Canvas, Posted May 16, ID:1567663

Windows Defender has detected Wacatac.H!ml, despite me not having downloaded anything recently besides Steam games. I'm not sure how this is possible and how I could have prevented this. Logs attached below are from after Windows Defender has quarantined it.

Attachments: FRST.txt, Addition.txt, scan_results.txt
Maurice Naggar, Posted May 16, ID:1567690

Hi. Do you notice that the flagged sub-folders are the CACHE area of the Firefox browser? I would suggest that you delete the Cache on Firefox, along with the browsing history: https://support.mozilla.org/en-US/kb/how-clear-firefox-cache
That is the first thing to do.

( 2 ) The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand. This link is for the 64-bit version of MSERT.exe. Be sure you save the file first: https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, please make sure you exit out of any other program you might have open so that the sole task is to run the following scan. That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan: look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.
Then start the scan.

Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is in the log-report-file. This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log; it will be at Windows\debug\msert.log. Please attach that log with your reply.

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service, which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

NOTES:
1. There are a large number of scheduled tasks on this machine that have "no path". In other words, null leftovers. We will want to do a custom run later.
2. Know that Malwarebytes has its own scan engine and scan rules, different from Microsoft Defender antivirus.
3. What MS Defender flagged are on 1 user profile's cache sub-folder of Firefox...some zip-type file that has some script that Defender flags as a threat.

Edited May 16 by Maurice Naggar
Canvas (Author), Posted May 17, ID:1567791

Thanks Maurice, I cleared the cache but forgot to clear the history until after the scan was run. Should I re-do it? Nothing was detected as per the logs.

Attachment: msert.log
Maurice Naggar, Posted May 17, ID:1567800

MS Safety Scanner found no threats. Bravo. So I would expect a scan with the Microsoft Defender antivirus to also find no threats.

[ Do a custom scan with Microsoft Defender Antivirus ]
Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.
Next, look at the left-side menu & select Windows Security.
Next, in the Windows Security section, click on the grey button Open Windows Security.
Now, click on the shield Virus and threat protection.
Look to see that Microsoft Defender is shown & available for use.
On the next display, look at all the options. Look down the list and see "Check for Updates". You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete.
Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward.
Once it has started the scan phase, you can go take a long break.

Let me know the results.
Canvas (Author), Posted May 17, ID:1567821

All done. Windows Defender is working fine and active. No threats found for the C: drive scan. I'm still not completely convinced this is a real detection as no unusual behavior was observed. If I had access to the files I would upload them to VirusTotal but they're quarantined.
AdvancedSetup (Root Admin), Posted May 17, ID:1567824

@Canvas While you wait for @Maurice Naggar (has probably gone to bed by now), please run the following and he will get back with you with more advice tomorrow.

SecurityCheck by glax24
I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.
Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
If Microsoft SmartScreen blocks the download, click through to save the file. This tool is safe. SmartScreen is overly sensitive. If SmartScreen blocks the file from running, click on More info and Run anyway.
Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open a text file named SecurityCheck.txt.
Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you
Canvas (Author), Posted May 17, ID:1567828

Thanks AdvancedSetup

Attachment: SecurityCheck.txt
Maurice Naggar (Solution), Posted May 17, ID:1567891

Thanks for the SecurityCheck report. It shows 2 applications that are in need of updating to the latest release:
GitHub Desktop v.3.2.0 Warning! Download Update
Discord v.1.0.9008 Warning! Download Update

( 2 ) There are quite a few scheduled tasks that have no file path. Those will be cleaned up by the following procedure. Please run the following custom script. Read all of this before you start.

Please close all open work. FRST64.exe is already on this machine on C:\Users\redyo\OneDrive\Desktop
Please download the attached fixlist.txt file and save it to C:\Users\redyo\OneDrive\Desktop
Fixlist.txt (attached)

NOTE. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder.
RIGHT-click on FRST64 and select RUN as Administrator and reply YES to allow it to go forward to start. That is important so that this run has Elevated Administrator rights!!
NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will provide a fresh report on MS Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more. The system will be rebooted after the script has finished. Attach FIXLOG.txt with your next reply.

( 3 ) I suggest you do one new scan with Malwarebytes. After it completes, get and attach a copy of that run-report. Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4 😉
Canvas (Author), Posted May 18, ID:1567988

Thanks Maurice. Nothing was detected. I did a full scan.

Attachments: Scan 18.05.23.txt, Fixlog.txt
Maurice Naggar, Posted May 18, ID:1568021

The custom run is beneficial. Windows Resource Protection found corrupt files and successfully repaired them. The no-file-path scheduled tasks were removed.

Keep in mind that Malwarebytes & Microsoft Defender each have their own distinct detection engines and rules. What Microsoft Defender had detected & removed were contained in compressed files. It detected 2 scripts as threats:
C:\Users\redyo\AppData\Local\Mozilla\Firefox\Profiles\fnq42o0m.default-release\cache2\entries\66289828DE443E46133ADC9834D20B5FF1218335->(GZip)->(SCRIPT0012)
C:\Users\redyo\AppData\Local\Mozilla\Firefox\Profiles\fnq42o0m.default-release\cache2\entries\66289828DE443E46133ADC9834D20B5FF1218335->(GZip)->(SCRIPT0019)

I believe that Defender's quarantine area is at C:\ProgramData\Microsoft\Windows Defender\Quarantine
Keep in mind that folder is a system protected folder. You may possibly see quarantined files in the sub-folder C:\ProgramData\Microsoft\Windows Defender\Quarantine\entries
Possibly within C:\ProgramData\Microsoft\Windows Defender\LocalCopy

Where to submit a file for analysis:
To Microsoft: https://www.microsoft.com/en-us/wdsi/filesubmission
To VirusTotal: https://www.virustotal.com/gui/home/upload

At this point, this machine does not have malware.
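To find out which site served a flagged cache2 entry like the one above, here is an added Python example (my own code, not from this thread, Mozilla or Malwarebytes) that parses a Firefox cache2 entry file, recovers the request URL from the cache key, checks for the gzip layer that Defender's detection path shows, and derives the file name Firefox would give the entry. The metadata layout and the SHA-1 naming rule are my reading of the cache2 format, and build_entry only produces a constructed fixture (example.test is a placeholder domain) so the parser can be exercised offline.

```python
import gzip
import hashlib
import struct

CHUNK_SIZE = 256 * 1024  # cache2 data chunk size; the metadata holds one 16-bit hash per chunk

def key_to_url(key: str) -> str:
    """A cache key is '<tag>,<tag>,...:<url>'; tags like 'a,' or 'O^partitionKey=...,' precede the ':'."""
    if key.startswith(":"):
        return key[1:]
    _, sep, url = key.partition(",:")
    return url if sep else key

def parse_cache2_entry(raw: bytes) -> dict:
    """Parse a Firefox cache2 entry: [body][metadata][4-byte big-endian offset of the metadata]."""
    meta_off = struct.unpack(">I", raw[-4:])[0]
    body = raw[:meta_off]
    n_chunks = -(-meta_off // CHUNK_SIZE)  # ceiling division
    p = meta_off + 4 + 2 * n_chunks  # skip the metadata hash and the per-chunk hashes
    version, fetch_count, _lf, _lm, _fr, _exp, key_size = struct.unpack(">7I", raw[p:p + 28])
    p += 28 + (4 if version >= 2 else 0)  # a 'flags' field follows the header from version 2 on
    key = raw[p:p + key_size].decode("utf-8", "replace")
    p += key_size + 1  # the key is NUL-terminated
    parts = raw[p:-4].split(b"\x00")  # element key/value strings, each NUL-terminated
    elements = {k.decode("latin-1"): v.decode("latin-1") for k, v in zip(parts[0::2], parts[1::2])}
    is_gzip = body[:2] == b"\x1f\x8b"  # Defender's '->(GZip)->' layer: the body is stored gzip-encoded
    return {
        "url": key_to_url(key),
        "version": version,
        "fetch_count": fetch_count,
        "response_head": elements.get("response-head", ""),
        "is_gzip": is_gzip,
        "content": gzip.decompress(body) if is_gzip else body,
        "expected_file_name": hashlib.sha1(key.encode()).hexdigest().upper(),  # file name = SHA-1 of the key
    }

def build_entry(key: str, body: bytes, response_head: str) -> bytes:
    """Constructed fixture in the same layout (version 3, zeroed hashes); not a file written by Firefox."""
    n_chunks = -(-len(body) // CHUNK_SIZE)
    header = struct.pack(">8I", 3, 1, 0, 0, 0, 0, len(key.encode()), 0)
    elements = b"response-head\x00" + response_head.encode() + b"\x00"
    meta = b"\x00" * (4 + 2 * n_chunks) + header + key.encode() + b"\x00" + elements
    return body + meta + struct.pack(">I", len(body))

def demo() -> dict:
    """Round-trip a constructed gzip-encoded script entry (example.test is a placeholder domain)."""
    key = "O^partitionKey=%28https%2Cexample.test%29,:https://cdn.example.test/app.js"
    head = "HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
    return parse_cache2_entry(build_entry(key, gzip.compress(b"console.log('hi')"), head))
```

Against a real entry, call parse_cache2_entry on the file's bytes and compare expected_file_name with the file's name to confirm the key was read correctly; the response_head element then shows the server headers and the content the script body that Defender scanned.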
Canvas (Author), Posted May 19, ID:1568126

In case anyone googles a similar signature: VirusTotal found nothing when I uploaded the entry. I also submitted to Microsoft. Thanks Maurice for your help. It looks like a false positive. I'll end this thread.
Maurice Naggar, Posted May 19, ID:1568182

Hi @Canvas
Do me a favor. If you located the 2 zip-compressed copies in that Quarantine, could you zip them and attach them in a reply. Thanks. Let me know if you need some other help.

To remove the FRST64 tool & its work files, do this. Go to your Desktop folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.
Delete msert.exe
Delete Securitycheck.exe
Any other download file I had you download, you may delete.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download
Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

As to web browsers, your Firefox has Malwarebytes Browser Guard. You should add Malwarebytes Browser Guard onto the Edge browser. For the EDGE browser: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser
Canvas (Author), Posted May 20, ID:1568241

Hey Maurice, I'm sorry, I deleted the file yesterday after I made a submission to Microsoft. The file wasn't zipped. I'll retain the files next time for analysis. Thanks for your recommendation, I already use Browser Guard. Thanks again for your help!
Maurice Naggar, Posted May 20, ID:1568325

We can proceed with cleanup of the tools we used.
To remove the FRST64 tool & its work files, do this. Go to your Desktop folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.
Delete msert.exe
Delete Securitycheck.exe
Any other download file I had you download, you may delete.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download
Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure. I wish you all the best. Stay safe.
Sincerely.
Maurice
Maurice Naggar, Posted May 20, ID:1568326

Glad we could help.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following to help you better protect your computer and privacy: Tips to help protect from infection
Thank you