
Teamviewer Login - Unknown Source - Detected: Trojan:Win32/Wacatac.B!ml



I was cooking dinner a couple of nights ago and heard a notification sound from my PC. I came over to it to see a disconnect message window from TeamViewer showing that someone had just disconnected from my machine. I checked the recent history and logs to see that a user named "abcdef" had been logged into my system. This user is not on my list of users. So I immediately uninstalled TeamViewer from my PC.

Today I noticed that Malwarebytes was not running and tried to open it manually and got a window popup stating "The item referred to by this shortcut cannot be accessed. You may not have the appropriate permissions." 

I then ran Rkill, the log of which I attached below. I was then able to start MWB and MS Windows Defender and ran a scan with each. MWB found about 20 items; I am including the log. MS Windows found the above-named Trojan.

Went through the MWB process to quarantine all items, then fix. It asked for a system restart, which I allowed; upon restart MWB told me it had fixed 19 of the issues but 1 was remaining with a Removal Failed note.

Malware.AI.1757031565, C:\PROGRAMDATA\RUNTIMEBROKER.EXE, Removal Failed

So then I ran FRST64.exe and did a scan. I have attached all logs below. MWB is no longer detecting anything on scan but Windows Defender is still detecting and showing Remediation Incomplete. I am afraid to change any of my passwords as some searches come back with keylogger and remote access for this Trojan. Please help me out if you can.

I am getting weird behavior from my keyboard input in some applications/windows as well. Like Enter won't work in Calc.exe to complete a calculation. Can't type in the search bar in any Windows Explorer window, can't use keyboard to jump to file names in Windows Explorer and other oddities.

MWB Removal Failed.txt Rkill.txt Addition.txt FRST.txt


Hi
 
Welcome :)
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)

Let's begin... :)

Download the enclosed file and save it in the same location FRST64 is saved. Open FRST64 as an Administrator and click on the Fix button.

When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach the file in your next reply.
 
Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now ...
  • When the scan has finished a Scan Results window will open.
  • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab ...
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
  • A Notepad file will open containing the results of the scan.

Please attach the file in your next reply.

Fixlist.txt


AdwCleaner - Clean

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now
  • When the scan has finished a Scan Results window will open.
  • Please check all boxes and then click Quarantine
    • Click Next
    • If any pre-installed software was found on your machine, a prompt window will open ...
      • Click OK to close it
    • Check any pre-installed software items you want to remove (if they're not causing you a problem I recommend you don't select any)
    • Click Quarantine
  • A prompt to save your work will appear ...
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear ...
    • Click Restart Now
  • Once your computer has restarted ...
    • If it doesn't open automatically, please start AdwCleaner ...
    • Click the Log Files tab ...
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please attach the file in your next reply.

Re-scan with FRST64 and attach its logs.


Download the enclosed file and save it in the same location FRST64 is saved. Open FRST64 as an Administrator and click on the Fix button.

When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach the file in your next reply.

 

How is the computer doing?

 

Fixlist.txt

Edited by JSntgRvr

If you wish we can run some utilities to check for system files corruption.

 

Download the enclosed file and save it in the same location FRST64 is saved. Open FRST64 as an Administrator and click on the Fix button.

When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach the file in your next reply.

Fixlist.txt

Edited by JSntgRvr
typo

Everything seems fine, except for the calculator app. It doesn't recognize Enter (normal or keypad) or the Backspace key (yes, I have tried Resetting in Windows Apps & Features). No reason to believe it is related other than my PC not recognizing my SteelSeries Apex400, which is part of what alerted me there might be an issue with my PC.


Found this on the Windows forums and it worked to fix all my input issues. I'm guessing whatever I had been infected by turned this off in Windows.

:QUOTE:

Hello guys, I searched for a solution for this problem and it was the simplest of things.

I don't know why it works but try it and tell if it works for you guys too.

Press Win + R (to open Run)
Copy, paste and press Enter to run this program: "C:\Windows\system32\ctfmon.exe". It brings back the language bar, and for me it allowed me to type in Windows search, Start menu and Windows 10 apps again.
I think it is due to a missing Language bar or something like that.


Made a small registry edit to re-enable it after restart also. There is probably a better or more proper way but this has solved it for me.

 

Under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 

Edit .. Add--> String Value

Name it ctfmon

Then Right Click and Select Modify and add the below line to string value box.

C:\Windows\System32\ctfmon.exe
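
As an added example that is not part of the original thread: the item that failed removal in the first post was a file named after a Windows system binary sitting in C:\ProgramData, and the post above adds a Run value by hand. A read-only PowerShell check of the Run keys covers both cases; the list of system binary names and the function name are assumptions made for this example.

```powershell
# Added example (read-only): list Run-key autostart entries and flag suspicious ones.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Assumed short list of Windows binary names that should only run from the system directories.
$systemNames = @('runtimebroker.exe', 'ctfmon.exe', 'svchost.exe', 'dllhost.exe')
$systemDirs  = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))
$psMeta      = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntryReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        # Registry values come back as object properties; drop the provider's own metadata.
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notin $psMeta }
        foreach ($p in $props) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            # Executable path: a quoted string, or unquoted text up to the first ".exe".
            if ($cmd -match '^\s*(?:"([^"]+)"|(.+?\.exe))') {
                $path = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            } else {
                $path = $cmd.Trim()
            }
            if ([string]::IsNullOrWhiteSpace($path)) { continue }
            $exists = Test-Path -LiteralPath $path -PathType Leaf
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $leaf   = (Split-Path -Path $path -Leaf).ToLower()
            $dir    = Split-Path -Path $path -Parent
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Path       = $path
                Exists     = $exists
                Signature  = if ($sig) { $sig.Status } else { 'n/a' }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # True when a system binary name is registered from outside System32/SysWOW64.
                Masquerade = ($leaf -in $systemNames) -and ($dir -notin $systemDirs)
            }
        }
    }
}

Get-RunEntryReport | Sort-Object Masquerade -Descending | Format-List
```

An entry with `Masquerade` set to True, or with a `Signature` other than Valid, is one to raise with the helper before changing anything.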


  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
