Astrowiz

Posts posted by Astrowiz

  1. Thank you for getting back to me. This was a new install of Malwarebytes on the workstation, and the RTP alerts after the install are what triggered this thread.

    *******

    You wrote:  "Kaspersky also blocks this IP - Why or what is calling this IP we'd need to do some more research to see. We can probably use TCPVIEW from Microsoft for that"  

    -- I installed TCPView and monitored most of today.  That IP never came up in the monitor.  It appears to only make contact to "x.x.175.96 bacloud.com" when a user logs in.  

    ********

    Is there a way I can identify what tasks are being referenced below? I did a quick search of the registry and only found two entries (screenshots submitted). I can't tell what Task this is referencing.

    "C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" was unlocked. <==== ATTENTION (tasks should not normally be locked)

    "C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" was unlocked. <==== ATTENTION (tasks should not normally be locked)

    -- I am reviewing the Task Scheduler items to see which ones are configured to trigger at logon.

    ******

    S3 NAVENG; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20171006.017\NAVENG.SYS [X]
    S3 NAVEX15; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20171006.017\NAVEX15.SYS [X]

    -- These are left over from an old installation of Symantec and will need to be cleaned off. The Webroot installation is new, so it is odd that it would reference old drivers.

    *******

    "C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot" could not be unlocked. <==== ATTENTION

    I use a 3rd party patch management program and the service is currently set to Manual.  Is it possible the patch management program has something to do with this entry?

    ********

    Thanks again for all your valued insight.  The way this is looking, I will most likely wipe the workstation and start with a fresh install since we can't identify what is making that call out with "wermgpd and wermreport" unless you have additional ideas on how to locate the source.

    Reg1.jpg

    Reg2.jpg

  2. Malwarebytes full system scans are coming up clean for workstations and servers on this network, but when a user logs in, the RTP is popping up a Trojan block referencing "wermreport.exe" and "wermgpd.exe". When we browse to C:\Windows\System32, wermgpd.exe and wermreport.exe don't exist. I have attached FRST, Addition and RTP logs.

    -Log Details-
    Protection Event Date: 8/4/20
    Protection Event Time: 1:32 PM
    Log File: 6774a778-d678-11ea-a844-509a4c1b0b20.json

    -Software Information-
    Version: 4.1.2.73
    Components Version: 1.0.990
    Update Package Version: 1.0.27939

    -System Information-
    OS: Windows 10 (Build 15063.1418)
    CPU: x64
    File System: NTFS
    User: System

    -Blocked Website Details-
    Malicious Website: 1
    , C:\Windows\System32\wermreport.exe, Blocked, -1, -1, 0.0.0

    -Website Data-
    Category: Trojan
    Domain: 
    IP Address: 88.119.175.96
    Port: 443
    Type: Outbound
    File: C:\Windows\System32\wermreport.exe


    -Log Details-
    Protection Event Date: 8/4/20
    Protection Event Time: 10:55 AM
    Log File: 8700f2a6-d662-11ea-8255-000c29d22054.json

    -Software Information-
    Version: 4.1.2.73
    Components Version: 1.0.990
    Update Package Version: 1.0.27937

    -System Information-
    OS: Windows Server 2012 R2
    CPU: x64
    File System: NTFS
    User: System

    -Blocked Website Details-
    Malicious Website: 1
    , C:\Windows\System32\wermgpd.exe, Blocked, -1, -1, 0.0.0

    -Website Data-
    Category: Trojan
    Domain: 
    IP Address: 88.119.175.96
    Port: 443
    Type: Outbound
    File: C:\Windows\System32\wermgpd.exe

    Any insight on removal is greatly appreciated.

    Addition.txt FRST.txt Malwarebytes-Workstation.txt MalwarebytesLog-Server.txt
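A defender-side check for the two questions in these posts: which registered tasks the GUID-named entries under the GroupPolicy folder are, and which logon-triggered tasks point at an executable such as wermreport.exe or wermgpd.exe that is not on disk. This is an added example, not code from the thread or from Malwarebytes; the $suspectNames list and the output filter are assumptions about what is worth looking at.

```powershell
# Added example, not from the thread: list scheduled tasks and flag the ones that
# run at logon, whose executable is missing from disk, or whose command matches
# the names in the RTP alerts. Needs the ScheduledTasks module (Windows 8 /
# Server 2012 and later) and an elevated prompt so every task is listed.

# Assumption: these are the names worth matching; extend as needed.
$suspectNames = @('wermreport.exe', 'wermgpd.exe')

function Resolve-TaskCommand {
    param([string]$Command)
    # Expand %SystemRoot%-style variables and strip surrounding quotes.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim('"')
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        # A bare name is resolved through PATH, as the scheduler would do it.
        $cmd = Get-Command $expanded -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd -and $cmd.Source) { return $cmd.Source }
    }
    return $expanded
}

$results = foreach ($task in Get-ScheduledTask) {
    $atLogon = @($task.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
    $execActions = @($task.Actions | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskExecAction' -and $_.Execute })
    foreach ($action in $execActions) {
        $exe  = Resolve-TaskCommand $action.Execute
        $leaf = ($exe -split '[\\/]')[-1].ToLower()
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName   # same path as the file under System32\Tasks
            Author    = $task.Author
            AtLogon   = $atLogon
            Exists    = Test-Path -LiteralPath $exe -PathType Leaf
            Suspect   = $suspectNames -contains $leaf
            Command   = $exe
            Arguments = $action.Arguments
        }
    }
}

# Only the entries an investigator needs to look at.
$results | Where-Object { $_.AtLogon -or $_.Suspect -or -not $_.Exists } |
    Sort-Object Task | Format-Table Task, Author, AtLogon, Exists, Suspect, Command, Arguments -AutoSize

# The GUID-named files under ...\Tasks\Microsoft\Windows\GroupPolicy are the tasks
# registered in that folder; export their XML to see who created them and what they run.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\GroupPolicy\' -ErrorAction SilentlyContinue |
    Export-ScheduledTask
```

A task whose command resolves to a missing file, or whose Author is not a known product or administrator, is the one to compare against the RTP alert times before deciding on a rebuild.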
