Astrowiz

Members
Posts: 6
Reputation: 0 Neutral
  1. Ran the Uninstall with the support tool you provided. Post reboot it installed the latest version. I ran a new scan and there were 0 detections. Log file attached. 8-10-2020 scan.txt
  2. One additional note, I referenced the links you supplied regarding the Mirai botnet and it appears to be associated with Linux and IoT devices using the Linux kernel. Did I miss one that said it could impact Windows OS as well? Thx again!
  3. Thank you for getting back to me. This was a new install of Malwarebytes on the workstation, and the RTP alerts after the install are what triggered this thread.

     You wrote: "Kaspersky also blocks this IP - Why or what is calling this IP we'd need to do some more research to see. We can probably use TCPVIEW from Microsoft for that" -- I installed TCPView and monitored most of today. That IP never came up in the monitor. It appears to only make contact to "x.x.175.96 bacloud.com" when a user logs in.

     Is there a way I can identify what tasks are being referenced below? Did a quick search of the registry and only found two entries (screenshots submitted). I can't tell what task this is referencing.

     "C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" was unlocked. <==== ATTENTION (tasks should not normally be locked)
     "C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" was unlocked. <==== ATTENTION (tasks should not normally be locked)

     -- I am reviewing the Task Scheduler items to see which ones are configured to trigger at logon.

     S3 NAVENG; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20171006.017\NAVENG.SYS [X]
     S3 NAVEX15; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20171006.017\NAVEX15.SYS [X]

     -- These are left over from an old installation of Symantec and will need to be cleaned off. The Webroot installation is new, so it is odd that it would reference old drivers.

     "C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot" could not be unlocked. <==== ATTENTION

     I use a 3rd-party patch management program and the service is currently set to Manual. Is it possible the patch management program has something to do with this entry?

     Thanks again for all your valued insight.

     The way this is looking, I will most likely wipe the workstation and start with a fresh install, since we can't identify what is making that call out with "wermgpd and wermreport", unless you have additional ideas on how to locate the source.
  4. Malwarebytes full system scans are coming up clean for workstations and servers on this network, but when a user logs in the RTP is popping up a Trojan block referencing "wermreport.exe" and "wermgpd.exe". When we browse to C:\Windows\System32, wermgpd.exe and wermreport.exe don't exist. I have attached FRST, Addition and RTP logs.

     -Log Details-
     Protection Event Date: 8/4/20
     Protection Event Time: 1:32 PM
     Log File: 6774a778-d678-11ea-a844-509a4c1b0b20.json
     -Software Information-
     Version: 4.1.2.73
     Components Version: 1.0.990
     Update Package Version: 1.0.27939
     -System Information-
     OS: Windows 10 (Build 15063.1418)
     CPU: x64
     File System: NTFS
     User: System
     -Blocked Website Details-
     Malicious Website: 1 , C:\Windows\System32\wermreport.exe, Blocked, -1, -1, 0.0.0
     -Website Data-
     Category: Trojan
     Domain:
     IP Address: 88.119.175.96
     Port: 443
     Type: Outbound
     File: C:\Windows\System32\wermreport.exe

     -Log Details-
     Protection Event Date: 8/4/20
     Protection Event Time: 10:55 AM
     Log File: 8700f2a6-d662-11ea-8255-000c29d22054.json
     -Software Information-
     Version: 4.1.2.73
     Components Version: 1.0.990
     Update Package Version: 1.0.27937
     -System Information-
     OS: Windows Server 2012 R2
     CPU: x64
     File System: NTFS
     User: System
     -Blocked Website Details-
     Malicious Website: 1 , C:\Windows\System32\wermgpd.exe, Blocked, -1, -1, 0.0.0
     -Website Data-
     Category: Trojan
     Domain:
     IP Address: 88.119.175.96
     Port: 443
     Type: Outbound
     File: C:\Windows\System32\wermgpd.exe

     Any insight on removal is greatly appreciated. Addition.txt FRST.txt Malwarebytes-Workstation.txt MalwarebytesLog-Server.txt
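The three questions the posts above leave open (which scheduled task a GUID-named task file belongs to and which tasks fire at logon, which process owns a connection to the flagged address that a TCPView watch keeps missing, and whether the executables named in the RTP alert are really absent from System32) can all be answered from an elevated PowerShell session. The script below is an added example written for this thread; it is not the poster's code and not a Malwarebytes or Farbar tool. It assumes Windows 10 / Server 2012 R2 or later with the built-in ScheduledTasks and NetTCPIP modules and a 64-bit elevated shell; the function names are mine, and the IP address, task paths and file names are the ones quoted in the thread.

```powershell
# Added example for this thread (not from the poster, Malwarebytes or FRST).
# Assumes: Windows 10 / Server 2012 R2+, elevated 64-bit PowerShell,
# built-in ScheduledTasks and NetTCPIP modules. Function names are illustrative.

# 1. FRST reports a task by its file under C:\Windows\System32\Tasks. Task Scheduler
#    indexes the same task by folder (TaskPath) plus name, so split the path and look it up.
function Resolve-TaskFile {
    param([Parameter(Mandatory)][string]$TaskFilePath)
    $rel      = $TaskFilePath -replace '^.*\\System32\\Tasks', ''   # \Microsoft\Windows\GroupPolicy\{GUID}
    $taskPath = (Split-Path $rel -Parent).TrimEnd('\') + '\'
    $taskName = Split-Path $rel -Leaf
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    if (-not $task) {
        # A task file with no registered task behind it is itself worth recording.
        return [pscustomobject]@{ File = $TaskFilePath; Registered = $false; State = ''; Triggers = ''; Actions = '' }
    }
    [pscustomobject]@{
        File       = $TaskFilePath
        Registered = $true
        State      = $task.State
        Triggers   = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ', '
        Actions    = ($task.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
    }
}

# 2. Every registered task with a logon trigger and what it runs. A connection that only
#    appears at logon usually comes from a logon-triggered task, a Run key or a startup folder.
function Get-LogonTriggeredTask {
    Get-ScheduledTask | Where-Object {
        @($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
    } | ForEach-Object {
        [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            State   = $_.State
            Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        }
    }
}

# 3. TCPView shows snapshots, so a connection that lives for a second at logon is easy to miss.
#    Poll the TCP table and record the owning process whenever the flagged address appears.
function Watch-RemoteAddress {
    param(
        [string]$RemoteAddress = '88.119.175.96',   # address from the RTP log in this thread
        [int]$Seconds = 120
    )
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Time    = Get-Date -Format 'HH:mm:ss'
                State   = $_.State
                Port    = $_.RemotePort
                ProcId  = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
        Start-Sleep -Milliseconds 500
    }
}

# 4. The alert names files under System32 that Explorer does not show. Check the native and
#    WOW64 system directories with -Force, which also lists hidden and system-attributed files.
function Test-AlertedFile {
    param([string[]]$Names = @('wermgpd.exe', 'wermreport.exe'))   # names from the RTP log
    foreach ($name in $Names) {
        foreach ($dir in @("$env:windir\System32", "$env:windir\SysWOW64")) {
            $full = Join-Path $dir $name
            $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
            $attr = if ($item) { $item.Attributes.ToString() } else { '' }
            [pscustomobject]@{ Path = $full; Exists = [bool]$item; Attributes = $attr }
        }
    }
}

# Usage, tied to the entries quoted in the thread:
Resolve-TaskFile 'C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}'
Get-LogonTriggeredTask | Format-Table -AutoSize
Test-AlertedFile | Format-Table -AutoSize
Watch-RemoteAddress -Seconds 60   # start this, then log a user on at the console
```

Run `Watch-RemoteAddress` from a session that stays open across the logon (an RDP or console session for a second account, or a scheduled job), because the connection in the alert is made at logon and is gone by the time TCPView is opened by hand. If `Test-AlertedFile` reports the files as absent in both directories while the alert still names them, the path in the alert is the name the process reported for itself rather than a file that exists on disk, which is a useful thing to tell the responder on the thread.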