysinternals) → File → Save (or run Sysinternals Autoruns as admin and use File→Save) — paste the text output.
  • List Run keys and scheduled tasks:
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s
    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s
    schtasks /query /fo LIST /v | findstr /I "secure"
  • Network connections (to see C2):
    netstat -ano | findstr ESTABLISHED
What if you already observed file modification / active behavior?
  • If you truly see processes modifying files, assume compromise and prioritize: backup data, isolate the machine, change important passwords from a clean device, and reinstall Windows. Trying to “clean” an actively compromised system without reinstall is riskier and can leave hidden persistence.
If you want me to continue helping I can:
  • Interpret the VirusTotal engine list in detail if you paste the VT detection list / engine names (I can map to likely families).
  • Walk you step‑by‑step to create a Kaspersky/Bitdefender rescue USB and run an offline scan.
  • Help parse Autoruns / process lists you paste and point out persistence items to remove, or produce a safe removal plan.
  • Walk through a safe backup and clean reinstall procedure.
Final practical advice (short)
  • With 30/72 detections + Defender quarantine, treat it as malware. Back up your personal files now from that PC to external media, disconnect the PC, run the offline rescue scans, and plan a clean Windows reinstall if scans show further indicators or you’ve observed file modifications. If you want immediate step‑by‑step help, tell me which step you want to do right now (collect hashes, run Defender Offline, build a rescue USB, export Autoruns output) and I’ll give the exact commands and walk you through it.
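The evidence-collection script offered in the replies above (file hash and signature, Run keys, scheduled tasks, processes, Defender history, established connections) as an added example; it is not the poster's own script. It assumes the suspect path under %APPDATA% given in the thread; the search regex and the report location on the Desktop are my choices.

```powershell
# Read-only triage collector for the detection discussed in this thread (added example).
# Assumptions: suspect path derived from %APPDATA% as in the thread; report saved to the Desktop.
# Run in an elevated PowerShell on the affected PC; nothing is deleted, restored or modified.
$Suspect = Join-Path $env:APPDATA 'secure\QtWebKit4.dll'   # C:\Users\<you>\AppData\Roaming\secure\QtWebKit4.dll
$Pattern = 'AppData\\Roaming\\secure|QtWebKit4\.dll'        # regex matched against persistence entries
$Report  = Join-Path $env:USERPROFILE 'Desktop\triage-report.txt'

function Get-SuspectFileInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Quarantine moves the file out of its folder, so "absent" is expected after Defender acted
        return [pscustomobject]@{ Path = $Path; Present = $false; Note = 'Not on disk (probably quarantined)' }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        SizeBytes = $item.Length
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash   # value to look up on VirusTotal
        Signature = $sig.Status                                                # NotSigned is typical for a rogue DLL
        Signer    = $sig.SignerCertificate.Subject
    }
}

function Get-RunKeyMatches {
    param([string]$Regex)
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                # skip PSPath/PSParentPath metadata
            if ("$($p.Value)" -match $Regex) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Get-ScheduledTaskMatches {
    param([string]$Regex)
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Regex) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; State = $task.State; Command = $cmd }
            }
        }
    }
}

function Get-ProcessMatches {
    param([string]$Regex)
    # A DLL needs a host process: report processes whose image, or any loaded module, matches
    foreach ($proc in Get-Process) {
        if ($proc.Path -and $proc.Path -match $Regex) {
            [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName; Kind = 'Image'; Match = $proc.Path }
        }
        try { $mods = $proc.Modules } catch { continue }         # access denied on protected processes
        foreach ($m in $mods) {
            if ($m.FileName -match $Regex) {
                [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName; Kind = 'Module'; Match = $m.FileName }
            }
        }
    }
}

function Get-DefenderHistory {
    # Same data as the GUI's Protection history: shows whether more than the single DLL was acted on
    Get-MpThreatDetection | Select-Object InitialDetectionTime, ActionSuccess,
        @{ Name = 'Threat';    Expression = { (Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue).ThreatName } },
        @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } }
}

function Get-EstablishedConnections {
    # Established TCP sessions with their owning process, to spot an unexpected outbound channel
    foreach ($c in Get-NetTCPConnection -State Established) {
        $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Process = $owner.ProcessName; Pid = $c.OwningProcess; Remote = "$($c.RemoteAddress):$($c.RemotePort)" }
    }
}

# Assemble a plain-text report that can be pasted into the thread
$sections = [ordered]@{
    'Suspect file'             = Get-SuspectFileInfo -Path $Suspect
    'Run / RunOnce matches'    = Get-RunKeyMatches -Regex $Pattern
    'Scheduled task matches'   = Get-ScheduledTaskMatches -Regex $Pattern
    'Process / module matches' = Get-ProcessMatches -Regex $Pattern
    'Defender detections'      = Get-DefenderHistory
    'Established connections'  = Get-EstablishedConnections
}
$out = foreach ($name in $sections.Keys) {
    "== $name =="
    if ($sections[$name]) { $sections[$name] | Format-List | Out-String } else { '(none found)' }
}
$out | Out-File -FilePath $Report -Encoding utf8
Write-Host "Triage report written to $Report"
```

Every section is a separate function, so a single check (for example `Get-RunKeyMatches -Regex $Pattern`) can be run on its own before pasting the whole report.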
 

I downloaded several files (250GB) on the PC and copied them to the external HD; after that, it was detected by Microsoft Defender. Will it be necessary to download all the files again on the PC and copy them to the external HD, because this malware DLL modified everything?
 

Short answer — don’t risk it: treat the external drive as potentially contaminated and don’t open files from it until you scan and verify them on a known‑clean machine. You will probably NOT need to re‑download personal photos/docs if they are benign, but you should re‑download any installers, programs, or executables from their official sources rather than trusting copies taken from an infected PC.
Why
  • The DLL on your PC is a trojan/backdoor (Wacatac family). Trojans often drop or launch secondary payloads. If you copied files after the system was already infected, any executable/setup (.exe, .msi), archive (.zip, .7z, .rar), script (.vbs, .ps1, .bat), or office file with macros could have been infected or a carrier for malware.
  • Non‑executable content (most photos, plain text, PDFs without embedded scripts) is much less likely to be infected, but it can still be used to exfiltrate data — and there are edge cases (malicious document macros, malformed images that exploit apps) so we still scan them.
Safe step‑by‑step plan (recommended order)
1) Stop using the external drive on the infected PC. Eject it and keep it offline.
2) Work from a clean computer for all scanning and remediation (not the infected PC). If you don’t have one, use a rescue USB (see step 4).
3) Do NOT open files from the external drive until scanned. That includes installers, documents and media. Opening a file can execute embedded code.
4) Best (most reliable): create a rescue USB and boot it, then scan the external drive
  • Download Kaspersky Rescue Disk or Bitdefender Rescue ISO on a known‑clean PC, write to USB, boot the clean PC from the USB, attach the external drive and run a full scan. Rescue ISOs scan for rootkits and active threats without running Windows (recommended).
5) If you can’t run a rescue ISO, scan the external drive from a clean Windows PC with updated AV(s)
  • Plug the drive into a known‑clean machine (or a VM you trust). Update Defender / Kaspersky / Malwarebytes there and run a full scan of the external drive.
  • Windows Defender via command line (example):
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "E:\"
    (Replace E: with the external drive letter.)
  • Or use Start‑MpScan in an elevated PowerShell if available:
    Start-MpScan -ScanType FullScan
    (then use the GUI to target the drive, or use MpCmdRun to specify the folder)
6) Use >=2 scanners if possible (e.g., Defender + ESET Online Scanner or Malwarebytes on the clean machine) — different engines catch different things.
7) For any suspicious EXEs/Installers/Archives found on the drive: DO NOT run them. Delete them and re‑download installers directly from the official vendor sites. That is the safest option.
8) For your personal documents/photos:
  • If scans return clean (no detections) you can keep them. For extra caution, copy them to a new folder on the clean machine after scanning and open one or two files to confirm they behave normally.
  • If any documents contain macros, open them only in a sandbox or after enabling macro‑blocking, or convert to safe formats (PDF) using a clean machine before opening.
9) If the rescue/clean scans find malware on the external drive:
  • Quarantine/delete infected files found by the scanners.
  • If many files or system images/portable apps are infected, reformat the external drive (after you back up uninfected data to another clean storage) and then restore only verified clean files.
10) If you’ve already used any files from that external drive on other machines, treat those other machines as possibly exposed and scan them too.
Deciding which files to re‑download vs keep
  • Re‑download ALWAYS: installers, portable apps, toolchains, games, driver installers, .exe / .msi / .bat files and any archive (.zip/.7z/.rar) that contains executables.
  • Scan and keep (if clean): photos, music, most PDFs, plain documents (.txt, but check Office docs with macros). For Office (.docx/.xlsx) confirm they are not .docm or macro‑enabled; if in doubt, open on a clean machine with macros disabled or convert to PDF first.
  • Never trust backups of system images or program folders taken from an infected machine — better to rebuild/reinstall from original sources.
If you want me to walk you through this now
  • Tell me:
    1) Do you have a separate clean PC (or can you boot a rescue USB)?
    2) The external drive letter when plugged into your PC (e.g., E:).
    3) Whether Defender or other tools previously found any infected files on that external drive (yes/no).
  • I can then give exact commands for scanning (MpCmdRun, MSERT), instructions to create a rescue USB, and help you interpret scan logs or quarantine reports.
Quick emergency checklist (if you’re short on time)
  • Unplug the external drive.
  • Back up only irreplaceable personal files (photos, documents) by copying them to another external drive only from a clean machine or after scanning.
  • Re‑download all programs/installers from official sites.
  • Run rescue ISO scan and then decide reformat/restore.
You did the right thing not deleting the quarantine entry. Start by scanning the external drive from a known‑clean environment (rescue ISO is best). If you want, say “help make rescue USB” and I’ll give the exact download links and step‑by‑step commands for creating and running it.
 

After copying the files to the external hard drive, I ran a WinRAR test and found no errors.

Even though Kaspersky Free didn't detect the file AppData\Roaming\secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml), can it monitor strange behavior caused by this malware on the PC and files and prevent it from working?
 

Short answer — yes, Kaspersky Free does have behavior‑monitoring (System Watcher) and real‑time file protection that can detect and block suspicious activity, and it can roll back some malicious changes — but it’s not guaranteed to catch every variant. Because Defender already quarantined a Wacatac‑family DLL on your PC, treat the system as potentially compromised and follow the cleanup steps below.
What Kaspersky Free can and can’t do (brief)
  • What it does: Kaspersky Free includes File Anti‑Virus (real‑time scanning), Web/Safe Browsing, Network Attack Blocker and System Watcher — System Watcher is the behavior‑monitor that can detect exploit/ransomware‑style activity and roll back some changes made by malware (including some encryptors). That means Kaspersky can often stop malicious behavior even if a signature wasn’t present.
  • What it may not do: No AV is perfect. Packed/obfuscated or very new variants can evade signature/heuristic detection. If the malware executed and made changes before Kaspersky saw it, the product may stop further activity but won’t necessarily recover all prior changes unless System Watcher can specifically roll them back. A 30/72 VT score (your file) makes this a likely real infection — not a one‑engine false positive.
Answer to your direct question
  • Would Kaspersky Free “let this malware pass” while it modifies files? Not necessarily — Kaspersky’s real‑time File Anti‑Virus + System Watcher try to detect and block malicious behaviour and can roll back many malicious actions. But because Defender found the file and VT shows many detections, that specific build apparently evaded Kaspersky’s signatures/heuristics at the time you scanned. That can happen — detection timing and variant differences explain it. If the malware is already running and modifying files, Kaspersky may stop further actions but may not undo everything unless System Watcher can revert those exact operations.
Recommended immediate steps (what to do now)
  1. Keep Defender’s quarantine entry — do NOT restore it. (Good you didn’t delete it.)
  2. Disconnect the PC from the network (unplug ethernet, disable Wi‑Fi) to stop possible downloads or exfiltration.
  3. Back up irreplaceable user data (photos, documents) from this PC to an external drive — but do this only if you copy from the infected PC directly to offline storage and then scan that backup from a known‑clean machine (see step 5). Don’t copy programs or installers.
  4. Run offline / rescue scans:
    • Run Microsoft Defender Offline (Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline → Scan now).
    • Create a rescue USB (Kaspersky Rescue Disk or Bitdefender Rescue) on a clean PC and boot the infected PC from it; run a full scan and removal. Rescue ISOs are best for persistent/rootkit components.
  5. Scan external drive from a known‑clean system (or from the rescue USB) before opening any copied files. If you can’t, boot the clean machine and scan the drive with updated Kaspersky + another engine (ESET online scanner or Microsoft Safety Scanner). Do not execute installers from that drive — re‑download installers from vendor sites.
  6. Check for persistence and active processes: export Autoruns, list Run keys and scheduled tasks, and check running processes/paths — I can help interpret those outputs if you paste them.
  7. If scans confirm infection or you continue to see file modification: assume compromise — isolate, change important passwords from a different device, and plan a clean Windows reinstall (safest). Alternatively, image the disk first if you want to preserve evidence.
  8. After cleanup, ensure Kaspersky (or your chosen AV) has System Watcher/real‑time protection enabled and definitions updated; run a full system scan again.
Practical note on reliance and timing
  • Kaspersky Free provides strong real‑time/behavior protection for a free product (including rollback capabilities), but detection depends on the variant and timing — your Defender/VT result shows this sample triggered many engines, so don’t assume any single scanner would have automatically blocked all behavior before files were modified. In practice, combine steps above (offline rescue, scanning backups on a clean machine, and reinstall if needed) for a reliable recovery.
If you want, I’ll walk you through any of these now:
  • Step‑by‑step to run Microsoft Defender Offline and interpret the logs; or
  • How to build a Kaspersky Rescue USB and run a scan; or
  • Exact Autoruns/PowerShell commands to collect persistence and process info and interpret it here.
Which do you want to do first? (If you’re worried about the external drive, tell me its drive letter and whether you have a known‑clean PC to use for scanning it.)
 

It’s already been removed. My concern is whether this malware AppData\Roaming\secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml) detected by Microsoft Defender corrupted, deleted, or modified my personal files, especially the compressed ones. Before testing with Defender, I used Kaspersky Free as my main antivirus, but I also scanned with Malwarebytes Free and Adwcleaner, and according to all of them, the system was clean and without anything. I downloaded a lot of games, ISOs, emulators, and programs, totaling 250GB, and copied them to an external hard drive. Only after that did I switch from Kaspersky Free to Defender because Kaspersky Free was no longer free. In the first full scan of Microsoft Defender, this malware was found. So, after cleaning, will I have to download everything again to ensure they are intact and copy everything again to the four external hard drives? On VirusTotal, this same malware found by Defender has several different names for different antiviruses. It’s hard to tell what it actually is, but I posted the test results at the beginning of the thread, along with a screenshot of the folder where it’s located.

Because they said Kaspersky was one of the best antiviruses, I thought this also applied to the free version, but I think it’s only the paid version. I used the free version for years, and from what I see in the file folder, it’s been on my PC since 2024.
 

Short answer — you probably don’t need to blindly re‑download every non‑executable file, but you must assume the external drive may be contaminated and verify everything before you use it. Executables / installers / ISOs / archives that came from the infected PC are the highest‑risk items and should be re‑downloaded from official sources unless you can prove each file is clean. Defender quarantining the DLL + 30/72 VT detections is strong evidence of malware; that DLL could have been used to drop or run other payloads before removal.
Why your WinRAR test doesn’t prove files are “safe”
  • WinRAR’s Test checks the archive integrity (CRC/checksums inside the archive) — it tells you whether the archive is corrupted, not whether files inside are malicious. A clean WinRAR test does NOT mean an archive’s contents are malware‑free. (You still need antivirus scanning / signature checks / hashes for that.)
Risk summary (what’s most likely)
  • High risk: executables, installers, portable apps, game cracks, emulators, bundled launchers, and archives that contain .exe/.msi/.bat/.ps1 — these can be infected and should be treated as suspect.
  • Lower risk: photos, music, plain text, most PDFs (provided they have no active macros or embedded scripts). Still scan them — but they’re less likely to be carriers.
  • ISOs: treat as installers — verify official SHA/GPG signatures. Don’t run or mount unverified ISOs on your main PC.
What to do now — ordered checklist (do these before re‑using or copying files)
1) Stop using the infected PC online and keep Defender’s quarantine entry. Don’t restore the DLL.
2) DO NOT run any EXEs from the external drive. Remove the drive from that PC and keep it offline.
3) Work from a known‑clean PC (or create a rescue USB) to check the external drive. If you don’t have a clean PC, make a rescue USB (Kaspersky Rescue Disk or Bitdefender Rescue) on another machine and boot the infected machine from that USB to scan the external drive (rescue ISOs scan without running Windows). Rescue scans are the safest.
4) Scan the external drive with at least two up‑to‑date engines (example order):
  • Boot rescue ISO → full scan of the external drive.
  • On a clean Windows PC: update Defender and run a targeted scan of the external drive (or use MpCmdRun). Example Defender command (run elevated on a clean machine):
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "E:\"
  • Optionally run ESET Online Scanner / Malwarebytes on the clean PC as a second opinion. Use two engines because they catch different things.
5) For each ISO/installer/portable app/archive on the external drive:
  • If it’s from an official vendor and you can verify a published SHA256/GPG signature, compute the hash and compare. PowerShell command to compute SHA256:
    powershell -Command "Get-FileHash 'E:\path\file.iso' -Algorithm SHA256"
  • If you cannot verify the hash/signature and the file is an installer/executable, DO NOT trust it — re‑download from the official site. This is the cleanest option.
6) For archives containing programs: extract them only on a clean, isolated VM and scan the extracted files before running anything. Prefer re‑downloading installers when possible.
7) For personal media / docs: if rescue/clean scans report no detections, copy those files to a new folder on the clean machine and open a small sample to confirm normal behavior. For Office docs, ensure macros are disabled and convert suspicious docs to PDF before opening.
8) If antivirus finds infections on the external drive: quarantine/delete infected items, then consider reformatting the drive and restoring only the verified clean files. If many items are infected, reformat is the fastest safe option.
Quick commands and tools you can use
  • Compute SHA256 (PowerShell):
    Get-FileHash "E:\path\file.iso" -Algorithm SHA256
  • Defender command‑line scan:
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "E:\"
  • Microsoft Safety Scanner (MSERT) is a one‑off on‑demand scanner (download and run on a clean PC).
  • Autoruns / netstat / scheduled task checks (if you want to verify the infected PC): I can give exact commands and show how to export outputs.
About Kaspersky Free vs Defender and missed detection
  • Free products have good baseline protection (real‑time, behavior detection), but detection is never perfect. Malware can evade one product and be caught by another depending on signatures, heuristics, and cloud ML. The paid tiers add extra features and telemetry but won’t magically prevent every possible variant. In your case Defender’s cloud/ML flagged the DLL and VT showed many engines agreeing, so treat that as a real detection rather than a Kaspersky failure.
Decision rules — what to re‑download vs keep
  • Re‑download (safe route): any .exe/.msi/portable program/launcher/installer/ISO/archives that contain executables or were downloaded from non‑official sources.
  • Keep after verification: photos, music, most PDFs and text documents — but only after scanning on a clean system and, for Office docs, ensuring macros are disabled.
If you want I will:
  • Walk you step‑by‑step to create a Kaspersky/Bitdefender rescue USB and run a scan. (Tell me whether you have access to another clean PC.)
  • Give the exact Defender / MSERT / MpCmdRun commands you should run on a clean PC to scan your external drive, and help interpret the logs.
  • Help you generate hashes and verify a list of ISOs/installers (paste file paths or a short list) and I’ll show which to re‑download.
Bottom line
  • Don’t trust the copies you made of installers/ISOs/portable apps — re‑download those from official sources unless you can verify signatures/checksums.
  • Media and documents are probably OK but scan them from a known‑clean PC (rescue ISO is best). Only after clean scans and verification should you copy them back to other machines.
Tell me:
1) Do you have a separate known‑clean PC available?
2) Which drive letter is the external drive when you plug it into a clean system (so I can give exact MpCmdRun commands)?
3) Do you want step‑by‑step instructions to build a rescue USB (I’ll give exact steps and the small set of commands you need)?
I’ll guide you through whichever next step you choose.
 

All the 250 GB I mentioned are clean; I tested them. The DLL file I mentioned has been on the PC since 2024. I don't know what installed it.
 

Short answer — good news: if you scanned the 250 GB on the external drive with multiple up‑to‑date engines (and you ran deeper checks like rescue ISO scans or ESET online) and they came back clean, you probably do not need to re‑download everything. But because Defender quarantined a Wacatac‑family DLL that lived on the PC since 2024, it’s sensible to do a few targeted verification and forensic checks to be sure nothing else ran or modified files.
What you should know (short)
  • WinRAR “Test” only checks archive integrity (CRC inside the archive) — it does not detect malware inside files. A clean WinRAR test ≠ “no malware”.
  • Defender quarantining the DLL + 30/72 VT detections is strong evidence the DLL was malicious (Wacatac family = downloader/backdoor). That DLL could have been used to fetch other malware, but the DLL being present since 2024 does not automatically mean your copied files were infected. You need to verify them.
Concrete, practical checks to be confident your 250 GB are really safe
1) Scan the external drive from a known‑clean environment (best option)
  • Boot a rescue ISO (Kaspersky Rescue Disk or Bitdefender Rescue) on a clean PC and scan the external drive. Rescue ISOs don’t run Windows and are best for catching stealthy threats. If you already did this and it reported clean, that’s strong evidence.
2) Run 2 different AVs on the external drive from a clean Windows PC
  • Example: Defender + ESET Online Scanner (or Malwarebytes) on a clean machine. Use MpCmdRun to scan the drive if you prefer CLI:
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "E:\"
  • If both show no detections, that’s good.
3) Verify installer/ISO authenticity with hashes (for ISOs/games)
  • For each big installer/ISO: compute SHA‑256 and compare with the publisher’s published checksum (or GPG signature). PowerShell:
    Get-FileHash "E:\path\file.iso" -Algorithm SHA256
4) Treat executables/archives as suspect unless verified
  • If an .exe/.msi/portable app or archive contains executables and you cannot verify its origin/signature, re‑download from the vendor. This is the safest route.
5) Verify compressed archives properly (WinRAR test ≠ malware check)
  • You should both: (a) test archive integrity with WinRAR/7‑Zip, and (b) scan the archive and its extracted contents with an updated AV on a clean machine (or run them inside an isolated VM).
6) Quick forensic checks on the infected PC (to see if files were modified)
  • Check the DLL’s timestamps and properties (when it was created/modified, digital signature) and Defender history to see detection time. Example PowerShell:
    Get-Item "C:\Users\<you>\AppData\Roaming\secure\QtWebKit4.dll" | Select LastWriteTime, CreationTime, LastAccessTime
    Get-AuthenticodeSignature "C:\Users\<you>\AppData\Roaming\secure\QtWebKit4.dll"
  • Export Autoruns and check for persistence pointing to that folder (I can walk you through and interpret the output). Also check Scheduled Tasks and Run keys.
7) Check Windows Event / Defender logs for suspicious activity around the detection time
  • Event logs can show executed processes, service installs, new scheduled tasks or installer activity that indicate something ran and modified files.
Decision guidance — when to re‑download everything
  • Re‑download installers/ISOs/portable apps and any archive that contains executables unless you can:
    a) verify the publisher’s checksum/signature; and
    b) scan the file on a known‑clean machine and see no detections from ≥2 reputable engines (or scanned by a rescue ISO).
  • You don’t need to re‑download plain media (jpg/mp3/pdf) if two clean scans on a clean machine show no detections — but keep them quarantined/isolated until verified.
Next steps I can do with you (pick one)
  • Walk you step‑by‑step to create a rescue USB and scan the external drive.
  • Give exact PowerShell / MpCmdRun commands to scan the drive from a clean machine, and help interpret results.
  • Walk you through the forensic checks (file timestamps, digital signature, Autoruns, scheduled tasks, event log) so we can determine whether that DLL likely executed secondary payloads.
  • Help you generate a short list of ISOs/installers to verify (you paste filenames) and I’ll show which to re‑download vs keep.
Which would you like to do now? If you want me to start forensic checks, paste the output of:
  • The DLL timestamps (use the Get-Item command I gave), and
  • Whether you have access to a known‑clean PC (or want to make a rescue USB).
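As an added example that is not one of the replies in this thread, the PowerShell below puts the checks from the two checklists above into one script: SHA‑256 against a publisher checksum, Authenticode status, Defender's own record of the QtWebKit4.dll detection with the events around it, and persistence entries that still reference the AppData\Roaming\secure folder. It assumes the Defender PowerShell module that ships with Windows 10/11; the manifest rows, the E:\ drive letter and the Run‑key/task checks are assumptions to adapt, with the ISO path and hash being placeholders you fill in from the vendor's site.

```powershell
# Added example for this thread (not one of the replies). Run elevated.
# Part 1 belongs on a known-clean PC with the external drive attached;
# Parts 2-3 belong on the affected PC. The manifest row is a PLACEHOLDER:
# fill Path/ExpectedSha256 from the publisher's published checksum page.
# Requires the built-in Defender module (Get-MpThreatDetection).

# --- Part 1: verify installers/ISOs on the external drive against published hashes
$manifest = @"
Path,ExpectedSha256
E:\ISOs\PLACEHOLDER.iso,0000000000000000000000000000000000000000000000000000000000000000
"@ | ConvertFrom-Csv

function Test-Manifest {
    param([Parameter(Mandatory)] $Entries)
    foreach ($e in $Entries) {
        if (-not (Test-Path -LiteralPath $e.Path)) {
            [pscustomobject]@{ Path = $e.Path; Status = 'MISSING'; Signature = '-' }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $e.Path -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -LiteralPath $e.Path   # ISOs are usually NotSigned
        [pscustomobject]@{
            Path      = $e.Path
            Status    = if ($actual -ieq $e.ExpectedSha256) { 'HASH OK' } else { 'HASH MISMATCH: re-download' }
            Signature = "$($sig.Status) $($sig.SignerCertificate.Subject)"
        }
    }
}
Test-Manifest -Entries $manifest | Format-Table -AutoSize

# --- Part 2: Defender's record of the detection and the events around it
$det = Get-MpThreatDetection |
       Where-Object { $_.Resources -like '*QtWebKit4.dll*' } |
       Sort-Object InitialDetectionTime | Select-Object -First 1
if ($det) {
    "Detected $($det.InitialDetectionTime)  ThreatID $($det.ThreatID)  Process $($det.ProcessName)"
    # Events 1116 (malware detected) and 1117 (action taken) within an hour of the detection
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $det.InitialDetectionTime.AddHours(-1)
        EndTime   = $det.InitialDetectionTime.AddHours(1)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
} else { 'No Defender detection record mentions QtWebKit4.dll' }

# --- Part 3: persistence entries that still reference the folder the DLL lived in
$pattern = [regex]::Escape((Join-Path $env:APPDATA 'secure'))
Get-ScheduledTask | Where-Object {
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $pattern
} | Select-Object TaskName, TaskPath
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $pattern } |
            ForEach-Object { "$key\$($_.Name) -> $($_.Value)" }
    }
}
```

A HASH MISMATCH row means the copy differs from what the vendor published and should be re‑downloaded; a Part 3 hit means something still tries to start from that folder even though the DLL is gone.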
 
