'Morning friends.

To give the quick summary up front, Windows Defender is repeatedly claiming to have found Trojan:Win32/Wacatac.B!ml, but neither Malwarebytes nor Kaspersky VRT finds anything. Additionally, whenever I tell Windows Defender to do whatever it thinks it needs to do, it doesn't appear to accomplish anything - it claims to block and quarantine whatever it is, but then detects it again. In addition, the files it's claiming are affected don't even exist anymore.

The MBAM log is attached, as are the Farbar Recovery Scan Tool logs. I also included the Kaspersky VRT report as a .txt file, should it help.

-----

Bit of background.

The file that apparently started all this is called MTool (direct link to the download: https://trs.mtool.app/release.php?lang=en) - basically a translation injector that I was hoping to use to play some foreign-language RPGMaker games. It's been on Patreon for a while and has a decent sub count, not that this really means anything. Regardless, it didn't work as well as I'd hoped, so I ended up deleting it after about an hour or so of attempts. After another hour or so, Windows Defender started having its fit, so I just told it to do whatever it felt was necessary. Not sure if it succeeded or failed - it keeps claiming "threat blocked" and "threat quarantined" - but the issue is still flagged in the notices, so I'm leaning towards the latter. I ran Windows Defender's Quick, Offline, and Full scans (yes, all 3) - the first two returned absolutely nothing, the third returned the same Trojan, now referencing a 3rd affected file which also doesn't even exist anymore (the game I was trying to use MTool to translate, which had also been deleted some time ago).

While waiting for the Defender (Full) scan, I ran MBAM and Kaspersky VRT - both turned up absolutely nothing.

Thing is, before I even ran MTool, I threw it into VirusTotal to see if anything was amiss - the 1st two options, Google and something else (can't remember), returned alerts, but nothing else had an issue. At the time, I chalked that up to the usual alerts that occasionally happen with inject tools; after all, both MBAM and Kaspersky are still flagging CheatEngine, and in the past Avast had an issue with PQR. So I wasn't too surprised to see one or two VT scanners say they took issue; I was expecting it. As for the RPGMaker game itself, it's on Steam, so I'm fairly confident the problem doesn't lie there.

So...yeah. I was going to just dismiss it as Windows Defender having a fit over nothing, but the Defender (Full) scan now claiming a 3rd affected item that doesn't exist anymore is throwing me. What's also somewhat off-putting is just the degree of difference between this incident and other events in the past where I've used injector tools without issue. As I said earlier, both Kaspersky VRT and MBAM have always had an issue with CheatEngine, but both of them just flag it as "potentially unwanted." Defender has no issue with CheatEngine, but is raising absolute Cain over this injector, one that neither MBAM nor Kaspersky VRT had an issue with.

Figured I'd ask people who are way smarter than I am in this field.

Cheers lads

Attachments: Addition.txt, FRST.txt, MBAM report.txt, report_2024.02.25_04.51.50.txt


Greetings,
 

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
    Start::
    CreateRestorePoint:
    ExportKey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
    Folder: C:\WINDOWS\SystemTemp
    File: E:\Mieryn\Videos\Tempdump\OverDevilCNv1.37 - ENG 1.0\winmm.dll
    File: E:\Mieryn\Videos\Tempdump\MTool\Tool\loaders\inject.exe
    End::

     

  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
     

Hello Toastedsnow,

It looks like Defender's history needs to be cleaned up.

 

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
    Start::
    CreateRestorePoint:
    CloseProcesses:
    cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*.*"
    cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log"
    End::

     

  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

    Please note the computer will reboot.

Hello Toastedsnow,

Thank you for the info. Let's try the following.

 

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
    Start::
    CreateRestorePoint:
    CloseProcesses:
    cmd: DISM.exe /Online /Cleanup-image /Restorehealth
    cmd: sfc /scannow
    cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*.*"
    cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log"
    cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\results\quick\*.*"
    cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\results\resource\*.*"
    cmd: del /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\results\system\*.*"
    StartPowershell:
    Set-MpPreference -ScanPurgeItemsAfterDelay 1
    Update-MpSignature
    Get-MpComputerStatus
    Get-MpPreference
    EndPowershell:
    ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
    Folder: C:\Windows\System32\Tasks_Migrated
    End::
    
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

    Please note the computer will reboot.
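An added example, not part of this thread and not FRST's own code: before wiping C:\ProgramData\Microsoft\Windows Defender\Scans\History the way the fix above does, it is worth reading what Defender actually recorded. The detection history and the quarantine are separate stores, and a "threat quarantined" record is only a record; the script below lists each recorded file resource, whether that path still exists on disk, and the SHA-256 of anything that does (for a VirusTotal hash lookup instead of re-uploading the sample), then dumps the exclusion lists, since an exclusion left behind for an injector is the more dangerous leftover. It uses the built-in Defender cmdlets (Get-MpThreat, Get-MpThreatDetection, Get-MpPreference) plus Get-FileHash; the function names, the "file:_" prefix assumed on Resources strings and the section labels are my assumptions, not documented behaviour. Run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread, not FRST code). Reads Defender's own
# detection records so you can see which flagged paths still exist before
# deleting the history folder. Assumes the built-in Defender module on
# Windows 10/11; the "file:_" Resources prefix is an observed format, not a
# documented contract, so unmatched resource strings are reported as-is.

function Get-DefenderDetectionReport {
    [CmdletBinding()]
    param()

    # ThreatID -> ThreatName (e.g. Trojan:Win32/Wacatac.B!ml) from the threat catalogue.
    $names = @{}
    foreach ($t in @(Get-MpThreat -ErrorAction SilentlyContinue)) {
        $names[[string]$t.ThreatID] = $t.ThreatName
    }

    foreach ($d in @(Get-MpThreatDetection -ErrorAction Stop)) {
        foreach ($res in @($d.Resources)) {
            $path   = $null
            $exists = $false
            $sha256 = $null
            if ($res -match '^file:_(.+)$') {
                $path   = $Matches[1]
                $exists = Test-Path -LiteralPath $path -PathType Leaf
                if ($exists) {
                    # Hash of a still-present file: look this up on VirusTotal
                    # instead of re-uploading the sample.
                    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                }
            }
            [pscustomobject]@{
                DetectedAt     = $d.InitialDetectionTime
                ThreatName     = $names[[string]$d.ThreatID]
                ThreatStatusID = $d.ThreatStatusID   # numeric Defender status code
                ActionSuccess  = $d.ActionSuccess
                Resource       = $res
                Path           = $path
                StillOnDisk    = $exists
                SHA256         = $sha256
            }
        }
    }
}

function Get-DefenderExclusionSummary {
    # A stale exclusion added for an injector is a bigger problem than a stale
    # history entry: Defender will skip anything dropped under that path later.
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($p.ExclusionPath)
        Processes  = @($p.ExclusionProcess)
        Extensions = @($p.ExclusionExtension)
    }
}

# Usage: list detections whose file is already gone (the symptom in this thread),
# then anything still on disk with its hash, then the exclusion lists.
$report = Get-DefenderDetectionReport
"--- Detections pointing at files that no longer exist ---"
$report | Where-Object { $_.Path -and -not $_.StillOnDisk } |
    Format-Table DetectedAt, ThreatName, ThreatStatusID, Path -AutoSize
"--- Detections whose file is still present ---"
$report | Where-Object { $_.StillOnDisk } |
    Format-Table DetectedAt, ThreatName, Path, SHA256 -AutoSize
"--- Exclusions ---"
Get-DefenderExclusionSummary | Format-List
```

If the history folder has already been deleted, Get-MpThreatDetection returns nothing and the first two tables are empty, which is itself the confirmation you want. Note also that the fix's `Set-MpPreference -ScanPurgeItemsAfterDelay 1` sets how many days Defender keeps items in the scan history folder, so after it old records age out on their own rather than needing another manual `del`.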

Here it is. Also, bit of a curious thing.

After running, it did its whole thing, restarted, etc. I logged back in and no change - Defender still raising Cain over nonexistent files. So I went and had a piece of Christmas pudding. Came back, maybe 20m later, and restarted again, just to see what would happen. And behold, no Defender screaming at me the second time around. Maybe it just needed to mull things over for a bit.

Attachment: Fixlog.txt


Greetings,

Yeah, according to your log, Windows Resource Protection found corrupt files and successfully repaired them.

    Windows Resource Protection found corrupt files and successfully repaired them.
    For online repairs, details are included in the CBS log file located at
    windir\Logs\CBS\CBS.log.

So it should be OK now. Please let me know otherwise.

The following information will help you to keep your computer and data safer, as well as improve your overall privacy:

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/780233/best-password-manager/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following content blockers for your web browsers if you haven't done so already. This will help improve overall security:
     • Malwarebytes Browser Guard
     • uBlock Origin

Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.
