
A Wacatac Trojan residing on an ejected Flash Drive.


Solved by Maurice Naggar

Hi!

I haven't been able to find any relevant articles on my issue online, so I'll try my luck here. Thank you if you are reading this!

Lately, my (Windows10) Windows Security has been continuously detecting this, for a few times per day:

Trojan:Win32/Wacatac.B!ml with the location of E:\y-Progs64\Pass-Key\XP-Key-Reader.exe

I have removed the malware multiple times, but it keeps coming back. Today, I installed Malwarebytes to help me get rid of the virus, but it has failed to detect it (although it found other issues).

Here's the plot twist: I have no E:/ in my system right now. The last time I used a flash drive was last Friday, and since around then the malware has been reappearing. Is this a glitch, and if not, should I take care of it the usual way, by following one of the instructions to remove Wacatac I see online?

Thank you very much for your time!


Hi, and welcome.

It appears as if the Microsoft Defender antivirus is notifying you about an undealt-with item it tagged sometime in the past. At times, clearing an old entry out of the scan history of Microsoft Defender can be a challenge. The more important point is whether Microsoft Defender is flagging an actual current threat.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system.

The download links and the instructions on how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please select "Full" scan.

Let me know the result of this.

The log is named MSERT.log.

The log will be at C:\Windows\debug\msert.log

Please attach that log with your reply.


Hello.  Bravo.  No infection / no malware found by the Microsoft Safety Scanner.

Let me suggest that you run one new special scan.

I would suggest a free scan with the ESET Online Scanner.
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double-click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (i.e. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (at the bottom).
Press Continue when all done. You should click to turn off the offer for "periodic scanning".


Great, thank you so much! You're incredibly helpful!! 

I will try this in about 12 hours or so as I will shut my PC off soon for the rest of the day.

Cheers,

Po


Hi @Maurice Naggar, here is the log: log1.txt

No viruses found, although there is some odd stuff from the log. Thank you very much!

However, as I just checked, Windows Security still detects that Wacatac on E:/ that no longer exists. I downloaded an autorun viewer, and the only questionable thing was the "Known DLLs", which I think is okay? 

Let me know if this is it,

Po


All the 19 removed items in the log file report were in a temporary file area of the system. All removed.

What it sounds like is that Windows Defender is re-advising you of past (historical) detections. You mentioned they had been flagged on a removable device.

You should just do a new scan with the Microsoft Windows Defender antivirus and, if anything is flagged, deal with it then at the time of detection.

I want to be sure that your Windows 10 is able to do a scan with the Windows 10 Windows Defender antivirus. Just do a FULL scan with Windows Defender.

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

It is best to use the Windows copy (CTRL+C) and paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows-key + X and then select Command Prompt (Admin).

On that command prompt, copy and paste this command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

and tap the Enter key. This should do a definitions update run for Microsoft Windows Defender and should be very quick.

NEXT

On the command prompt window, copy and paste this command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2

and press the Enter key. This will begin a Full scan mode run of Windows Defender antivirus.

Have lots of patience. The run may take an hour or two or more (depending on how many files are on the system).

Edited by Maurice Naggar

Good day to you. I hope you are doing well. Please be sure you do what I listed before and relay the result to me. This here is the next step to gather a fresh set of reports.

Please download the Farbar Recovery Scan Tool 64-bit and save it to your desktop.

Right-click on FRST64.exe and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows *SmartScreen protection*: click More info on that screen and click the Run anyway button on the next screen.
Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info and then choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself; in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is *checked*; the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait. Have patience since it may take several minutes to gather the reports.

[screenshot: FRST scan options]

The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply. I need these reports for review and to guide you forward. We will have more to do later.
Thank you. 😎


Good Afternoon!

I followed these instructions, and the scan came out clear. Here is a screenshot: [screenshot of the completed Windows Defender scan]

Will begin the next steps in a bit, thank you very much for this vast array of assistance!


  • Solution

I am looking forward to getting the 2 report files previously mentioned (above).

These here are other steps / actions for you to do. The goal here is to clear away all prior history notifications from the Microsoft Windows Defender antivirus.

First:

What follows is a first step to have Windows 10 show all files and folders. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one, two or three.

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Next:

Open Windows File Explorer. Go to the folder location C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service

In that folder, delete all files and sub-folders that are present in that folder "Service".

Once that is done, Microsoft Windows Defender ought to cease showing any old notices about the Wacatac, or any other old previous detections.

You may need to do a Windows Restart just to get a new session. Please advise me after all this.
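Before purging the history folder, it helps to confirm that the repeating alert really is a historical entry rather than a live detection. The PowerShell below is an added example (not posted in this thread and not part of any Malwarebytes or Microsoft tool); it uses the Defender module cmdlets Get-MpThreat and Get-MpThreatDetection and assumes each Resources entry carries a path such as "file:_E:\folder\file.exe", so a detection whose drive letter is not currently mounted can only be a stale notice.

```powershell
# Added example: list Microsoft Defender detection-history entries whose
# flagged file sits on a drive letter that is not mounted right now.
# Assumes the Defender PowerShell module (Get-MpThreat, Get-MpThreatDetection)
# and Resources strings of the form "file:_E:\path\file.exe" (assumption).
# Run from an elevated PowerShell window.

function Get-StaleDefenderDetections {
    [CmdletBinding()]
    param()

    # Drive letters that exist at this moment, e.g. "C", "D".
    $present = Get-PSDrive -PSProvider FileSystem |
        Select-Object -ExpandProperty Name

    # Map ThreatID -> ThreatName so the report shows the readable name
    # (e.g. "Trojan:Win32/Wacatac.B!ml") instead of a numeric id.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    foreach ($det in Get-MpThreatDetection) {
        foreach ($res in $det.Resources) {
            # Pull the drive letter out of "file:_E:\..." or a bare "E:\...".
            if ($res -match '(?i)([A-Z]):\\') {
                $letter = $Matches[1].ToUpper()
                [PSCustomObject]@{
                    ThreatName    = $names[$det.ThreatID]
                    FirstDetected = $det.InitialDetectionTime
                    LastChange    = $det.LastThreatStatusChangeTime
                    Drive         = "${letter}:"
                    DriveMounted  = ($letter -in $present)
                    Resource      = $res
                }
            }
        }
    }
}

# Entries on unmounted drives are the historical ones that re-surface in the
# Security notifications; a live threat on the current system would show
# DriveMounted = True and deserves a fresh scan instead of a history purge.
Get-StaleDefenderDetections |
    Where-Object { -not $_.DriveMounted } |
    Format-Table ThreatName, FirstDetected, LastChange, Drive, Resource -AutoSize
```

If the output is empty while the alert still repeats, the notice is coming from the Windows Security UI cache rather than the detection store, which is the case the folder cleanup above addresses.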


Thanks for the FRST reports. For your information, on the 4th Windows Defender antivirus detected 1 exe file as a potentially unwanted application (that is to say, potentially harmful): C:\Users\tusha\AppData\Roaming\uTorrent\updates\3.5.5_45838.exe

As to my last suggestion, do not forget my post here https://forums.malwarebytes.com/topic/268773-a-wacatac-trojan-residing-on-an-ejected-flash-drive/?do=findComment&comment=1430851

Also: make 1 other adjustment:

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".

Close Malwarebytes when done.


2nd reply for Thursday afternoon the 7th Jan.

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.
Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then
click on the MORE INFO spot and override that and allow it to proceed.
This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

And lastly, when you reply, also let me know about the overall situation of this Windows system.


Great, thank you! All done with both Malwarebytes and SecurityCheck, here is the log for the latter: SecurityCheck.txt

Cheers,

Po

1 hour ago, Maurice Naggar said:

Also let me know about the overall situation of this Windows system

Not sure what you mean exactly, but my PC is functioning(and has been) fairly well for the last few months or so, since I uninstalled Kaspersky and most of my games, and cleaned up a lot of older files and folders. 


Hello Po. Thanks for the SecurityCheck report. It shows a few apps out of date, like WinRAR, Zoom, Skype, Spotify. You need to do update checks for each.

It also shows the Chrome browser version is not the latest release, as well as the Edge browser.

Let's have you address the web browsers first.

[ 1 ]

Start the Chrome browser. Click the Settings icon at the top right and select HELP, then select "About Google Chrome".

See to it that it does a check run for updates. Follow all prompts after that. When all done, it should show Chrome Version 87.0.4280.141

[ 2 ]

Open this link in your Chrome browser to install the Malwarebytes Browser Guard:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

[ 3 ]

For the Microsoft Windows 10 EDGE browser:

Start EDGE. Click the triple-dot (...) at the top right corner so that you get a list of control options.

Then select Help and Feedback. Then select "About Microsoft Edge".

Then watch and ensure that it does an update check. When that finishes, it should show Version 87.0.664.75

[ 4 ]

Still on EDGE, let's get the Malwarebytes Browser Guard for it.

Open this link in your EDGE browser:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup. Let me know when these steps are done.


That is good. You are welcome. Now then, to get back to the findings by the SecurityCheck tool. I suggest that you make sure to do update checks on these utilities / apps.

Microsoft Silverlight v.5.1.50907.0  Warning! Download Update

WinRAR 5.40 (64-bit) v.5.40.0  Warning! Download Update

Zoom v.5.3.2 (53291.1011)  Warning! Download Update
Skype version 8.63 v.8.63  Warning! Download Update

Spotify v.1.1.46.916.g416cacf1  Warning! Download Update

And there are 2 apps flagged as unwanted:
Unity Web Player v.5.3.8f2 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
ASUS Command - PC Cleanup v.2.01.18 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it

Now then, as to the Microsoft Windows version. There is a newer, more recent release of Windows 10, Version 20H2, that you should get and apply.

Do that through the regular Windows Update method built into the Windows Settings.

The suggestion I have is to go to the Start menu and click the Windows Settings icon. Select Update & Security. On the Windows Update tab, click on "Check for Updates".

It may offer you a Cumulative Update or an Enablement package update for 20H2.

Note that the display will show the new build in a new way, in the middle of the display. You will need to click on the blue line marked "Download and install now" when ready.

NOTES: The original issue that started this case is gone. The current intent here is to ensure that the Windows version is the latest release from Microsoft, and that your application programs have the most recent security updates.

Edited by Maurice Naggar

Hello. Good morning. Beyond steps to ensure that the Windows version is the latest, there are no other outstanding issues.

Hello.

To remove the FRST tool and its work files, do this. Go to your Desktop folder. Do a RIGHT-click on FRST64.exe and select RENAME, then change it to UNINSTALL.exe.
Then run that (double-click on it) to begin the cleanup process.

Delete msert.exe

Delete the esetonlinescanner.exe

Any other download file I had you download, you may delete.

I wish you all the best.  Stay safe.

Sincerely,

Maurice
