Jump to content

Worried about Trojan:Script/Wacatac.B!ml lingering


Go to solution Solved by Maurice Naggar,

Recommended Posts

I had a scan from Windows Defender last night and it found a threat and blocked it. I chose to do the Remove action on the virus, however looking up about the trojan online has me doubtful that it is actually gone from my computer. I did another full scan with Windows Defender and a Threat Scan with Malwarebytes that came clear today but I'm very worried that the dangerous trojan is still on my System. 

I can't check if the threat was removed via Windows Defender Protection History as nothing shows up for the history, though I did take a snapshot of the Threat being found.
The blocked out section is just my email username. Section reads Attachments\username Voucher.

image.thumb.jpeg.1ad209ef1a8d964c3737ef57787a50c4.jpeg

What can I do to guarantee that this virus is gone?

Addition.txt FRST.txt TScanMB19-06-23.txt

Link to post
Share on other sites

Hello :welcome: @APurpleNarwhal

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

What was flagged was in a temporary-type file & was apparently a HTML form from a website. ( we will later run a custom script to empty out all temporary-type files). For the time being, do this special scan.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Link to post
Share on other sites

I've set File Explorer to Show All Folders, downloaded MSERT and ran the custom scan on the C drive with it as the only process.
Attached is the MSERT log.

Not sure if it matters but I run two drives: a C drive SSD which has the windows stuff, and an E drive HDD which has games and other files.

The Show Libraries in the navigation pane was also unchecked before I enabled showing all folders, but I left it as is.

msert.log

Link to post
Share on other sites

Thanks. The MS Safety Scanner found no threats of any sort. This indicates that any old "threats" are no longer present.

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Tue Jun 20 16:51:05 2023

I expect that what you saw on-screen is a old leftover trace of history. For now, let us just do a different scan.

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.
Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post
Share on other sites

  • Solution
Cleaned files: 2
E:\backup\Documents\HiSuite\backup\HUAWEI P9_2019-12-01 14.30.44\com.nekki.vector.apk	a variant of Android/Inmobi.D potentially unsafe application	cleaned by deleting

E:\gigabyte\Other\Marvell\MSU\Setup.exe	Win32/PrcView potentially unsafe application	cleaned by deleting

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will reset the Winsock file. It will get selected readouts on some Windows services. It will attempt to clear temporary cache files on web browsers. It will attempt to do scans with Microsoft Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more. You will see a green scrolling bar when the FRST64 custom script is running, on the FRST64 window.

This next job will end all open applications and then do its work. Please read all of this. Close and save any currently open work you may have at this time.

The tool FRST64.exe tool  is already on this machine on your  Desktop folder   ( keep that in mind )

Please download the attached fixlist.txt file and save it to  folder Desktop

Fixlist.txt<-- - - - -

 

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the DESKTOP folder

RIGHT-Click on   FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. We will do more, later.

Please have much patience. I am a volunteer. I am not on all the time.

  • Thanks 1
Link to post
Share on other sites

The custom-run is good. The Windows System File Checker has made some corrections.

Windows Resource Protection found corrupt files and successfully repaired them.


This last run has completed what was originally intended. The ".shtml" file cited in screen-grab does not exist. The old history of MS Defender was been cleared. Let us now do a manual quick scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click on "Quick scan".

Once it has started the scan phase, you can go take a break.   Let me know the results.

Link to post
Share on other sites

You just need to adjust Malwarebytes setting. Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

>  Then go about running the MS Defender scan,

Link to post
Share on other sites

First, recall that the MS Defender message display from the 18th did show

status removed


While granted the MS Defender is super picky, there is no basis for surmising that the flagging was a false positive.
You are over-thinking it.
2 suggestions here. The first is for housecleaning of temporary files.
( 1 )
Open an elevated Command-prompt window i.e. run Command Prompt as an administrator .

On the Taskbar Search box, type in

cmd.exe


click the line for "run as administrator"


On that Command-prompt,  Copy & Paste this command

cleanmgr.exe

press Enter-key on keyboard   and watch & write down the result


on the tab "Disk Cleanup"
then on the scrollable window marked "Files to Delete"
be sure to UN-tick the box on the line "Downloaded Program files"

DO tick the check boxes on these lines:
Windows Update Cleanup
Windows upgrade log files
Temporary Internet Files
Recycle Bin
Temporary files

Any other lines you can un-tick. The 5 lines selected above should account for a sizable amount of space that can be freed-up.

then click OK to proceed

you will get a "Are you sure" prompt
click on "Delete Files" button

It will show a progress window. When it finished, it will auto-close its window.

( 2 )
If it helps you to allay your concerns, you can consider to change all passwords for all your accounts.
see this post https://forums.malwarebytes.com/topic/284814-are-your-passwords-in-the-green/

Link to post
Share on other sites

I was worried as the trojan file seemed to be an email attachment from an email I received two months ago. I don't recall opening the attachment at all, however it ended up still being on my PC. The real-time protection from my antivirus apps didn't detect anything for over the two months, up until I manually full scanned last Sunday. My previous manual scan was a long while ago, so I fear it may potentially have stuck around on my PC for up to two months. 
To be safe, I'll change my passwords anyways. Probably a good habit to do it every so often, along with the scans.

When I wrote the cleanmgr.exe line and pressed Enter, the result was Disk Cleanup being opened. I didn't observe anything else occuring.
For the Disk Cleanup, I couldn't find a line for the Windows upgrade log files, so I checked off the four that I could see.

If I'm not mistaken, it looks like everything is all good for my PC.
Thanks for helping guide me and repairing my PC, Maurice. I appreciate the assistance immensely.

Link to post
Share on other sites

@APurpleNarwhal You mentioned you did run Cleanmgr for as many options that you saw. Alright. We are nearly near the end.

1. Just do a new scan with Malwarebytes.

( 2 )

Temporarily disable Microsoft SmartScreen to download the next software below 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then
                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.

Link to post
Share on other sites

Per SecurityCheck these application programs need your attention.
Microsoft Visual Studio Code (User) v.1.77.3  Warning! Download Update

Discord v.1.0.9010  Warning! Download Update

Microsoft Teams v.1.5.00.30767  Warning! Download Update

Zoom v.5.14.8 (16213)  Warning! Download Update

Razer Cortex v.10.7.7.0  Warning! Computer experts no longer recommend this program.

The Malwarebytes scan is very good. We can proceed to wrap-up this case.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_2-14.exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)
  • Delete mb-support-1.8.7.918.exe
  • Delete mbst-grab-results.zip on the Desktop.


Sincerely.

Link to post
Share on other sites

The run is fine. This Windows system is good-to-go. All clear.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.


Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"  

Stay safe.

  • Like 1
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

  • Thanks 1
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.