Suspicious Windows Defender Scan

Very suspicious Windows Defender Scan.

I sent my Lenovo Desktop in for repair to Lenovo's Depot in Louisville, KY via FedEx.
I shipped it from Gunnison, CO on Tuesday, January 30th.
It was received in Louisville, KY on Friday, February 2nd stating it was on the vehicle for delivery.
It was received by Lenovo on Monday, February 5th.

This is where it gets strange. I received my computer back from Lenovo Monday, February 12th. Last night I was reviewing a Windows Defender scan and see it had quarantined Trojan:Win32/Fuerboos.B!cl 3 times on February 2nd. My computer should have been in a box with no electricity. How would Windows Defender be able to run a scan? The same Trojan was detected and quarantined on February 12th, the day I reconnected it in my office.

WD Security Scan
Does anyone have any explanation for this?
Thanks,
Mags
Mags, Owner, Asked:

William Fulks, Systems Analyst & Webmaster, Commented:
Looks to me like the infection has not been fully removed. Defender is only getting part of it, but some other process or service is restoring it. You may want to download Malwarebytes and do a full scan with it to make sure, since that Trojan is described as a type of malware.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Fuerboos.C!cl
0
Mags, Owner, Author Commented:
Thank you William. I understand that the Trojan was not fully removed but my question is:

How did Windows Defender run a scan on my computer when it should have been in a box with no electricity? How would Windows Defender be able to run a scan?
0
ste5an, Senior Developer, Commented:
Powering down a laptop is nowadays pretty hard. Many don't really power down; they only go to a deeper sleep state and wake up, for example, for such management tasks.
0
dfke Commented:
Hi,

It shouldn't be able to. Like you said, it should have been powered down while in the box, but it probably wasn't.

Cheers.
0
McKnife Commented:
Agree with ste5an.
Find out how Defender scans work. Are they able to wake the computer, or not?
Find out if the computer was turned on - the system event log (command: eventvwr) will help.
0
Mags, Owner, Author Commented:
Since this was a Desktop and not a laptop with a battery, how could it power or wake up?
0
McKnife Commented:
Then, it couldn't. Still: look at eventvwr.
0
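
The event log check suggested above, written out as a script; this is an added example and not part of the original thread. It merges the System log's power-state events with Windows Defender's scan and detection events into one timeline, so a detection timestamp can be checked against a period when the machine was actually running. The date window is an assumption taken from the dates in the question; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): timeline of power and Defender events.
# Assumption: the window below covers the shipping dates given in the question.
$start = Get-Date '2018-01-30'
$end   = Get-Date '2018-02-13'

# Provider/EventID pairs worth showing, with a short label for each.
$labels = @{
    'Microsoft-Windows-Kernel-General/12'      = 'OS started'
    'Microsoft-Windows-Kernel-General/13'      = 'OS shutting down'
    'EventLog/6005'                            = 'Event Log service started (boot)'
    'EventLog/6006'                            = 'Event Log service stopped (clean shutdown)'
    'EventLog/6008'                            = 'Previous shutdown was unexpected'
    'Microsoft-Windows-Kernel-Power/41'        = 'Rebooted without clean shutdown'
    'Microsoft-Windows-Kernel-Power/42'        = 'Entering sleep'
    'Microsoft-Windows-Power-Troubleshooter/1' = 'Resumed from sleep'
    'User32/1074'                              = 'Shutdown/restart requested'
    'Microsoft-Windows-Windows Defender/1000'  = 'Defender scan started'
    'Microsoft-Windows-Windows Defender/1001'  = 'Defender scan finished'
    'Microsoft-Windows-Windows Defender/1116'  = 'Defender detected malware'
    'Microsoft-Windows-Windows Defender/1117'  = 'Defender took action on malware'
}

# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$system = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-General', 'EventLog',
                   'Microsoft-Windows-Kernel-Power',
                   'Microsoft-Windows-Power-Troubleshooter', 'User32'
    StartTime    = $start
    EndTime      = $end
} -ErrorAction SilentlyContinue

$defender = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001, 1116, 1117
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

# Keep only the labelled pairs (the providers also log unrelated IDs),
# then print oldest first so boots and detections line up in order.
@($system) + @($defender) |
    Where-Object { $labels.ContainsKey("$($_.ProviderName)/$($_.Id)") } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated,
        @{ n = 'Event';  e = { $labels["$($_.ProviderName)/$($_.Id)"] } },
        @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

An empty result for a given day only shows that the log holds no events for it; logs roll over once they reach their size limit.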
Mags, Owner, Author Commented:
McKnife I am in the eventvwr...what do I look for?
0
Dmitri Farafontov, Linux Systems Admin, Commented:
0
Mags, Owner, Author Commented:
OMG someone was on my computer associated with FedEx - see log

Turn-on-log.txt
0
McKnife Commented:
That's why people encrypt their computers.
0
Dmitri Farafontov, Linux Systems Admin, Commented:
So what's the big deal? Honestly though you will never find out beyond a reasonable doubt what happened on those days.
0
Mags, Owner, Author Commented:
I tried encrypting my folders/files but it was too difficult with the program I was trying to use. I did take off access to any sensitive information, signed out of OneDrive, removed my remote apps and had my password program logged out of...I hope that was enough!

McKnife - do you have an encryption program you could recommend...I may have to send it back.
0
Mags, Owner, Author Commented:
Dmitri the BIG DEAL is that no one should have been on my computer on February 2nd...it was supposed to be on a FedEx truck. Plus it contracted a Trojan!!!!!!!!!!!!!!!!!!!!!!!!!!!
0
Dmitri Farafontov, Linux Systems Admin, Commented:
Windows BitLocker comes to mind if your OS is at least Professional. TrueCrypt also would allow you to do hidden containers. I understand you are frustrated with what had happened; however, there is not much you can really do now.
0
Mags, Owner, Author Commented:
Thanks Dmitri...I have used TrueCrypt in the past. I will use that if I need to send my computer back to Lenovo.

I am on the phone with FedEx now to alert them to the situation...this is not acceptable!
0
McKnife Commented:
@Mags, will these recipients need to be able to boot your machine for whatever they need to do with it?
0
Mags, Owner, Author Commented:
OK...just got off the phone with FedEx...tracking showed it was delivered to Lenovo on Monday the 5th but their records showed 2 delivery dates, the 2nd and the 5th. I double checked my Lenovo records and they indeed repaired it on the 2nd. Phew...at least I know that FedEx didn't turn on my computer.

Any chance I got the Trojan from Lenovo, or may it have already been on my machine even though scans didn't pick it up until the 2nd?
0
Dmitri Farafontov, Linux Systems Admin, Commented:
There is no 100% surefire way to have this confirmed.
0
McKnife Commented:
Win defender is updated constantly. So it could very well be that it did not recognize the virus before, but it was already there.
0
Mags, Owner, Author Commented:
Thank you for your help.
Mags
0
Mags, Owner, Author Commented:
I appreciate your help this morning and am thankful that my computer was not accessed by an unauthorized user.

My only frustrations were that my question was not thoroughly read before answering and Dmitri's comment, "So what's the big deal?". It is a BIG DEAL if a computer is thought to have had unauthorized access. Thankfully it had not.

Thank you for the new tools - using event viewer and the app - TurnOn Times View.

'Til later!
Mags
0
Windows 10

Question has a verified solution.