Win32/Wacatac.B!ml


Hi,

My machine is Windows 10 Pro.

I am running realtime Malwarebytes Premium & Windows Defender

I run on demand scans using Emsisoft Emergency Kit and HitmanPro

My morning ritual is to scan first with HitmanPro,
then with MalwareBytes and then a Defender Quick Scan
(I manually update MalwareBytes and Defender).

Once a month I run Emsisoft (with MalwareBytes NOT running).
Also, once a month I run a FULL Defender scan.

Yesterday while the Emsisoft scan was progressing (it takes 2 ish hours) I got a notification from Windows Defender
that a Threat was Blocked and the file was removed.

I let Emsisoft finish, it detected nothing.

I examined the Defender log and it had detected a Threat which was Blocked, it had removed a Win32/Wacatac.B!ml file.

It advised me to do a FULL SCAN which I did, nothing further was found.

I have now run a Custom Scan of the whole of the C:\ drive with MalwareBytes.
(Updated MalwareBytes Manually, Scan (Without Rootkits), Scan for Memory Objects, Scan registry, Startup items,
Scan within Archives, Entire C:\, PUP Treat as Malware, PUM Treat as Malware, Files scanned 508505,
1 hour 35 mins 28 secs, No Detections)

I have read up a bit on this Trojan but many of the posts on the internet for it are not from very trustworthy sources.

I am wondering if the machine is damaged? There seem to be no further files that are infected; Emsisoft, Defender
& MalwareBytes concur.

Would any backdoor or registry modifications for password stealing be detected by the 4 antiviruses I am using?

Should I consider doing a System Restore?

Should I wipe the machine and re-install from scratch?

 

Advice would be appreciated


Hello @Helter_Skelter and welcome!


I'm Android8888 and I will be glad to help you with your computer issues. Please feel free to ask questions if anything is unclear to you.

Okay, let's see what we can find out.

 

Please download the Farbar Recovery Scan Tool and save it to your computer's Desktop.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press the Scan button.


  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Please attach both logs to your reply for my review.


Hello Helter_Skelter,

Looking over your logs I see no signs of malware installed on this computer. It seems the threat Windows Defender found was located in a temporary folder and was removed.

However, I would like you to run the following fix to clean up some orphaned entries in your system.

 

Warning for other users: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to the operating system.

Now follow the instructions below to execute a script fix on your system using FRST, and provide the log in your next reply.

  • Download the fixlist.txt file attached at the bottom, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the Fixlog.txt in your next reply;

 

Next,

Please download the latest version of AdwCleaner and save the file to your computer Desktop.

  • Right-click on AdwCleaner.exe and select Run as Administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Agree to accept the EULA (End User License Agreement).
  • Click the Scan Now blue button and wait until the scan is complete.
  • Once the scan completes, a Scan Results window will open.
  • Make sure that every item listed is checked and then click the Quarantine button.
  • Click Next.
  • If any pre-installed software was found on your machine, a prompt window will open.
  • Click OK to close it.
  • Now check any pre-installed software items you want to remove (if they're not causing you a problem I recommend you don't select any).
  • Click Quarantine.
  • A prompt to save your work will appear.
  • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
  • Click Restart Now.
  • Once your computer has restarted a Notepad file will open after logging in.
  • If it doesn't open automatically, please start AdwCleaner.
  • Click the Log Files tab on the left pane.
  • Double click on the latest Clean log (Clean logs are like AdwCleaner[Cxx].txt, where xx is replaced by a number, the latest scan will have the largest number)
  • Please attach that file to your next reply.

 

Now to ensure all is clean, please run the following scan with Microsoft Safety Scanner.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system.
The download links and the instructions on how to run the tool are at the following link at Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
 
I will need to see the scan results.
The log is named MSERT.log and it will be located in %SYSTEMROOT%\debug\msert.log which in most cases is C:\Windows\debug\msert.log.

Please attach that log to your next reply.

 

To summarize, please attach the following logs in your next reply:
Fixlog.txt
AdwCleaner clean log.
msert log.

Thank you.

Android8888

fixlist.txt


Hi Android8888,

thanks very much for spending time solving my issues on this machine. I attach the 3 log files you requested. 

I was puzzled by the Microsoft Safety Scanner as whilst it was running it said 1 infection, but when it finished it said NO DETECTIONS??

Just to complicate things, MalwareBytes has stopped responding both yesterday and today, which I have observed from the reliability log. I am not sure why?

Your assistance is much appreciated,

 

Helter_Skelter

Fixlog.txt AdwCleaner[S01].txt msert.log


Hi @Helter_Skelter

Thank you for the logs.

1 hour ago, Helter_Skelter said:

I was puzzled by the Microsoft Safety Scanner as whilst it was running it said 1 infection, but when it finished it said NO DETECTIONS??

That detection may have to do with what I already stated in my previous post:

16 hours ago, Android8888 said:

Looking over your logs I see no signs of malware installed on this computer. It seems the threat Windows Defender found was located in a temporary folder and was removed.

 

1 hour ago, Helter_Skelter said:

Just to complicate things, MalwareBytes has stopped responding both yesterday and today, which I have observed from the reliability log. I am not sure why?

Which log is this? Please attach that log for my review.

 

From your Addition.txt log:

Name: Trojan:Win32/Wacatac.B!ml
Path: file:_C:\Users\Pete\AppData\Local\Temp\tmp0000007b\tmp000ef2e5
Process Name: C:\Program Files\Emsisoft Emergency Kit\bin64\a2emergencykit.exe

It appears the EEK program creates a temporary folder which is being detected as a false positive.

 

I would like to see fresh FRST logs.

Re-run a new scan with FRST and attach the two new logs (FRST.txt and Addition.txt) in your next reply for my review.

Android8888


Hi Android8888,

 

I have run the FRST program and it Auto-updated. I attach the new FRST.txt & Addition.txt.

Mbamtray.exe has faulted twice in the last 2 days, viewable in Addition.txt.

Sorry, the actual name of the calendar of problems is called the Reliability Monitor.
I have tried to save the reliability history in the file format it chooses (XML), but this was blocked by the forum.
I also clicked on the mbamtray.exe entries and copied both into Problem Details From Reliability Monitor 28-29-10-2021.txt.
The Reliability Monitor says it has sent the details to Microsoft.

Could I enter the a2emergencykit.exe into the Microsoft Defender exclusion list?
Would this prevent a detection if it tried to create a temporary file again or is it the temporary file itself being detected as a False Positive?

 

Thank you for spending so much time helping me, it is much appreciated,

 

Helter_Skelter

FRST.txt Addition.txt Problem Details From Reliability Monitor 28-29-10-2021.txt


Hi Android8888,

 

I made a mistake in what I wrote above. I cannot find a way to edit my post so I will type the corrected version.

Could I enter the a2emergencykit.exe into the Microsoft Defender exclusion list?
Would this prevent a detection if it tried to create a temporary folder again, or is it the temporary folder itself being detected as a False Positive?
Is there another way to exclude and prevent a False Positive?

Apologies,

 

Helter_Skelter

 

 


Hello,

Looking over your latest Farbar logs, I see no signs of infection. Your system is clean.

Could I enter the a2emergencykit.exe into the Microsoft Defender exclusion list?


Yes, you can do that; please read this article:
https://www.windowscentral.com/how-exclude-files-and-folders-windows-defender-antivirus-scans

Would this prevent a detection if it tried to create a temporary folder again, or is it the temporary folder itself being detected as a False Positive?


Is there another way to exclude and prevent a False Positive?


One explanation for the false positive is that Microsoft Windows Defender may not have enough information about the file to determine that it is safe. Yes, the temporary folder itself is being detected as a false positive.
Yes, there is a way to exclude and prevent a false positive in Windows Defender, as instructed above.

 

Now please run the attached script fix file using FRST. This fix may take some time, so please be patient.

Warning for other users: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to the operating system.

Follow the instructions below to execute a script fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the Fixlog.txt in your next reply;


Concerning the Malwarebytes issue, I would suggest you completely remove and reinstall the program by using its removal tool as instructed below:

Uninstall and reinstall using the Malwarebytes Support Tool
Please close all browsers and programs before running the tool.

After reinstall, open Malwarebytes and run a new scan with it.

Please let me know what issues still remain.

Thank you.

Android8888

fixlist.txt

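The exclusion discussed above can be made narrower than a file or folder exclusion. As an added example that is not from this thread or from any of the tools it mentions, the PowerShell below (run elevated) lists Defender's detection history, keeps only detections raised from the Emsisoft Emergency Kit process on its own temporary files (the path and process name are taken from the Addition.txt excerpt quoted earlier), and only then adds a process exclusion with the built-in Add-MpPreference cmdlet; the temp-folder regex is an assumption based on that one path.

```powershell
# Added example (not part of the forum thread). Requires an elevated PowerShell.
# Assumed from the thread: the scanner's process path and the %LOCALAPPDATA%\Temp\tmp* layout.
$eekExe = 'C:\Program Files\Emsisoft Emergency Kit\bin64\a2emergencykit.exe'

# 1. Map ThreatID -> threat name so the history is readable (e.g. Trojan:Win32/Wacatac.B!ml).
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

# 2. Flatten Defender's detection history: when, what, which process, which file(s).
$hits = Get-MpThreatDetection | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.InitialDetectionTime
        Threat  = $names[$_.ThreatID]
        Process = $_.ProcessName
        File    = ($_.Resources -join '; ')   # entries look like file:_C:\...
        Success = $_.ActionSuccess
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize

# 3. Keep only detections where the scanner itself touched a file under its temp folder.
#    Anything detected elsewhere, or by another process, is NOT a candidate for exclusion.
$fromEek = $hits | Where-Object {
    $_.Process -eq $eekExe -and $_.File -match '\\AppData\\Local\\Temp\\tmp[0-9a-f]+\\'
}

# 4. Exclude the process rather than the Temp folder: files the scanner opens are skipped,
#    while everything else that lands in Temp is still scanned by Defender.
if ($fromEek) {
    Add-MpPreference -ExclusionProcess $eekExe
    (Get-MpPreference).ExclusionProcess      # confirm the single new entry
} else {
    'No detections attributed to a2emergencykit.exe; no exclusion added.'
}
```

Remove-MpPreference -ExclusionProcess takes the same argument if the exclusion is no longer needed once the scanner is updated.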

Hi Android8888,

Thanks very much for the link to the article on Microsoft Defender exclusions, I have added a2emergencykit.exe to this list.

I followed your instructions and used FRST to run your latest fixlist. It didn't bring up a log on completion, it put up a box saying restart required. Whilst restarting, it appeared to be checking and scanning the HDD. I attach the fixlog.txt.

 

On a general point, do you think running Malwarebytes and Defender as my realtime protection for this machine is effective protection?

 

Thanks for all your time spent sorting out the issues on my machine and giving me a clean machine! I am very grateful for this,

Helter_Skelter

Fixlog.txt


Hello!

Thanks for all your time spent sorting out the issues on my machine and giving me a clean machine! I am very grateful for this,


You're very welcome.

On a general point, do you think running Malwarebytes and Defender as my real-time protection for this machine is effective protection?


If you have Malwarebytes Premium, yes, it is an excellent combination for effective protection of your computer. It's the one I also use on my computer. It has no intrusive and annoying advertisements on the machine like most third-party anti-viruses, especially the free versions. Another good thing is that they don't conflict with each other, so you don't need to add exclusions for each other.

Are there any other issues or concerns with the computer?


Hi @Helter_Skelter

I'm glad to know your computer is running well.

 

20 hours ago, Helter_Skelter said:

Just a question. Does having MalwareBytes Premium running cause any problems when updating programs. I have just manually updated a number of Browsers, and I was wondering if it is better to quit MalwareBytes before updating and launch it again when the updates have finished ?

Malwarebytes Premium does not interfere with updates for most programs unless you are updating suspicious programs that may represent a threat to the system. Generally speaking, there is no need to do that from my point of view.

 

Below I have included several recommendations to help keep your computer safe.
 

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain check-boxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars and add-ons in your favorite web browser.
 
I advise you to keep Malwarebytes installed and updated and perform a regular scan of your system, as it will make it harder for malware to reside on your computer.
A complete guide on using the program can be found here
 
A number of programs have resident protection and it is a good idea to run it to maintain active protection. However, it is important to run only one resident protection program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program with resident protection at a time.
Windows 10 has a good built-in antivirus and firewall which offers an excellent active protection.
 
Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, DO NOT click on it. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.
 
A similar category of programs is called "scareware". These types of programs are active infections that will pop up on your computer and tell you that you are infected when you are not. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection up-to-date and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the Internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible.
 
Another of the most feared threats at the moment is infection by ransomware. This type of infection encrypts all data on drives and asks for a ransom to provide the decryption key, which will never be provided. The demanded payment is typically in Bitcoin or another payment method. I advise you to read more info on this terrible threat here and here.
 
Program vulnerabilities are often exploited in order to install malware. To keep the operating system up-to-date, make sure that Windows Update is enabled on your computer.
Keeping all software up-to-date is important as well. Programs such as UCheck, Heimdal Free, or PatchMyPC can help keep software on your computer up-to-date.
 
Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.
 
Stay away from P2P software; even with a 'clean' P2P program, their networks are often riddled with malware.
 
Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.
 
Don't click on links received in instant message programs.
 
A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good, regularly updated HOSTS file is the MVPS HOSTS File, available here.
 

In addition, I also recommend reading all the interesting information in the 'Learn' menu (in the blue line) at the top of the main page of the forum and also in the following articles for more complete information about cybersecurity:


How Malware Spreads - How your system gets infected?
Answers to common security questions - Best Practices - by quietman7
Simple and easy ways to keep your computer safe and secure on the Internet - by Lawrence Abrams
How to Keep Your Windows PC and Apps Up to Date
What’s the Best Way to Back Up My Computer?
Pirated Software is All Fun and Games Until Your Data is Stolen
Do You Need Anti-Ransomware Software for Your PC?
How Safe Are Password Managers?
Why Windows Slows Down Over Time

 
I hope these steps will help to keep you error and malware free. If you run into more difficulty, we at Malwarebytes will certainly do what we can to help.
 

Happy surfing and stay safe.
 
Best regards,
 
Android8888

 



Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.