Help needed to remove Trojan:Win32/Wacatac.B!ml


Solved by Maurice Naggar

Hi. 

Nowadays, I have some performance problems in games and other applications on my PC. I knew something was not right, and I started a full scan with Windows Defender. It found Trojan:Win32/Wacatac.B!ml. Then, I selected to quarantine it. I think it failed:

[screenshot of the Windows Defender result]

After some research, it seems this trojan is very difficult to remove and clear from the system. I need help, please help me.


Hello. My name is Maurice. I will guide you.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    Do these 2 steps so that ALL folders & files are set to SHOW, and also turn OFF Windows Fast Startup.
    1. Show-Hidden-Folders-Files-Extensions
    https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

    2. Disable-Fast-Startup
    https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

    3. At this point, be sure you do a Windows Restart.

Next

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first.

Upon completion of the save, please make sure you exit out of any other program you might have open, so that the sole task is to run the following scan.
That goes especially for web browsers: make sure all are fully exited, and that messenger programs are exited and closed as well.

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
Again, any on-screen display about a repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is in the log report file.


This is likely to run for many hours (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log, and it will be at

Windows\debug\msert.log

Please attach that log with your reply.

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.


Thank you for your message. Before your message, I clicked the remove action and Windows Defender removed the file in my Downloads that has the trojan. I checked the file in Downloads, and it had disappeared. Then, I started a full scan again. I am sorry, I didn't know that I shouldn't start any other scans. Should I continue the process you told me? I think I have to, because I have doubts.


The Safety Scanner scan result is all good.

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Wed Jan 31 21:52:12 2024

We can do other checks.

Malwarebytes can detect and remove most malware with no further actions required for free.

Please download, install, update Malwarebytes
from this link

and do a Threat Scan with Malwarebytes (see the guide link)
and post back the log as shown below.
Then, locate the scan run report, export a copy, and attach it with your reply.
See the how-to link.

Next

I would like a report set for review. This is a report only. This is the first beginning step so I can see what is what on this particular machine.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.

 


Please do the following actions, so that Microsoft Defender antivirus runs side-by-side along with Malwarebytes.
Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off. Be sure that line's radio-button selection is all the way to the left. Thanks. }
IF that line selection is greyed out and unavailable, do not fret. Just skip over that.

This will not affect any real-time protection of Malwarebytes for Windows 😃.

Close Malwarebytes.


Next, Please do a Windows Restart.

Next

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1: This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. This removes a GoogleUpdater pest infection that is on this machine. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear cache files of web browsers. It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRSTENGLISH.exe program location: Downloads folder. The tool is already on the system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt (attached)

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator", and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

Try to remember what you downloaded recently, because that is the likely source of the GoogleUpdater infection.


What I wrote in the intro section, in general, was to check with me first if you were making system changes or installing a new app.

None of my wording meant that you were prevented from being able to use this Windows PC.

You can reasonably do your normal thing while we are not at some point running a special scan. I have no idea why you just said

"I can't work."

The custom-run is good. The Windows System File Checker has made some corrections.

Windows Resource Protection found corrupt files and successfully repaired them.
This last run has completed what was originally intended. 

The Microsoft Defender antivirus is in good state, is running, and is up-to-date with definitions, and the GoogleUpdater pest infection has been removed. 🔆

Further, Microsoft Defender ought to now be clear of any "existing / active" Wacatac.B!ml.


After you told me, I looked at the protection history again and the Wacatac is not there. Only the nvcontainer.exe thing, which is related to Nvidia, appears there. What does it mean? Is the system clear, or was that a false positive? I am asking about a false positive because I searched on the internet and there it also said that it can be a false positive due to the B!ml (machine learning), which leads to a high probability of being a false positive. But I think it is fixed now, because when it found it, I told it to quarantine it. And it couldn't quarantine the trojan at all. It worked at 20% of CPU for almost 1 hour, or maybe a little more than an hour, and it said incomplete. After that I panicked and again clicked to remove it. I clicked Actions > Remove instead of Quarantine this time. It worked again at about 20% of CPU. Then, I again started a full scan before your warnings, because I didn't know I wasn't supposed to start any scans, and Windows Defender didn't find anything at all. But the trojan warning was still there. When I checked the file it showed, it had been deleted from Downloads. Now, what do you think? Is the system clear, or was that a false positive?

I am going to full scan again with Windows Defender to see what is going to be found. Let me know any suggestions. I am also considering uploading all personal data and important stuff to the cloud (like Google, Dropbox, etc.) and then formatting the computer, either keeping Windows or also deleting Windows and making everything from zero. Would you suggest that to me?

Thank you very much again.


Let me know about the full scan and also see about attaching the report. Then take a break.

I can have you do a new custom Fix run in Safe Mode. Bottom line is that there is only just a glitch in the way that the History cleanup of MS Defender is not fully complete.

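An added check, not part of this thread or the helper's tools: it reads Microsoft Defender's own threat and detection records from PowerShell, so one can confirm whether Defender still considers a detection such as Trojan:Win32/Wacatac.B!ml active and whether the quarantine or remove action actually succeeded, instead of relying on the Protection History view that the post above describes as incompletely cleaned up. It assumes an elevated PowerShell on the affected machine; the threat-name pattern is a parameter, not a value from the thread.

```powershell
# Added example (not from the thread): query Defender's records for a named threat.
# Run from an elevated PowerShell; the Defender module ships with Windows.
param(
    # Assumption: a substring of the threat name shown in Protection History.
    [string]$ThreatPattern = 'Wacatac'
)

Import-Module Defender -ErrorAction Stop

# 1. Engine state: is the antivirus on, real-time protection on, signatures recent?
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureAgeDays   = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
    LastFullScanEnd    = $status.FullScanEndTime
} | Format-List

# 2. Threat catalogue: does Defender still flag the matching threat as active?
$threats = Get-MpThreat | Where-Object { $_.ThreatName -like "*$ThreatPattern*" }
if (-not $threats) {
    Write-Host "No Defender threat record matches '$ThreatPattern'."
}
foreach ($t in $threats) {
    [pscustomobject]@{
        ThreatName       = $t.ThreatName
        IsActive         = $t.IsActive          # $true: Defender still considers it present
        DidThreatExecute = $t.DidThreatExecute  # whether the flagged file ever ran
        Resources        = ($t.Resources -join '; ')  # file paths / registry keys involved
    } | Format-List
}

# 3. Detection history: one row per detection event, with the outcome of the
#    remediation action. ActionSuccess = False means quarantine/remove did not complete.
Get-MpThreatDetection |
    Where-Object { $threats.ThreatID -contains $_.ThreatID } |
    Sort-Object InitialDetectionTime |
    Select-Object InitialDetectionTime, RemediationTime, ActionSuccess, ThreatStatusID,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize
```

If step 2 prints no match and step 3 shows the last detection with ActionSuccess set to True, the remaining entry in Protection History is display state rather than a live detection.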

Solution

Next, after you are all caught up:

Please SAVE the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt (attached)

Please close all open work. Now I need you to log off and restart Windows into Safe Mode.

 

We need to place Windows into SAFE mode.
You may begin to do this from the Windows sign-in screen. See this Microsoft support how-to article.

 

You would need to first do a LOGOFF so that then you see a fresh sign-in screen.

FRSTENGLISH.exe program location: Downloads folder. The tool is already on the system. That is what we will use.

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator", and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.


Btw, there is also one problem not related to security. Before everything, before every process you told me, I did a system restore when I found out about the trojan, because the language of Windows Spotlight on the lock screen had changed by itself (the language of the words on the lock-screen wallpaper). I searched on the internet and it was caused by the last update of Windows, and the solution was to do a system restore. After the system restore, I couldn't open Chrome. Again, I searched on the internet and there were some people who had the same problem. The solution was to reinstall Chrome. I uninstalled it from Apps in Control Panel and tried to reinstall it through chromesetup.exe. But when I double-click to run it, the "On your marks" window opens with a blue-color scroll and closes by itself after 2-3 seconds. After a while, I tried to open Discord, and the same thing happened. Do you have any idea how to solve it?


The preceding custom FIX run is successful. A status readout on MS Defender antivirus shows it is in good and fine shape. All Defender protections are ON, it is up-to-date, and there are no outstanding threats.

On your last post, I have to say I get confused because of the layers. I do not understand why you had done "Restores".

I am making a pure guess: for Chrome, you will need to get rid of the pre-existing Chrome setup and do a new from-scratch install, but that is only if you still want to have Chrome, which is a very difficult browser to fix. You would be better off just switching to a new, different web browser like BRAVE.

Please download MiniToolBox (http://www.bleepingcomputer.com/download/minitoolbox/dl/65/), save it to your desktop and run it.
Checkmark the following checkboxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files
List Restore Points

Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run from.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.

 

NOTE: The original issue of the case, Wacatac.B and Microsoft Defender antivirus, has been cured. Thus I am marking that aspect as Resolved.


Never build an installer disk from an infected computer.

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587

Also, please review the following topic:

Bypass Microsoft Online Account Creation during installation of Windows 11
https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/
