Pochatok Posted January 4, 2021

Hi! I haven't been able to find any relevant articles on my issue online, so I'll try my luck here. Thank you if you are reading this!

Lately, my (Windows 10) Windows Security has been continuously detecting this, a few times per day:

Trojan:Win32/Wacatac.B!ml

with the location of

E:\y-Progs64\Pass-Key\XP-Key-Reader.exe

I have removed the malware multiple times, but it keeps coming back. Today, I installed Malwarebytes to help me get rid of the virus, but it has failed to detect it (although it found other issues).

Here's the plot twist: I have no E:/ in my system right now. Last time I used a flash drive was past Friday, and since around then the malware has been reappearing.

Is this a glitch, and if not, then should I take care of it the usual way, by following one of the instructions to remove Wacatac I see online?

Thank you very much for your time!

Maurice Naggar Posted January 4, 2021

Hi. It appears as if the Microsoft Defender antivirus is notifying you about an undealt-with item it tagged sometime in the past. At times, clearing an old entry out of the scan history of Microsoft Defender can be a challenge.

The more important point is whether Microsoft Defender is flagging an actual current threat.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please select "Full" scan. Let me know the result of this.

The log is named MSERT.log. The log will be at C:\Windows\debug\msert.log

Please attach that log with your reply.

Pochatok Posted January 4, 2021

msert.log

Here is the log, thank you so much for being so nimble with the reply! The scan came out clean!

Thank you,
Po

Maurice Naggar Posted January 4, 2021

Hello. Bravo. No infection / no malware found by the Microsoft Safety Scanner.

Let me suggest that you run one new special scan. I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe".

Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click the blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
Press Continue when all done. You should click to off the offer for “periodic scanning”.

Pochatok Posted January 5, 2021

4 hours ago, Maurice Naggar said:

> Hello. Bravo. No infection / no malware found by the Microsoft Safety Scanner.
>
> Let me suggest that you run one new special scan. I would suggest a free scan with the ESET Online Scanner.
>
> Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
>
> It will start a download of "esetonlinescanner.exe".
>
> Save the file to your system, such as the Downloads folder, or else to the Desktop.
> Go to the saved file, and double click it to get it started.
> When presented with the initial ESET options, click on "Computer Scan".
> Next, when prompted by Windows, allow it to start by clicking Yes.
> When prompted for scan type, click on Full scan.
> Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
>
> Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
>
> You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
>
> When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
> Click the blue “Save scan log” to save the log.
> If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
> Press Continue when all done. You should click to off the offer for “periodic scanning”.

Great, thank you so much! You're incredibly helpful!! I will try this in about 12 hours or so as I will shut my PC off soon for the rest of the day.

Cheers,
Po

Maurice Naggar Posted January 5, 2021

OK. I will look forward to getting the scan-report file. Cheers.

Pochatok Posted January 5, 2021

Hi @Maurice Naggar, here is the log: log1.txt

No viruses found, although there is some odd stuff from the log. Thank you very much!

However, as I just checked, Windows Security still detects that Wacatac on E:/ that no longer exists. I downloaded an autorun viewer, and the only questionable thing was the "Known DLLs", which I think is okay?

Let me know if this is it,
Po

Maurice Naggar Posted January 5, 2021 (edited)

All the 19 removed items in the log file report were in a temporary file area of the system. All removed.

What it sounds like is that Windows Defender is re-advising you of past (historical) detections. You mentioned they had been flagged on a removable device.

You should just do a new scan with the Microsoft Windows Defender antivirus and, if anything is flagged, deal with it then at the time of detection.

I want to be sure that your Windows 10 is able to do a scan with the Windows 10 Windows Defender antivirus. Just do a FULL scan with Windows Defender.

Open an elevated command prompt window, i.e. run Command Prompt as an administrator. It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).

On that command prompt, Copy & Paste this command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

and tap Enter-key. This should do a definitions update run for Microsoft Windows Defender & should be very quick.

NEXT

On the command prompt window, Copy & Paste this command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2

and press Enter-key. This will begin a Full scan mode run of Windows Defender antivirus.

Have lots of patience. The run may take an hour or two or more (depending on how many files are on the system).

Edited January 5, 2021 by Maurice Naggar

Maurice Naggar Posted January 6, 2021

Good day to you. I hope you are doing well. Please be sure you do what I listed before & relay the result to me.

This here is the next step to gather a fresh set of reports.

Please download the Farbar Recovery Scan Tool 64-bit and save it to your desktop.

Right-click on FRST64.exe and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows *SmartScreen protection* - click the line More info on that screen and click the button Run anyway on the next screen. Click YES when prompted by the Windows UAC prompt to allow it to run.

Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.
Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.
Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait. Have patience since it may take several minutes to gather the reports.
The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply. I need these reports for review & to guide you forward. We will have more to do later.

Thank you. 😎

Pochatok Posted January 6, 2021

19 hours ago, Maurice Naggar said:

> All the 19 removed items in the log file report were in a temporary file area of the system. All removed.
>
> What it sounds like is that Windows Defender is re-advising you of past (historical) detections. You mentioned they had been flagged on a removable device.
>
> You should just do a new scan with the Microsoft Windows Defender antivirus and, if anything is flagged, deal with it then at the time of detection.
>
> I want to be sure that your Windows 10 is able to do a scan with the Windows 10 Windows Defender antivirus. Just do a FULL scan with Windows Defender.
>
> Open an elevated command prompt window, i.e. run Command Prompt as an administrator. It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.
>
> To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).
>
> On that command prompt, Copy & Paste this command
>
> "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
>
> and tap Enter-key. This should do a definitions update run for Microsoft Windows Defender & should be very quick.
>
> NEXT
>
> On the command prompt window, Copy & Paste this command
>
> "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
>
> and press Enter-key. This will begin a Full scan mode run of Windows Defender antivirus.
>
> Have lots of patience. The run may take an hour or two or more (depending on how many files are on the system).

Good Afternoon! I followed these instructions, and the scan came out clear. Here is a screenshot:

Will begin the next steps in a bit, thank you very much for this vast array of assistance!

Maurice Naggar Posted January 6, 2021 (Solution)

I am looking forward to getting the 2 report files previously mentioned (above).

These here are other steps / actions for you to do. The goal here is to clear away all prior history notifications from the Microsoft Windows Defender antivirus.

First: What follows is a first step to have Windows 10 show all files and folders. Do not let this spook you out. There is a how-to at Tenforums. Use either option one or two or three:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Next: Open Windows File Explorer. Go to the folder location

C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service

In that folder, delete all files and sub-folders that are present in that folder "Service".

Once that is done, Microsoft Windows Defender ought to cease showing any old notices about the Wacatac ... or any other old previous detections. You may need to do a Windows Restart just to get a new session.

Please advise me after all this.

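The distinction this thread turns on (a remembered detection versus a file that is still present) can be checked directly before the history folder is cleared. The following PowerShell is an added example, not code from the thread or from Microsoft; the function name `Get-StaleDetection` is hypothetical, the sample record is constructed, and it assumes the `file:_<path>` form of the `Resources` strings returned by `Get-MpThreatDetection`.

```powershell
# Added example: classify Defender detection-history entries by whether the
# flagged file can still be reached on this system.
function Get-StaleDetection {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-MpThreatDetection output
        # (ThreatID, InitialDetectionTime, Resources).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Detection
    )
    process {
        foreach ($resource in $Detection.Resources) {
            # Assumed resource form: "file:_E:\dir\name.exe". Archive members
            # carry a "->member" suffix, which is dropped here.
            $pattern = '^(?:file|containerfile):_(?<path>[A-Za-z]:\\[^>]*?)(?:->.*)?$'
            if ($resource -notmatch $pattern) {
                continue    # not a local file path (e.g. a web or registry resource)
            }
            $path  = $Matches['path']
            $drive = $path.Substring(0, 2)    # e.g. "E:"

            $state = if (-not (Test-Path -LiteralPath "$drive\")) {
                'DriveMissing'    # volume is not mounted: history entry only
            } elseif (-not (Test-Path -LiteralPath $path)) {
                'FileMissing'     # drive exists, file already removed or quarantined
            } else {
                'FilePresent'     # file is still on disk and deserves a fresh scan
            }

            [pscustomobject]@{
                ThreatID      = $Detection.ThreatID
                FirstDetected = $Detection.InitialDetectionTime
                Path          = $path
                State         = $state
            }
        }
    }
}

# Constructed sample shaped like the alert described in the first post.
$sample = [pscustomobject]@{
    ThreatID             = 1                        # placeholder, not a real threat ID
    InitialDetectionTime = [datetime]'2021-01-01'   # constructed date
    Resources            = @('file:_E:\y-Progs64\Pass-Key\XP-Key-Reader.exe')
}
$sample | Get-StaleDetection | Format-Table -AutoSize

# On a live Windows 10 system, from an elevated PowerShell window:
# Get-MpThreatDetection | Get-StaleDetection | Sort-Object FirstDetected
```
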
Pochatok Posted January 7, 2021

Good Afternoon, here are the two files from your previous post, as requested: Addition.txt FRST.txt

Maurice Naggar Posted January 7, 2021

Thanks for the FRST reports. For your information, on the 4th Windows Defender antivirus detected 1 exe file as a potentially unwanted application (that is to say, potentially harmful):

C:\Users\tusha\AppData\Roaming\uTorrent\updates\3.5.5_45838.exe

As to my last suggestion, do not forget my post here:

https://forums.malwarebytes.com/topic/268773-a-wacatac-trojan-residing-on-an-ejected-flash-drive/?do=findComment&comment=1430851

Also, make 1 other adjustment:

Start Malwarebytes. Click the Settings (gear) icon.
Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security tab. Scroll down to "Windows Security Center".
Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
Close Malwarebytes when done.

Maurice Naggar Posted January 7, 2021

2nd reply for Thursday afternoon the 7th Jan.

I would like you to run a tool named SecurityCheck to inquire on the current-security-update status of some applications.

Download SecurityCheck by glax24 from here

https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

And lastly, when you reply, also let me know about the overall situation of this Windows system.

Pochatok Posted January 7, 2021

After following your latest instructions, I completed a new scan of the system via Windows Defender, and no new threats were found. Yay?

Let me know, and thank you so much, again,
Po

Maurice Naggar Posted January 7, 2021 (edited)

Cool. If you will run the SecurityCheck, I can then review to see if there are some out of date apps that have an impact on security. Also to see just what is the resident antivirus program.

Edited January 7, 2021 by Maurice Naggar

Pochatok Posted January 7, 2021

Great, thank you! All done with both Malwarebytes and SecurityCheck, here is the log for the latter: SecurityCheck.txt

Cheers,
Po

1 hour ago, Maurice Naggar said:

> Also let me know about the overall situation of this Windows system

Not sure what you mean exactly, but my PC is functioning (and has been) fairly well for the last few months or so, since I uninstalled Kaspersky and most of my games, and cleaned up a lot of older files and folders.

Maurice Naggar Posted January 8, 2021

Hello Po. Thanks for the SecurityCheck report. It shows a few apps out of date, like WinRAR, Zoom, Skype, Spotify. You need to do update checks for each. It also shows the Chrome browser version is not the latest release, as well as the Edge browser.

Let's have you address the web browsers first.

Start the Chrome browser. Click the Settings icon at the top right and select HELP, then select "About Google Chrome". See to it that it does a check run for updates. Follow all prompts after that. When all done, it should show Chrome Version 87.0.4280.141

[ 2 ] Open this link in your Chrome browser to install the Malwarebytes Browser Guard:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

[ 3 ] For the Microsoft Windows 10 EDGE browser: Start EDGE. Click the triple-dot ... at the top right corner so that you get a list of control options. Then select Help and Feedback. Then select "About Microsoft Edge". Then watch and ensure that it does an update check. When that finishes, it should show Version 87.0.664.75

[ 4 ] Still on EDGE, let's get the Malwarebytes Browser Guard for it. Open this link in your EDGE browser:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

Let me know when these steps are done.

Pochatok Posted January 8, 2021

Done, thank you!

Maurice Naggar Posted January 9, 2021 (edited)

That is good. You are welcome. Now then, to get back to the findings by the SecurityCheck tool. I suggest that you ensure to do update checks on these utilities / apps:

Microsoft Silverlight v.5.1.50907.0 Warning! Download Update
WinRAR 5.40 (64-bit) v.5.40.0 Warning! Download Update
Zoom v.5.3.2 (53291.1011) Warning! Download Update
Skype version 8.63 v.8.63 Warning! Download Update
Spotify v.1.1.46.916.g416cacf1 Warning! Download Update

And there are 2 apps flagged as unwanted:

Unity Web Player v.5.3.8f2 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
ASUS Command - PC Cleanup v.2.01.18 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it

Now then, as to the Microsoft Windows version. There is a newer, more recent release, Version 20H2 of Windows 10, that you should get and apply. Do that through the regular Windows Update method built into the Windows Settings.

The suggestion I have is to go to the Start menu, click the Windows Settings icon. Select Update & Security. On the Windows Update tab, click on "Check for Updates".

It may offer you a Cumulative Update or an Enablement package update for 20H2. Note that the display will show the new build in a new way, in the middle of the display. You will need to click on the blue line marked "Download and install now" when ready.

NOTES: The original issue that started this case is gone. The current intent here is to ensure that the Windows version is the latest release from Microsoft, and that your application programs have the most recent security updates.

Edited January 9, 2021 by Maurice Naggar

Pochatok Posted January 11, 2021

Hi! Thank you very much! I am in the progress of updating Windows; the other apps have been either updated or uninstalled.

Let me know if there is anything else,
Po

Maurice Naggar Posted January 11, 2021

Hello. Good morning. Beyond steps to ensure that the Windows version is the latest, there are no other outstanding issues.

Hello. To remove the FRST tool & its work files, do this. Go to your Desktop folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.

Delete msert.exe
Delete the esetonlinescanner.exe
Any other download file I had you download, you may delete.

I wish you all the best. Stay safe.

Sincerely,
Maurice