PC infected with multiple trojans, affects my online accounts


I've made the classic mistake of downloading a cracked version of something online and since then I've had trojans enter my computer but they still seem to affect my device. I've had my Reddit account locked 3 times because someone tried to use my account to spam join a bunch of subreddits, despite changing my password each time (wrote it down physically and nowhere else) and having 2FA on. I get a ghost notif in my Google email's active devices that someone is having a session active on YouTube on TV despite not having my TV turned on and also having a safe pw and 2FA on. I've had someone attempt to hack my Facebook but Firefox thankfully blocked it. These are just a few examples and I'm typing this here to hopefully prevent anything worse.

Almost all of them have been blocked/quarantined except the one in the pic below. I've tried following the advice in this thread (https://forums.malwarebytes.com/topic/307520-help-needed-to-remove-trojanwin32wacatacbml) because I've also had wacatac enter my device multiple times in short succession but it says it got quarantined or blocked, though it might still be a threat for all I know. I stopped at the part where OP is told about a custom link since that won't apply to my device. Now I don't know what to do. I would appreciate any help I can get.


  • Root Admin

Hello @waza and welcome.

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes:

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans:

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
     RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply

 

Thank you

 

Link to post
Share on other sites

The Malwarebytes scan didn't detect anything but I've decided to send the log from some hours earlier today.

These are also the pictures from Windows Security of the trojans my PC detected. (In the last picture, the most recent two threats were the same virus and targeted the same file so I only took one screenshot)

20240301_000510.jpg, 20240301_000517.jpg, 20240301_000527.jpg, 20240301_000455.jpg, 20240301_000504.jpg, 20240301_000522.jpg, 20240301_000532.jpg, 20240301_000546.jpg

Addition.txt, FRST.txt, AdwCleaner-C00-.txt, Malwarebytes Scan Report 2024-02-29 170256.txt


  • Root Admin

Okay, let's go ahead then and scan with the Microsoft Scanner and get a log from them.

If this is truly a virus file infector then we'll have to verify the details for data backup before reinstalling Windows.

 

 

 

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you


  • Root Admin

Just the Tamper settings

Let's go ahead and run another scanner

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, click on the Full Scan button
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience. The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue “Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 


  • Root Admin

Based on ESET also finding other items, let's go ahead and run a Kaspersky scan as well

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...
 
Thank you
 
 

 

 


  • Root Admin

Let's try clearing all the history from Windows Defender manually.

Please do the following

Click on Start and type CMD.EXE and when it shows, right-click over it and select to "Run as administrator"

Then type the following and press the Enter key

MD  C:\ClearWD

Then open the File Explorer to that new folder and right click and select New > Text Document

Then open it with Notepad. Then copy and paste the following into the blank document

@echo off
rem Clears the Microsoft Defender protection history, scan caches and logs.
rem Remove the per-detection history records.
pushd "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory"
echo Current folder is: %CD%
rd /q /s "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory"
popd
rem Remove the history service logs.
pushd "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service"
echo Current folder is: %CD%
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*.log"
popd
rem Remove the scan cache files and the engine database.
pushd "C:\ProgramData\Microsoft\Windows Defender\Scans"
echo Current folder is: %CD%
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache*"
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-wal"
popd
rem Remove the support logs and trace files.
pushd "C:\ProgramData\Microsoft\Windows Defender\Support"
echo Current folder is: %CD%
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Support\*.log"
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing*"
popd
rem Remove the history store.
pushd "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store"
echo Current folder is: %CD%
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\*"
popd
rem Clear the Defender operational event log.
wevtutil cl "Microsoft-Windows-Windows Defender/Operational"
pause

Then save the document.

Then rename the extension from .TXT to .BAT

The file should now be called C:\ClearWD\ClearWDHistory.bat

Once that is set up restart the computer into the Recovery Environment

You can enter the Recovery Mode by copying and pasting the following into the command prompt

Make sure you save all open documents first and close all programs as the computer will restart.

shutdown /r /o

 

From the Recovery Mode select the COMMAND PROMPT

Normally it will open as X:

In most cases you simply need to type C: and press the Enter key to get to the C: drive.

Then you'd type CD ClearWD and press the Enter key

Then type ClearWDHistory.bat  and press the Enter key

That should run and clear out your Windows Defender History

Then restart into Normal Mode and wait about 5 minutes and then recheck Windows Defender

 

Let me know if you have any questions

 

 

Link to post
Share on other sites
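
Added example, not part of the original post: the batch file above deletes Defender's detection history and clears the "Microsoft-Windows-Windows Defender/Operational" log, so this PowerShell sketch archives those records first. It is meant for an elevated PowerShell prompt in normal Windows before restarting into the Recovery Environment; the output folder C:\ClearWD\Evidence and the output file names are assumptions.

```powershell
# Added example: archive Microsoft Defender detection records before clearing them.
# Run elevated in normal Windows, not in the Recovery Environment.
# $OutDir and the file names below are assumed; C:\ClearWD comes from the post above.
$OutDir  = 'C:\ClearWD\Evidence'
$LogName = 'Microsoft-Windows-Windows Defender/Operational'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Full copy of the operational log in native .evtx format (opens in Event Viewer).
wevtutil epl $LogName (Join-Path $OutDir 'DefenderOperational.evtx') /ow:true

# 2. Map threat IDs to threat names so the detection rows are readable.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

# 3. One row per detection: when, what, which process and user, which files.
$detections = Get-MpThreatDetection | ForEach-Object {
    [pscustomobject]@{
        Detected  = $_.InitialDetectionTime
        Threat    = $names[$_.ThreatID]
        ThreatID  = $_.ThreatID
        Process   = $_.ProcessName
        User      = $_.DomainUser
        Cleaned   = $_.ActionSuccess
        Resources = ($_.Resources -join '; ')
    }
} | Sort-Object Detected
$detections | Export-Csv (Join-Path $OutDir 'DefenderDetections.csv') -NoTypeInformation

# 4. "Malware detected" (1116) and "action taken" (1117) events as searchable text.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1116, 1117 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Export-Csv (Join-Path $OutDir 'DefenderEvents.csv') -NoTypeInformation

# 5. Quick on-screen summary: how many times each threat was detected.
$detections | Group-Object Threat | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The .evtx and CSV files stay under C:\ClearWD, which the batch file does not touch, so they remain available for comparison if detections reappear after the history is cleared.
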

It says it isn't recognizing ClearWD as a specified path and it's not recognizing the .bat file either. When I copy pasted that info into the ClearWD file I had to manually rename it to ClearWDHistory, not sure if I did what I was supposed to or not.


  • Root Admin

Issue corrected via PM

 

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

We're glad that we were able to assist you.

The following information will help you to keep your computer and data safer as well as improve your overall privacy

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/780233/best-password-manager/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal

 

This topic is now closed to further replies.