
Win32/Wacatac.G!ml


amdm88


Hi,
Can someone please help me with the below? Thanks.

It looks like I have a trojan/virus on board my Laptop according to Windows Defender.

(I have Windows 10.)
(I also have Malwarebytes Premium already.)

My Windows Defender repeatedly keeps showing this virus, Win32/Wacatac.H!ml, as being on my Laptop.
The messages/alerts from Windows Defender are constant and do not stop.

It will not let me delete it or quarantine it. Every time I click delete it or remove it & start action,
nothing happens and the messages/alerts keep coming.

I just tried to connect a USB drive to my Laptop but it now does not recognise an external USB drive?

Please can someone help me quickly to try and remove this Win32/Wacatac.H!ml from my Laptop?

I can also see another name of this Trojan = Backdoor:Win32/Bladabindi!ml

Can you please guide me?

And why is it Malwarebytes did not pick this up at all?

I cannot understand why Malwarebytes was unable to detect it?

Please advise URGENTLY?

Thank You

Andy


  • Root Admin

Hello @amdm88

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

Please run the following and post back the log once the scan has been completed.

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers: make sure all are fully exited out of, and messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders and all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.


Thank You for your reply.
I need to find the necessary free time in order to do the detailed work & scan required,
as per your mention: "It may take several hours."
As soon as I can, I will carry out the above instructions very soon & respond.

Thanks
Andy

Edited by AdvancedSetup
Corrected font issue

Hi
Could I please ask a question, as I am worried about it?

My question is - I have not re-booted my Laptop for the last 4 weeks
as daily I put it to sleep (and not shut down).

So, IF now, with this Wacatac infection on my Laptop, IF I re-boot, can the re-boot trigger
further smaller applications by this to appear and cause havoc?

Basically = is it safe to re-boot with this Wacatac infection?

I usually re-boot every 3 to 4 weeks in order to do maintenance, clean out Temp Files, delete history,
cookies etc etc etc, but now am not sure if I can or should re-boot?

Thanks again
Andy


  • Root Admin

It's unlikely, but possible. The detection is generic in nature. Leaving Windows running that long can itself pose issues.

I would need to get some logs to see if there is something there more menacing.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


Thanks for getting back.

OK - I will do this ASAP, starting with what you have just given.
It may be until tomorrow morning London time that I will get back to you with some results
on your request.
My Laptop has 64GB RAM,
2 X 250GB SSD drives,
Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz   4.00 GHz

so, I think, the Laptop will be ok or fast enough to do all the work required?

Andy


  • Root Admin

Please uninstall the following:

Bonjour

You should run a disk check on your E: drive.

Error: (09/06/2022 09:17:58 PM) (Source: Ntfs) (EventID: 55) (User: NT AUTHORITY)
Description: A corruption was discovered in the file system structure on volume E:.

Windows Defender believes this to be a Trojan, and it is what is triggering the detection alert.

D:\Sync\Sync.Cache\restored\b7d048525adf08d837cf6c38be9b5686a05c0d6e.1662507571401315.tmp

 

Windows Defender:
================
Date: 2022-09-07 00:39:31
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.H!ml&threatid=2147814523&enterprise=0
Name: Trojan:Win32/Wacatac.H!ml
Severity: Severe
Category: Trojan
Path: file:_D:\Sync\Sync.Cache\restored\b7d048525adf08d837cf6c38be9b5686a05c0d6e.1662507571401315.tmp
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\AM\AppData\Local\Programs\Sync\sync-worker.exe
Security intelligence Version: AV: 1.373.1653.0, AS: 1.373.1653.0, NIS: 1.373.1653.0
Engine Version: AM: 1.1.19500.2, NIS: 1.1.19500.2

 

And here are other detections. You need to review this SYNC process and see what it's doing, and if it is safe, perhaps submit it to Microsoft as a False Positive.

 

Date: 2022-09-07 00:30:40
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.H!ml&threatid=2147814523&enterprise=0
Name: Trojan:Win32/Wacatac.H!ml
Severity: Severe
Category: Trojan
Path: file:_D:\Sync\Sync.Cache\restored\b7d048525adf08d837cf6c38be9b5686a05c0d6e.1662507040786367.tmp
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\AM\AppData\Local\Programs\Sync\sync-worker.exe
Security intelligence Version: AV: 1.373.1653.0, AS: 1.373.1653.0, NIS: 1.373.1653.0
Engine Version: AM: 1.1.19500.2, NIS: 1.1.19500.2

Date: 2022-09-07 00:30:19
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.H!ml&threatid=2147814523&enterprise=0
Name: Trojan:Win32/Wacatac.H!ml
Severity: Severe
Category: Trojan
Path: file:_D:\Sync\Sync.Cache\restored\b7d048525adf08d837cf6c38be9b5686a05c0d6e.1662507019260208.tmp
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\AM\AppData\Local\Programs\Sync\sync-worker.exe
Security intelligence Version: AV: 1.373.1653.0, AS: 1.373.1653.0, NIS: 1.373.1653.0
Engine Version: AM: 1.1.19500.2, NIS: 1.1.19500.2

Date: 2022-09-07 00:12:19
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.H!ml&threatid=2147814523&enterprise=0
Name: Trojan:Win32/Wacatac.H!ml
Severity: Severe
Category: Trojan
Path: file:_D:\Sync\Sync.Cache\restored\b7d048525adf08d837cf6c38be9b5686a05c0d6e.1662505938692097.tmp
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\AM\AppData\Local\Programs\Sync\sync-worker.exe
Security intelligence Version: AV: 1.373.1653.0, AS: 1.373.1653.0, NIS: 1.373.1653.0
Engine Version: AM: 1.1.19500.2, NIS: 1.1.19500.2

Date: 2022-09-06 23:24:35
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.H!ml&threatid=2147814523&enterprise=0
Name: Trojan:Win32/Wacatac.H!ml
Severity: Severe
Category: Trojan
Path: file:_D:\Sync\Sync.Cache\restored\b7d048525adf08d837cf6c38be9b5686a05c0d6e.1662503074913816.tmp
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\AM\AppData\Local\Programs\Sync\sync-worker.exe
Security intelligence Version: AV: 1.373.1653.0, AS: 1.373.1653.0, NIS: 1.373.1653.0
Engine Version: AM: 1.1.19500.2, NIS: 1.1.19500.2

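The detection records above give a defender three things to check before deciding whether this is a false positive: what Defender itself has logged, how many processes and paths are involved, and whether the process that wrote the flagged files is the signed binary of the vendor it claims to be. The following PowerShell is an added example and is not part of the thread or of Malwarebytes' or Sync's own tooling; it assumes an elevated PowerShell on Windows 10 with the Defender module available, and it reuses the process and cache paths quoted in the detection records (any other machine would substitute its own). The `!ml` suffix in the threat name marks a machine-learning classification rather than a signature match, which is why the admin calls the detection generic and why a signature and hash check on the triggering process is the first useful piece of evidence.

```powershell
# Added example, not from the thread or from Malwarebytes: triage the Defender
# detections quoted above before deciding whether they are a false positive.
# Assumptions: elevated PowerShell 5.1+ on Windows 10 with the Defender module;
# $suspectProcess and $cacheDir are the paths Defender reported in the thread.

$suspectProcess = 'C:\Users\AM\AppData\Local\Programs\Sync\sync-worker.exe'
$cacheDir       = 'D:\Sync\Sync.Cache\restored'

# 1. Pull Defender's own detection history and join it to the threat catalogue.
#    Get-MpThreat gives name/severity per ThreatID; Get-MpThreatDetection gives each event.
$threatsById = @{}
foreach ($t in Get-MpThreat) { $threatsById[$t.ThreatID] = $t }

$events = foreach ($d in Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending) {
    $t = $threatsById[$d.ThreatID]
    [pscustomobject]@{
        Time      = $d.InitialDetectionTime
        Threat    = if ($t) { $t.ThreatName } else { "ThreatID $($d.ThreatID)" }
        Severity  = if ($t) { $t.SeverityID } else { $null }
        Resource  = ($d.Resources -join '; ')
        Process   = $d.ProcessName
        Succeeded = $d.ActionSuccess
    }
}
$events | Select-Object -First 20 | Format-Table -AutoSize -Wrap

# 2. How many distinct processes are involved? Repeated hits on transient .tmp files
#    written by a single application, as in the thread, look different from a
#    detection that spreads across many processes and user-profile locations.
$events | Group-Object Process | Select-Object Count, Name | Format-Table -AutoSize

# 3. Check the triggering process itself: publisher signature, version info and hash.
#    A valid signature from the expected vendor supports the false-positive theory;
#    the SHA-256 is what a vendor or Microsoft sample submission will ask for.
if (Test-Path -LiteralPath $suspectProcess) {
    $sig = Get-AuthenticodeSignature -FilePath $suspectProcess
    $ver = (Get-Item -LiteralPath $suspectProcess).VersionInfo
    [pscustomobject]@{
        Path      = $suspectProcess
        SigStatus = $sig.Status                       # 'Valid' is what you want to see
        Signer    = $sig.SignerCertificate.Subject
        Product   = $ver.ProductName
        Version   = $ver.FileVersion
        Sha256    = (Get-FileHash -LiteralPath $suspectProcess -Algorithm SHA256).Hash
    } | Format-List
} else {
    Write-Warning "Process not found at $suspectProcess"
}

# 4. The flagged .tmp files live in a cache the application creates on the fly, so they
#    may be gone by the time you look. Listing the folder with -Force (hidden items too)
#    answers the question raised in the thread of whether the path exists at all.
if (Test-Path -LiteralPath $cacheDir) {
    Get-ChildItem -LiteralPath $cacheDir -Force | Select-Object Name, Length, LastWriteTime
} else {
    "Cache folder $cacheDir is not present right now (it may exist only while a restore runs)."
}
```

Read the output in that order: a single signed process repeatedly touching its own temporary cache is the pattern of a sync client doing its job, whereas a missing or invalid signature, an unexpected signer, or detections spread across several processes would argue for continuing the cleanup the admin outlined instead of filing a false-positive report.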

Bonjour
1 - I don't have an 'E' drive - this was when I inserted the USB external drive earlier this evening to save some data. So, this may have caused this error to flash up.

2 - SYNC is a Cloud-based server - I use the SYNC company's server, which is named Sync.
However, I have looked here under Sync on my PC & I cannot find D:\Sync\Sync.Cache\restored\ anywhere (the Sync.Cache\restored\ ).
I use Sync every day as I share files with a partner of mine.

3 - The SYNC process is safe - it is highly likely Windows Defender is the 'culprit' in naming this. This MS Windows culprit is a very poor design: I have many applications I run constantly & now for several years, and the fact is = nearly all of the many applications have never been questioned or stopped by Wind. Defender, then suddenly it gets up & decides 1 app or another is a 'Trojan'.
Fact is = the apps are very similar to each other = so if it is fine with most, why suddenly does it get its knickers in a twist with just 1 app?
Sync is a server I use daily & constantly & have been for many years now, and it is 100% safe, so nothing wrong with it.
Yes, I will report this to MS as a false alert, if I can find who to report this to?
I have checked the others listed and all point a path to Sync = what I will do is write to Sync Support and ask them to explain and help if they can?
* I have already written to Sync asking them to explain = sync-worker.exe as the process name? What is this? And what are its functions?
* So, will await their reply.
*** Also I would like to state - this path = D:\Sync\Sync.Cache\restored\ = is nowhere to be located or found? And as I cannot see it, I can't go any further with this & I not only looked at my PC but also looked at Sync's web panel - there is no such path or name?
No 'restored' folder either, however I do restore files from time to time from the backup when I need them.

But in the meantime what else can I do?
I looked on the Microsoft link you sent = not much info in there.

Is there anything else you need me to do?
Scan or provide you with more info?

Thanks
Andy

Edited by AdvancedSetup
Corrected font issue

  • Root Admin

Regardless of what drive gets assigned, that USB drive appears to have corruption. I would suggest you connect it and run a disk check on it.

Example from an elevated admin command prompt, assuming the E: volume is assigned to it:

CHKDSK E: /F

 

Make sure you enable your system to show Hidden Files and Folders.

https://support.microsoft.com/en-us/windows/view-hidden-files-and-folders-in-windows-97fbc472-c603-9d90-91d0-1166d1d9f4b5#WindowsVersion=Windows_10

The Sync process could be creating the folder on the fly, which is why you don't see it. See what Sync Support has to say.

 

At this point in time there isn't anything else to do except wait for Sync to reply.

 

Please see if you can submit to Microsoft from the following link

https://www.microsoft.com/en-us/wdsi/filesubmission/

 

Microsoft Defender SmartScreen Frequently Asked Questions
https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx

Microsoft - Report unsafe site
https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site

How Microsoft identifies malware and potentially unwanted applications
https://docs.microsoft.com/en-us/microsoft-365/security/intelligence/criteria?view=o365-worldwide

 

We need to wait to hear back. Cleaning or removing something that is not a real infection would cause unwanted results to your system, @amdm88.


Yes, I agree - let's wait for Sync Support to reply and enlighten me.
Thanks for the MS link to report the 'FALSE' alerts.
Yes, I agree if we deleted any files or removed them, it could cause more
unwanted problems, so I won't be doing that.

I will check the USB drive (E Disk) & see

As soon as I hear back from Sync Support, I will come back & update this thread.

Lastly = Thank You for your help once again.

Andy

  • Like 1

Hi
I just got the reply back from Sync, so here it is below:

"Victor M (Sync.com)

Sep 7, 2022, 3:03 AM EDT

Hello Andy,

Thanks for contacting Sync.
 
sync-worker.exe is an essential part of the Sync application related to the uploads and downloads that are processing.
 
We would advise you to run an antivirus scan, Malwarebytes for example, to ensure that there are no actual viruses at all. 99% of the time this is just a false flag, but it pays to be sure.
 
We also recommend you set exceptions for Sync within Windows Defender.
 
Check out our guide to do so here:
https://www.sync.com/help/how-do-i-stop-windows-firewall-and-defender-from-blocking-sync-windows-10/
 
We have a guide for older Windows versions as well:
https://www.sync.com/help/how-do-i-stop-windows-firewall-or-defender-from-blocking-sync-from-syncing/
 
Let me know if this helps.

Thanks again,
Victor"

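Sync's reply recommends an exclusion, and Sync's own guide (linked in the reply) walks through the Defender settings UI. The PowerShell below is an added example, not the thread's, Sync's or Malwarebytes' code, showing the same exclusion applied from the command line but scoped as narrowly as possible and gated on a signature check, because an exclusion for an unsigned or replaced binary is exactly what real malware would benefit from. It assumes an elevated PowerShell on Windows 10 with the Defender module, and reuses the executable and cache paths that Defender reported earlier in the thread.

```powershell
# Added example, not from the thread, from Sync, or from Malwarebytes: apply the
# exclusion Sync recommends, narrowly scoped and only after a signature check.
# Assumptions: elevated PowerShell on Windows 10 with the Defender module;
# $syncExe and $syncCache are the paths Defender reported in the thread.

$syncExe   = 'C:\Users\AM\AppData\Local\Programs\Sync\sync-worker.exe'
$syncCache = 'D:\Sync\Sync.Cache'

# Gate: never exclude an unsigned or tampered binary. If the signature is not valid,
# stop here and keep treating the detection as real.
$sig = Get-AuthenticodeSignature -FilePath $syncExe
if ($sig.Status -ne 'Valid') {
    throw "Refusing to exclude $syncExe : signature status is '$($sig.Status)'"
}
"Signer: $($sig.SignerCertificate.Subject)"

# Process exclusion: files opened by this one executable are skipped by real-time
# scanning. This is narrower than excluding every file under the application's folders.
Add-MpPreference -ExclusionProcess $syncExe

# Path exclusion only for the transient cache that produced the .tmp detections,
# not for the synced documents themselves, which should stay scanned.
Add-MpPreference -ExclusionPath $syncCache

# Verify the resulting policy so no broader exclusion slipped in.
$pref = Get-MpPreference
"Excluded processes: $($pref.ExclusionProcess -join ', ')"
"Excluded paths:     $($pref.ExclusionPath -join ', ')"

# Keep watching: any detection logged after the change that still names this
# process, or a different process, means the exclusion did not explain the alerts.
$since = (Get-Date).AddDays(-1)
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt $since } |
    Select-Object InitialDetectionTime, ProcessName,
                  @{ n = 'Resource'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize -Wrap

# Rollback, if the exclusion later turns out to be unjustified:
#   Remove-MpPreference -ExclusionProcess $syncExe
#   Remove-MpPreference -ExclusionPath    $syncCache
```

Two design points: the signature gate runs every time the script is used, so a later update that replaced the binary with something unsigned would be refused rather than silently inherit the exclusion, and the sample should still be submitted through the Microsoft link the admin posted, since a corrected classification on Microsoft's side lets the exclusion be removed again instead of living on indefinitely.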

OK, will set up the exclusions
and will re-boot, but

I have a problem.....

I can't do it just yet - will try and find today later on
Have to drop everything as my Dad has been rushed to Hospital and 
needed a Blood Transfusion so will be back but for now, Please bear with me
as I need to be by his side.
Thanks a lot for your understanding - I will be back as soon as I can ok

Best wishes
Andy


  • 2 weeks later...

Hey
Thanks for following up.
My apologies, I was not able to come back and am still not able to yet, but hopefully soon
I can come back here and carry on.
What happened was after Dad ended up in hospital in a serious condition, Mum got taken in
soon after in Whittington Hospital for a Major Back Operation lasting 6 hrs.
So, I have been very busy helping her and during the hospital stay etc and throughout.
So, Please bear with me & I will get back to you once this is all settled hoping it is soon.
I hope this is ok? 
Thanks
Andy


  • 2 months later...
  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

This topic is now closed to further replies.