
MisslinkQn
Posted

I got a notification around 2:55 pm today (20 Nov 2024) from Kaspersky saying "malicious object detected: HEUR:Trojan.Multi.Misslink.a".

I clicked on it too quickly and was not able to check what the detected item actually was, to diagnose where it came from.

Here are the 3 logs for disinfection:

Quote

    Event: Malicious object detected
    User: DESKTOP-733BC02\TRN
    User type: Active user
    Component: Virus Scan
    Result: Detected
    Result description: Detected
    Type: Trojan
    Name: HEUR:Trojan.Multi.Misslink.a
    Precision: Exactly
    Threat level: High
    Object type: File
    Object name: Run:Steam
    Object path: reg:\HKU\S-1-5-21-2532791771-2465090974-211415688-1000\Software\Microsoft\Windows\CurrentVersion
    Reason: Expert analysis
    Databases release date: Today, 20/11/2024 1:03:00 pm

Quote

    Event: Object disinfected
    User: DESKTOP-733BC02\TRN
    User type: Active user
    Component: Virus Scan
    Result: Disinfected
    Result description: Disinfected
    Type: Trojan
    Name: HEUR:Trojan.Multi.Misslink.a
    Precision: Exactly
    Threat level: High
    Object type: File
    Object name: Run:Steam
    Object path: reg:\HKU\S-1-5-21-2532791771-2465090974-211415688-1000\Software\Microsoft\Windows\CurrentVersion

Quote

    Event: Task completed
    Application name: avp.exe
    Application path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.19
    User: DESKTOP-733BC02\TRN
    User type: Active user
    Component: Virus Scan
    Result: Task completed

How or what can I check or use to determine the source of this registry key that was so threatening? I want to know what malicious launch activity it was doing while disguising itself with Run:Steam.
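As an added example (not code from the thread or from Kaspersky): "Object name: Run:Steam" under that "Object path" reads as Kaspersky's way of pointing at a value named Steam in the user's HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run key, i.e. an autostart entry. The script below enumerates the per-user and machine-wide Run/RunOnce values, resolves the executable each one launches, and reports whether it exists, who signed it and its SHA-256, which is what you need to tell a real Steam autostart entry from something hiding behind the name. The SID is the one in the OP's log, the expected Valve signer and the list of script hosts are assumptions.

```powershell
# Added example, not from the thread or from Kaspersky: list the autostart values
# that "Run:Steam" refers to and resolve where each one actually points.
$Sid = 'S-1-5-21-2532791771-2465090974-211415688-1000'   # SID from the OP's log; "whoami /user" shows yours

# PowerShell only maps HKLM: and HKCU: by default; HKU: has to be added.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Per-user and machine-wide Run/RunOnce keys (the usual autostart locations).
$RunKeys = @(
    "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable out of a Run command line: either a "quoted path" followed
# by arguments, or an unquoted first token ending in .exe.
function Get-RunExecutable {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $null
}

# One record per Run value: the raw command, the binary it resolves to, and
# whether that binary exists, is signed, and by whom.
function Get-RunValueReport {
    foreach ($keyPath in $RunKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $raw    = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $exe    = Get-RunExecutable $raw
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $signer = $null; $status = $null; $hash = $null
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $exe
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Key        = $keyPath
                Name       = $name
                Command    = $raw
                Executable = $exe
                Exists     = $exists
                Signer     = $signer
                SigStatus  = $status
                SHA256     = $hash
            }
        }
    }
}

# What to look for (assumption about the expected signer, check it against your
# own Steam install): a genuine "Steam" entry launches steam.exe from the Steam
# install directory with a Valid signature from Valve. A value named "Steam"
# whose Executable lives elsewhere, is NotSigned, no longer exists, or is a
# script host (powershell.exe, wscript.exe, mshta.exe, rundll32.exe) is the suspect.
Get-RunValueReport | Format-List
```

Run it as the user whose SID appears in the log (reading another user's HKU hive needs an elevated prompt). Because Kaspersky has already removed the value, the "Steam" entry will usually be gone by the time you run this; the report then shows what is left and whether a legitimate Steam autostart entry has been re-created since, which is itself a useful data point.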

Berny
Posted

@MisslinkQn Welcome

Quote

 Object path: reg:\HKU\S-1-5-21-2532791771-2465090974-211415688-1000\Software\Microsoft\Windows\CurrentVersion

Hard to tell 🤔, I found ↓ this ↓, which is related to [SearchForm.ComboBoxKey]

[Image: HEUR_Trojan_Multi_Misslink_a.jpg]

MisslinkQn
Posted (edited)
On 11/20/2024 at 6:03 PM, Berny said:

@MisslinkQn Welcome

Hard to tell 🤔, I found ↓ this ↓, which is related to [SearchForm.ComboBoxKey]

[Image: HEUR_Trojan_Multi_Misslink_a.jpg]

Apologies, but I'm not really familiar with registry specifics, so I'm not sure what this means?

How would I use this to dig deeper/further?

Edited by MisslinkQn
Berny
Posted

@MisslinkQn

During installation, applications create registry keys. In your case, locating the malicious object related to a Reg Key after a Kaspersky detection and disinfection is not possible.

[Image: k_kaspersky_register.jpg]

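Berny's point above is that the removed value itself cannot be pulled back out of the registry. Two traces do survive a disinfection, and this added example (not code from the thread or from Kaspersky) collects both: the last-write timestamp of the Run key, which the registry keeps per key (not per value) and which PowerShell does not expose, so RegQueryInfoKeyW is called directly; and Sysmon Event ID 13 ("RegistryEvent (Value Set)"), which records the process that wrote the value. The Sysmon part assumes Sysmon is installed with a configuration that logs writes under ...\CurrentVersion\Run; the SID and value name are taken from the OP's log.

```powershell
# Added example, not from the thread or from Kaspersky: evidence that remains
# after the offending Run value has been removed.
$Sid       = 'S-1-5-21-2532791771-2465090974-211415688-1000'   # SID from the OP's log
$ValueName = 'Steam'                                            # value name from the OP's log

# RegQueryInfoKeyW returns the key's last-write FILETIME, which .NET's
# RegistryKey class does not surface.
$native = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;
public static class RegInfo {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int RegQueryInfoKeyW(
        SafeRegistryHandle hKey, StringBuilder lpClass, ref uint lpcchClass, IntPtr lpReserved,
        out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen, out uint lpcValues,
        out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen, out uint lpcbSecurityDescriptor,
        out long lpftLastWriteTime);
}
'@
if (-not ('RegInfo' -as [type])) { Add-Type -TypeDefinition $native }

# Last write time of a key below HKEY_USERS, e.g. "<SID>\Software\...\Run".
function Get-RegKeyLastWrite {
    param([string]$SubKeyUnderHKU)
    $hku = [Microsoft.Win32.RegistryKey]::OpenBaseKey('Users', 'Default')
    $key = $hku.OpenSubKey($SubKeyUnderHKU, $false)
    if (-not $key) { $hku.Close(); return $null }
    try {
        $cch = [uint32]0
        $a = [uint32]0; $b = [uint32]0; $c = [uint32]0; $d = [uint32]0
        $e = [uint32]0; $f = [uint32]0; $g = [uint32]0; $ft = [long]0
        $rc = [RegInfo]::RegQueryInfoKeyW($key.Handle, $null, [ref]$cch, [IntPtr]::Zero,
                [ref]$a, [ref]$b, [ref]$c, [ref]$d, [ref]$e, [ref]$f, [ref]$g, [ref]$ft)
        if ($rc -ne 0) { throw "RegQueryInfoKeyW failed with Win32 error $rc" }
        [DateTime]::FromFileTimeUtc($ft).ToLocalTime()
    } finally {
        $key.Close(); $hku.Close()
    }
}

# Sysmon Event ID 13 entries whose TargetObject contains $Pattern, with the
# writing process (Image) and the data that was written (Details).
function Get-RunValueWriters {
    param([string]$Pattern)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } `
                           -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        if ($data['TargetObject'] -like "*$Pattern*") {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Process = $data['Image']
                PID     = $data['ProcessId']
                Target  = $data['TargetObject']
                Details = $data['Details']
            }
        }
    }
}

$runSubKey = "$Sid\Software\Microsoft\Windows\CurrentVersion\Run"
"Run key last written: $(Get-RegKeyLastWrite $runSubKey)"
Get-RunValueWriters -Pattern "CurrentVersion\Run\$ValueName" | Format-Table -AutoSize
```

Read the timestamp with care: deleting a value also updates the key's last-write time, so after a disinfection it usually shows when Kaspersky removed the value, not when the value was planted; it only bounds the window. The Sysmon query is what names the writer: the Image column is the process that set "Run\Steam" and Details is the command line it stored, which answers the question of what the entry was launching. If Sysmon was not installed at the time, the query returns nothing and that evidence simply does not exist.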
MisslinkQn
Posted
On 11/22/2024 at 6:10 PM, Berny said:

@MisslinkQn

During installation, applications create registry keys. In your case, locating the malicious object related to a Reg Key after a Kaspersky detection and disinfection is not possible.

[Image: k_kaspersky_register.jpg]

I am just trying to figure out if it was a false positive, or if something that I had recently installed had genuinely created a malicious entry.

Kaspersky has been known to false-flag many of my code-caved client/exe files in the past; I am trying to determine whether I experienced a genuine intrusion or not.

MisslinkQn
Posted
On 11/24/2024 at 1:33 AM, Berny said:

@MisslinkQn

You have to submit one of your codes in the past?

Sorry, what do you mean?

Berny
Posted

@MisslinkQn  Hi

No 'sorry' of course ... ↓ I was referring to ↓

On 11/23/2024 at 2:00 PM, MisslinkQn said:

Kaspersky has been known to false-flag many of my code-caved client/exe files in the past

If the detection from the 'registry object path' is related to your code,
then you could eventually submit a potentially related exe object from the past 🤔?

MisslinkQn
Posted (edited)
On 11/27/2024 at 11:43 PM, Berny said:

@MisslinkQn  Hi

No 'sorry' of course ... ↓ I was referring to ↓

If the detection from the 'registry object path' is related to your code,
then you could eventually submit a potentially related exe object from the past 🤔?

That's a separate issue, please stop conflating them.
A past false detection is not a confirmation that the incident this topic concerns is also a false detection. I need to identify the cause for this false detection.

Edited by MisslinkQn
MisslinkQn
Posted (edited)

Oh my god I think I'm going insane, I didn't mean to say "I need to identify the cause for this false detection"

I wanted to say "I need to identify the cause for the detection I posted in the OP"

I'm sorry, I'm really tired.

Edited by MisslinkQn
