Solved Windows Defender keeps detecting and quarantining Trojan:Win32/Mamson.A!ml

cinematic6436 · Jul 26, 2023

Microsoft Windows
Version 22H2 (OS Build 22621.1992)

Hi everyone. Since 07/24/23, Windows Defender has been dealing with the following problem on what appears to be a minute-by-minute basis.

***

Detected: Trojan:Win32/Mamson.A!ml
Status: Quarantined
Quarantined files are in a restricted area where they can't harm your device. They will be removed automatically.

Date: 7/26/2023 11:51 AM
Details: This program is dangerous and executes commands from an attacker.

Affected items:
amsi: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

***

Windows Defender isn't providing a permanent solution. I tried initiating "Microsoft Defender Antivirus (offline scan)" but after I click "Scan now" expecting a restart, nothing happens.

I ran Microsoft Support Emergency Response Tool overnight and it found four questionable items, none of which appeared to be the trojan in question or related to powershell.exe. I couldn't take detailed notes because my screen suddenly went black and I had to reboot.

I ran a Malwarebytes scan, but it isn't finding anything -- I even signed up for the 14-day premium trial.

Under "Programs and Features," the only item installed on 07/24/2023 was Microsoft Edge WebView2 Runtime. Before that, Microsoft Edge was listed as being installed on 07/22/2023.

I also tried restoring powershell.exe from a backup I made a couple of months ago but the problem persists.

Any help anyone could provide would be greatly appreciated!

SoFine409 · Jul 26, 2023

I assume you've read this. Maybe it will help you.

Trojan:Win32/Mamson.A!ml threat description - Microsoft Security Intelligence

There is additional information here about removal:

Remove Trojan:Win32/Mamson.A!ml (Updated 2023) - SecuredStatus

securedstatus.com

And more information here:

https://malwaretips.com/blogs/trojanwin32-mamson-a-malware-removal-instructions/

cinematic6436 · Jul 26, 2023

SoFine409 said:
I assume you've read this. Maybe it will help you.

Trojan:Win32/Mamson.A!ml threat description - Microsoft Security Intelligence

There is additional information here about removal:

Remove Trojan:Win32/Mamson.A!ml (Updated 2023) - SecuredStatus

securedstatus.com

And more information here:

https://malwaretips.com/blogs/trojanwin32-mamson-a-malware-removal-instructions/

Thanks for the quick response. Yes -- the Microsoft link is where I got the Microsoft Safety Scanner (for some reason the EXE properties say it's the Microsoft Support Emergency Response Tool). I also went to the Secured Status link before posting here.

I'm going through the Malware Tips link right now. I'll post the results soon.

cinematic6436 · Jul 26, 2023

SoFine409 said:
I assume you've read this. Maybe it will help you.

Trojan:Win32/Mamson.A!ml threat description - Microsoft Security Intelligence

There is additional information here about removal:

Remove Trojan:Win32/Mamson.A!ml (Updated 2023) - SecuredStatus

securedstatus.com

And more information here:

https://malwaretips.com/blogs/trojanwin32-mamson-a-malware-removal-instructions/

Update -- I ran these programs both in safe mode and regular (I couldn't use Safe Mode with Networking as suggested because I only have a wifi connection, not ethernet).

Malwarebytes found nothing in either mode.
Hitman Pro found nothing in safe mode and would get hung up around 99% in regular.
Emsisoft Emergency Kit - Wouldn't start in safe mode. Found a few PUPs in regular but not Mamson.A!ml.
AdwCleaner - Found 7 PUPs but not Mamson.A!ml in safe mode. Did a second scan in regular and found nothing.

As a result, as soon as Windows starts, I get a notification that Defender dealt with Mamson.A!ml again, but the Windows Security Protection history now shows it doesn't have to deal with it every minute as it did before. So a big improvement, but I'm still concerned it still has to be dealt with every time Windows starts.

SoFine409 · Jul 28, 2023

cinematic6436 said:
Update -- I ran these programs both in safe mode and regular (I couldn't use Safe Mode with Networking as suggested because I only have a wifi connection, not ethernet).

Malwarebytes found nothing in either mode.
Hitman Pro found nothing in safe mode and would get hung up around 99% in regular.
Emsisoft Emergency Kit - Wouldn't start in safe mode. Found a few PUPs in regular but not Mamson.A!ml.
AdwCleaner - Found 7 PUPs but not Mamson.A!ml in safe mode. Did a second scan in regular and found nothing.

As a result, as soon as Windows starts, I get a notification that Defender dealt with Mamson.A!ml again, but the Windows Security Protection history now shows it doesn't have to deal with it every minute as it did before. So a big improvement, but I'm still concerned it still has to be dealt with every time Windows starts.

Here is a link to an article that will help you delete the quarantined item. This should take care of it once and tor all.

cinematic6436 · Jul 29, 2023

SoFine409 said:
Here is a link to an article that will help you delete the quarantined item. This should take care of it once and tor all.

It appears the link is missing...

csun · Jul 29, 2023

Reset Windows Security app in Windows 11 Tutorial

This tutorial will show you how to reset the Windows Security app for your account or all users in Windows 11. Windows Security is built-in to Windows 11 and includes an antivirus program called Microsoft Defender Antivirus. Your device will be actively protected from the moment you start...

www.elevenforum.com

Since it seems the malware has been eliminated, consider a reset of Windows Defender. If issue persists, would consider a System Restore or Clean Install. But would continue to closely monitor for a period with frequent scans with 3rd party AVs.

Ghot · Jul 29, 2023

cinematic6436 said:
It appears the link is missing...

Might want to try ESET's Online "One Time Scanner"...

Free Virus Scan | Online Virus Scan from ESET

Get a free one-time online virus scan, or a free 30-day trial with unlimited virus scans from ESET. Our online virus scanner will help you identify and remove malware. Stay protected with ESET software.

www.eset.com

flashh4 · Jul 29, 2023

@cinematic6436 ..... lets see if we can find out more about the so called Trojan, this may be a "false positive" from MS !
Could you run these 2 scan's & see if it finds anything ?

Malwarebytes Anti-Rootkit - Scan Only
--------------------
Download Malwarebytes Anti-Rootkit and save it to your Desktop >>> Downloading Malwarebytes Anti-Rootkit
Right click the mbar icon and select Run as administrator
Click OK to install it on your desktop
Click Next on the following screen
On the Update Database: screen click Update to download the latest definition updates then click Next
Click Scan and allow the process to complete
Click the Exit button not Cleanup
A system-log report will be created in the mbar folder placed on your Desktop. Copy and paste the contents in your reply !

=================

RogueKiller

Download the right version of RogueKiller for your Windows version (32 or 64-bit) >>> Free Virus Cleaner | RogueKiller AntiMalware • Adlice Software
* Once done, move the executable file to your Desktop, right-click on it and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
* Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
* Wait for the scan to complete
* On completion, the results will be displayed
* Check every single entry (threat found), and click on the Remove Selected button
* On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
* This will open the report in Notepad. Copy/paste its content in your next reply

cinematic6436 · Jul 30, 2023

Ghot said:
Might want to try ESET's Online "One Time Scanner"...

Free Virus Scan | Online Virus Scan from ESET

Get a free one-time online virus scan, or a free 30-day trial with unlimited virus scans from ESET. Our online virus scanner will help you identify and remove malware. Stay protected with ESET software.

www.eset.com

It's been running for about 12 hours now, but seems to be going quite slowly -- only about 163,000+ items have been scanned.

cinematic6436 · Jul 30, 2023

csun said:
Reset Windows Security app in Windows 11 Tutorial

This tutorial will show you how to reset the Windows Security app for your account or all users in Windows 11. Windows Security is built-in to Windows 11 and includes an antivirus program called Microsoft Defender Antivirus. Your device will be actively protected from the moment you start...

www.elevenforum.com

Since it seems the malware has been eliminated, consider a reset of Windows Defender. If issue persists, would consider a System Restore or Clean Install. But would continue to closely monitor for a period with frequent scans with 3rd party AVs.

The malware went from being detected every minute to being detected only when Windows 11 starts to not being detected at all -- the last instance in the protection history is 07/26/2023 at 4:25 PM.

I tried resetting Windows Defender but selecting the offline scan still doesn't work -- I click "Scan now" and still nothing happens, no restart or subsequent scan. I think I'm just going to live with it. The malware seems to be history and I'd hate to reset & have to reinstall everything.

Still, I'll install an additional AV just to be safe.

cinematic6436 · Jul 30, 2023

flashh4 said:
@cinematic6436 ..... lets see if we can find out more about the so called Trojan, this may be a "false positive" from MS !
Could you run these 2 scan's & see if it finds anything ?

Malwarebytes Anti-Rootkit - Scan Only
--------------------
Download Malwarebytes Anti-Rootkit and save it to your Desktop >>> Downloading Malwarebytes Anti-Rootkit
Right click the mbar icon and select Run as administrator
Click OK to install it on your desktop
Click Next on the following screen
On the Update Database: screen click Update to download the latest definition updates then click Next
Click Scan and allow the process to complete
Click the Exit button not Cleanup
A system-log report will be created in the mbar folder placed on your Desktop. Copy and paste the contents in your reply !

=================

RogueKiller

Download the right version of RogueKiller for your Windows version (32 or 64-bit) >>> Free Virus Cleaner | RogueKiller AntiMalware • Adlice Software
* Once done, move the executable file to your Desktop, right-click on it and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
* Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
* Wait for the scan to complete
* On completion, the results will be displayed
* Check every single entry (threat found), and click on the Remove Selected button
* On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
* This will open the report in Notepad. Copy/paste its content in your next reply

Just finished the scan -- "No malware found!"

flashh4 · Jul 30, 2023

@cinematic6436 ....... this program will delete/remove the programs you used in the cleaning & their logs !

Please download KpRm by Kernel-panik and save to your Desktop. >>> KpRm

* Click on KpRm.exe to run the tool.
* Vista/Windows 7/8/10 users right-click and select Run As Administrator.

* Put a check mark next to these items:
- Delete tools
- Delete now

* Click the "Run" button.
When the tool has finished, it will create and open a log report and delete itself.

cinematic6436 · Jul 30, 2023

flashh4 said:
@cinematic6436 ....... this program will delete/remove the programs you used in the cleaning & their logs ! If it was me i would remove/disable Defender & re-start it !

Please download KpRm by Kernel-panik and save to your Desktop. >>> KpRm

* Click on KpRm.exe to run the tool.
* Vista/Windows 7/8/10 users right-click and select Run As Administrator.

* Put a check mark next to these items:
- Delete tools
- Delete now

* Click the "Run" button.
When the tool has finished, it will create and open a log report and delete itself.

Thanks for the suggestion. Will KpRm remove Defender & restart it? I clicked the link and didn't see it in the list of programs...

flashh4 · Jul 30, 2023

@cinematic6436 ........... no it will not remove/disable Windows Defender, just the programs we used in the cleaning/scans !
Try this link >>> to clear what defender found .............. 4 Ways to Clear the Microsoft Defender Protection History on Windows 10 & 11

flashh4 · Jul 31, 2023

You can not remove Windows Defender but you can disable or hide it, it's best to download another program, virus protection and/or with a fire wall for protection !