
need help removing Trojan:Script/Wacatac.B!ml


Solved by Maurice Naggar.


A routine Windows Security scan alerted me that it detected a virus. Specifically, it detected: Trojan:Script/Wacatac.B!ml. The scan results also said: "Remediation Incomplete". It prompted me to take action. I tried selecting both "Remove" and "Quarantine", but nothing happens. I don't get an error message or anything. Windows Security ran a second scan later that had the same results. Here are additional details:



Between the two Windows Security Scans, I downloaded Malwarebytes and ran a scan with it, but it detected no viruses.  I also tried AdwCleaner but that found no threats.

I also downloaded and ran Microsoft Safety Scanner. That gave me conflicting information. While the scan was in-progress, it noted that a number of files were infected. But once the scan was complete, it contradicted itself, saying no viruses were detected.

Here's a snapshot from the in-progress scan indicating 5 files were infected:

Image

And here's a snapshot from the completed scan, saying no viruses were detected:

Image

 

Bottom line, Windows Security insists I have this virus, but can't remove it. No other virus scanner (Malwarebytes, AdwCleaner or Microsoft Safety Scanner) detects it.

Edited by AdvancedSetup
Corrected font issue

Hello @lurker316

My name is Maurice.

Please set File Explorer to SHOW ALL folders and all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

I would like a report set for review.   This is a report only.

Please download the MALWAREBYTES MBST Support Tool.

Once you start it click Advanced >>> then   Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply, like displayed here.
  • To send (upload) attachments please click the "ADD Files" link. Then browse to where your file is located, select it and click the Open button.

 


 

The set of data from the report will provide much needed information.

Please always attach reports as we go along.

Cheers.

Edited by AdvancedSetup
Corrected font issue

NOTE regarding the MS Safety scanner:

By the way, about what you "saw" on intermediate displays of the Microsoft Safety Scanner,  I would like you to review the remarks by AndyDavid about all that on this Microsoft community venue https://docs.microsoft.com/en-us/answers/questions/326108/mar-1721-msert-detects-items-during-scan-but-at-en.html

Also, the post by EricYin of Microsoft  ( just below that section)

 if nothing reported in %SYSTEMROOT%\debug\msert.log, that means no infections.

Do not count on anything on the intermediate display.  Only the bottom / end result when the Safety Scanner is all done.


I will be guiding you to do several scans. It seems all there is here is some sort of oddity related to an obscure IE INetCache sub-folder that is in "VolumeShadowCopy9".

Edited by Maurice Naggar

Just so you know: I look forward to getting the ZIP file report from the support tool. After that, I will review it and then guide you forward.


If Microsoft Defender Antivirus is only flagging one file - the QINNLJOV.htm - it is not "active" nor a real threat, since it is only a copy kept in an old "shadow copy" of the IE cache kept by Windows.


Maurice,

Thank you for taking the time to assist me and provide these helpful and easy to understand instructions.  I greatly appreciate it.  The logs you requested are attached. 

To give you a little more background, I also requested support on the MS Forum. They suggested I go back to Windows Security to run a full scan and an offline scan. I did that and got conflicting results. Now Windows Security is telling me my last scan was at 1:55 pm and there are no current threats. However, when I click on "Protection history" it says threats were found at 3:30 pm and those threats were not remediated. The "quarantine failed". Both threats appear to be the same trojan script, but now it's two files in the same location. Here are screenshots:

Screenshot 2021-12-03 155621.jpg

Screenshot 2021-12-03 155730.jpg

Screenshot 2021-12-03 155810.jpg

I reinstalled Malwarebytes, ran a scan, then ran the Support Tool to generate the logs that are attached.

 

 

Screenshot 2021-12-03 155730.jpg

mbst-grab-results.zip


Questions: Is this a DELL machine? And by any chance, had you attempted to run the Dell Support Assist Remediation tool, and is that when the first "flagging" from Microsoft Defender showed up?

If both true, there is something about that app that Microsoft Defender does not like.


Hi, Lurker316.

First, housekeeping for Security.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.


[  2  ]

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

[  3  ]

We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for  lurker316  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will also run the Windows DISM tool to check the system integrity.

NOTE-2: It will attempt to run, in batch mode, a Microsoft Defender (windefend) Quick scan and, if anything is found, to remove it.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt


Start Windows Explorer and then go to the Downloads folder.

RIGHT click on FRSTENGLISH.exe and select Run as Administrator, and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the "More info" line on that screen
and click the "Run anyway" button on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it run and finish.   I will look forward to getting the log.

Edited by Maurice Naggar

@Maurice Naggar

Thanks.  I ran it.  The log is attached.

After my computer rebooted, the folders I had pinned under "Quick Access" in File Explorer changed.  The folders I pinned are no longer there.  It looks like Quick Access was restored to its default.  It's not a big deal and I can change it back, but I'm wondering if that's normal?  Might the script have altered other customizations I've made to Windows that I should check?

Screenshot 2021-12-03 173444.jpg

 

 

Fixlog.txt


The script does not do anything related to Quick access in File Explorer.

Thanks for the log report. The run is generally good. The Windows System File Checker and the DISM tools found no integrity issues.

It could not run a quick scan by Windows Security (a.k.a. Microsoft Defender) in batch mode. So I would suggest a manual Check for Updates and a new Quick scan.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.
Do a QUICK scan.
Let me know the end result of what the Microsoft Defender reports.

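The same checks Maurice walks through in the GUI (review the Protection history, trust only the end-of-scan result in %SYSTEMROOT%\debug\msert.log, then Check for Updates and run a Quick scan) can be done from an elevated PowerShell prompt. The block below is an added example written for this thread; it is not code from the thread, from Malwarebytes or from Microsoft. It uses the built-in Defender cmdlets (Get-MpThreat, Get-MpThreatDetection, Update-MpSignature, Start-MpScan, Get-MpComputerStatus). The assumption that a detection inside a VSS snapshot shows a resource path containing "HarddiskVolumeShadowCopy" is mine, not something the thread states.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell (Run as Administrator)
# on Windows 10/11, where the Defender cmdlets ship with the OS.

# 1. Join Defender's detection history with its threat catalogue so each entry shows
#    the threat name, the file it was found in, and whether the remediation action
#    succeeded (ActionSuccess = False is the "Remediation incomplete" / "Quarantine
#    failed" state seen on the Protection history page).
function Get-DefenderDetectionSummary {
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }

    foreach ($d in Get-MpThreatDetection) {
        $name = if ($threats.ContainsKey($d.ThreatID)) { $threats[$d.ThreatID].ThreatName }
                else { "ThreatID $($d.ThreatID)" }
        foreach ($res in $d.Resources) {
            [pscustomobject]@{
                Detected      = $d.InitialDetectionTime
                Threat        = $name
                Resource      = $res
                ActionSuccess = $d.ActionSuccess
                # Assumption: a detection inside a VSS snapshot carries a device path of the
                # form \Device\HarddiskVolumeShadowCopyN\... ; such a copy is dormant, not a
                # live file, which is the point Maurice makes about "VolumeShadowCopy9".
                InShadowCopy  = ($res -match 'HarddiskVolumeShadowCopy\d+')
            }
        }
    }
}

# 2. The Safety Scanner writes its final result to %SYSTEMROOT%\debug\msert.log.
#    The end-of-scan summary there is what counts, not the in-progress display.
function Show-MsertLogTail {
    param([int]$Lines = 25)
    $log = Join-Path $env:SystemRoot 'debug\msert.log'
    if (Test-Path $log) {
        Get-Content -Path $log -Tail $Lines
    } else {
        "msert.log not found at $log (the Safety Scanner has not been run on this machine)."
    }
}

# 3. Equivalent of "Check for Updates" followed by a Quick scan in the GUI, then the
#    signature version and scan timestamps so the result can be reported back.
function Invoke-DefenderQuickScan {
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
    Get-MpComputerStatus |
        Select-Object AntivirusSignatureVersion, QuickScanStartTime, QuickScanEndTime
}

Get-DefenderDetectionSummary | Format-Table -AutoSize
Show-MsertLogTail
Invoke-DefenderQuickScan
```

Entries with InShadowCopy = True and ActionSuccess = False are exactly the situation in this thread: Defender can see the file inside a read-only snapshot but cannot quarantine it there, so the history keeps reporting a failed remediation even though nothing is running from that path.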

@Maurice Naggar

Thanks again for all of your time and attention.  I greatly appreciate it.

I ran a Quick Scan, Full Scan and Offline Scan.  None of them turned up a current threat.  Is it possible the virus was successfully quarantined by Windows Security, despite the warnings of "remediation incomplete" and "quarantine failed"? 

This is a pretty serious virus, so I'm not sure I want to take any chances. The person assisting me on the MS forum is suggesting I do a system recovery to be safe, but for some reason I have no Windows restore points.

On a side note, I understand that the script you provided wasn't designed to -- and theoretically should not have -- affected my Quick Access in File Explorer, but it absolutely did. Prior to running the script I had numerous folders pinned there. After running the script they were all unpinned. Again, not a complaint or big deal -- just want you to be aware that the script could have minor unanticipated effects. As your above explanation points out, the script empties a number of directories -- one of those directories presumably contained my Quick Access preferences. Perhaps Windows 11 changed (relative to Windows 10) where Quick Access preferences are stored, and that new storage location coincides with a directory emptied by the script?


You indicate that this last scan reported zero malware. 

Quote

I ran a Quick Scan, Full Scan and Offline Scan.  None of them turned up a current threat.

The Microsoft classification is not one of a virus. They flagged a script of some sort that was (way deep) in an old snapshot in one of the storage areas for Volume Shadow Copies. Those are selected snapshots of selected user files that Windows makes. It was an HTML file, which, as I pointed out, was not active.

So, no, I do not consider this as a "serious" type event.   No, I would not advise a system restore due to a one-off HTML file.

If you would prefer or are inclined, you can elect to do a new different scan for malware.

Download Sophos Free Virus Removal Tool   and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Let me know what Sophos reports.   


@Maurice Naggar

I ran the scan.  The log is attached.

You asked me to confirm that it scanned certain areas of my computer.  I'm not sure how to do that?  Can you get that information from reviewing the attached log?

It found no threats.  It simply recommended deleting about a dozen cookies.   

However, after I clicked through a series of "next" prompts, the final screen said: "Malicious software was partially removed from your computer."  (See screenshot below.)  That confused me.  If it found no threats, what "malicious software" did it remove?  Is this a reference to the cookies it deleted?  I don't think of cookies as software.  

 

Screenshot 2021-12-04 104645.jpg


Sorry for bombarding you with questions, but I have one more follow-up...

The scan noted that two of my drivers are suspicious because: "Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software."  However, it didn't take any action against those drivers.  By default, Sophos ignored them.  Is that anything I should be concerned about?

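The Sophos wording "altered or corrupted since it was code signed" is the Authenticode status Windows itself reports as HashMismatch, and it can be checked independently of any scanner. The block below is an added example for this thread, not code from the thread, from Sophos or from Microsoft. It uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets; the SignatureType property it reads (Embedded, Catalog or None) is present on Windows 10 and later, and the default folder (the System32 driver store) is my choice, not something the thread names.

```powershell
# Added example, not from the thread. Run in PowerShell on Windows 10/11; no elevation
# is needed to read signatures and hashes of files in the driver store.

# Report the Authenticode state of every driver file in a folder.
function Get-DriverSignatureReport {
    param(
        # Folder to examine; the system driver store is assumed as a default.
        [string]$Path   = (Join-Path $env:SystemRoot 'System32\drivers'),
        [string]$Filter = '*.sys'
    )
    Get-ChildItem -Path $Path -Filter $Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File          = $_.Name
                Status        = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                SignatureType = $sig.SignatureType   # Embedded, Catalog or None (Windows 10 and later)
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Files worth a closer look. HashMismatch means the bytes no longer match the hash that was
# signed (what the scanner called "altered or corrupted"). NotSigned on a kernel driver is
# also unusual, because Windows 10/11 require signed drivers to load. A Catalog signature
# with Status = Valid is the normal case for Microsoft-shipped drivers and is not a finding.
function Get-SuspiciousDrivers {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers'))
    Get-DriverSignatureReport -Path $Path |
        Where-Object { $_.Status -in 'HashMismatch', 'NotSigned' }
}

# The SHA256 column can be pasted into VirusTotal's search box to check a file's
# reputation without uploading the file itself.
Get-SuspiciousDrivers | Format-Table File, Status, SignatureType, Signer, SHA256 -AutoSize
```

A HashMismatch on a driver that a vendor updater patched in place (rather than replacing the file) is a common benign explanation, so the hash lookup plus the signer name is the check to do before treating such a file as a threat; an unsigned or mismatched driver from an unknown signer is the case to escalate.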

Thank you for the log.  First, be sure you have done one Windows RESTART.  I believe it needed one RESTART so that it could finish removing what it tagged for removal.

Now, as far as suspicious things, the log only mentions 1 file, IntelAudioService.exe, which we (later on) can have checked through VirusTotal. (That's for later. Please do not have undue fretting.)

That is all that I see on this log. Again, let's not have undue worries. So here are the next steps.

[   1   ]

Do a Windows RESTART.

[  2   ]

We are done with Sophos VRT tool.  Now to uninstall it.

1. Press and hold the Windows key on the keyboard and then tap the R key to open the Run box window.
2. Type appwiz.cpl and tap Enter.

The Programs and Features window will appear. Locate "Sophos Virus Removal" on the list.

Do a right-click on it.  Then choose Uninstall.   Let it proceed.

Exit Programs and Features, when done.

[   NEXT   ]

I would suggest that you do this next scan. This is a known, respected tool. It will scan for viruses as well as for potentially unwanted applications (PUA or PUP).

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine and let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue "Save scan log" button to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

Please make sure you attach the log report.     ^_^


@Maurice Naggar

Sorry for my late reply.  I was away from my computer most of the day.

I wasn't able to locate Sophos in the list of installed programs, so I wasn't able to right-click and select "uninstall". I searched for the app a few other ways and couldn't find it. I guess it ran from the executable file without permanently installing??? Oh well, I'm not concerned about it.

I ran the ESET online scanner.  It didn't find anything.  The log is attached.

I realize that whatever Windows Security initially detected is most likely gone (or wasn't a true threat to begin with), but I appreciate your helping me run other virus detection programs to be sure. It helps give me peace of mind. Thank you so much.

 

eset online scanner log.txt


Thank you for the ESET log. It reports zero virus / zero malware / zero P U P / P U A.   That is re-assuring.

I have a new custom script. Its goals are (1) to clear out the old detection history of Microsoft Defender and (2) to attempt one new quick scan with Microsoft Defender.

First, please delete the file named Fixlist.txt that is currently in the Downloads folder of your system.

We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for  lurker316  only / for this machine only.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt


Start Windows Explorer and then go to the Downloads folder.

RIGHT click on FRSTENGLISH.exe and select Run as Administrator, and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the "More info" line on that screen
and click the "Run anyway" button on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it run and finish.   


I deleted the old version of Fixlist.txt and downloaded the new one.

Where do I find FRSTENGLISH.exe?  There's no file with that name in my download folder.  I must have deleted the version I had previously.  (Looking back through this thread, I'm not sure how I got that earlier copy.  I don't see where you instructed me to download it.)


This topic is now closed to further replies.