shrtshrt Posted April 21 ID:1631609
I did a scan on my computer and Windows Security revealed that I had a Trojan by the name of Trojan:Script/Wacatac.B!ml on my device. I ran Security in offline mode and removed the threat afterward, but I'm afraid it's still on my computer and I'm not sure if I can even trust Windows Security to begin with since it is a bit finicky. How can I be sure that the Trojan is gone? And how can I make sure that my device is not infected with anything else? I'm also not sure where the Trojan originated from. It could've been from some .rar files I had downloaded. The scanner also says that the file originated from: AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000188
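An added example, not from the original poster or from Malwarebytes staff, of how to check what Windows Defender itself recorded for this detection and whether the flagged cache file is still on disk. It assumes an elevated PowerShell session on the affected machine; the threat name and cache path are the ones reported above, and the cmdlets are the ones shipped in Windows' Defender module.

```powershell
# Added example (not from the thread): verify what Windows Defender recorded for the
# Trojan:Script/Wacatac.B!ml detection and whether the flagged Edge cache file is gone.
# Run from an elevated PowerShell session on the machine that reported the detection.
# The threat name and the cache path are the values the original poster reported.

$ThreatName = 'Trojan:Script/Wacatac.B!ml'
$CachePath  = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000188'

# 1. Is Defender actually active and current? Disabled real-time protection or
#    stale signatures are the usual reasons a "clean" result cannot be trusted.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    SignatureAgeDays   = $status.AntivirusSignatureAge
    LastFullScan       = $status.FullScanEndTime
    LastQuickScan      = $status.QuickScanEndTime
} | Format-List

# 2. Pull the detection history for this threat name and show whether the
#    remediation action succeeded. ThreatID links Get-MpThreat to Get-MpThreatDetection.
$threat = Get-MpThreat | Where-Object ThreatName -eq $ThreatName
if (-not $threat) {
    Write-Host "No history entry for $ThreatName (history may have been cleared)."
} else {
    Get-MpThreatDetection |
        Where-Object ThreatID -in $threat.ThreatID |
        Select-Object InitialDetectionTime, ActionSuccess, ProcessName,
                      @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
        Format-List
}

# 3. Confirm the flagged file no longer exists on disk. A present file does not by
#    itself mean an active infection (it may have been cleaned in place), but it is
#    worth rescanning explicitly.
if (Test-Path -LiteralPath $CachePath) {
    Write-Warning "Flagged file still present: $CachePath"
} else {
    Write-Host "Flagged file is gone: $CachePath"
}

# 4. Optional: a Defender Offline scan boots into Defender's own environment and
#    restarts the PC, so save open work first. Uncomment to launch it.
# Start-MpWDOScan
```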
Porthos Posted April 21 ID:1631612
@shrtshrt Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware. Please respond to all future instructions from your helper in a timely manner.
Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process. Then follow each step in the order provided. Unless otherwise asked, please attach all logs.
Please make the following system changes. Please pay close attention to the instructions in all of the following links.
- If you have not done so already - Enable System Protection and create a NEW System Restore Point
- Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
- Disable-Fast-Startup
- Show-Hidden-Folders-Files-Extensions
Please run the following scans. Please pay close attention to the instructions in all of the following links.
- Click the following link and run a Scan with AdwCleaner
- Click the following link and run a Scan with Malwarebytes
- RESTART the computer
- Click the following link and run a Scan with Farbar Recovery Scan Tool
(Example image of where to click to attach files when posting your reply)
Then be patient for the next expert to take your case. Thank you
shrtshrt Posted April 21 Author ID:1631629
1 hour ago, Porthos said: (quoting the post above)
ADW and Malwarebytes showed 0 threats. But regardless, here are the files: Addition.txt, AdwCleaner[S00].txt, FRST.txt, Malwarebytes Scan Report 2024-04-21 020620.txt
AdvancedSetup (Root Admin) Posted April 21 ID:1631650
Hello @shrtshrt
Please clean up the Microsoft Edge browser. Then, after cleaning, run the AV scanner below.
Please try to clean and reset ALL sync data from the Microsoft Edge browser:
Reset Microsoft Edge data in the cloud https://learn.microsoft.com/en-us/deployedge/edge-learnmore-reset-data-in-cloud
After cleaning EDGE run this scan
Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop. (Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)
Download: Kaspersky Virus Removal Tool https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
How to run a scan with Kaspersky Virus Removal Tool 2020 https://support.kaspersky.com/15674
How to run Kaspersky Virus Removal Tool 2020 in the advanced mode https://support.kaspersky.com/15680
How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan https://support.kaspersky.com/15681
- Select the Windows Key and R Key together; the "Run" box should open.
- Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.
- Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt. C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
  That addendum to the run command is very important: when the scan does eventually complete the resultant report is normally encrypted; with the extra command it is saved as a readable file.
  Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
  Right-click directly onto that report, select > open with > Notepad. Save that file and attach it to your reply.
- To start the scan select OK in the "Run" box.
- A EULA window will open; tick all confirmation boxes then select "Accept".
- In the new window select "Change Parameters".
- In the new window ensure all selection boxes are ticked, then select "OK".
- The scan should now start...
- When complete, if entries are found there will be options; if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue".
- When complete, or if nothing was found, select "Close".
Attach the report information as previously instructed...
Thank you
shrtshrt Posted April 21 Author ID:1631703
10 hours ago, AdvancedSetup said: (quoting the post above)
Nothing detected; here's the file: report_2024.04.21_10.44.58.txt
AdvancedSetup (Root Admin) Posted April 22 ID:1631877
Thank you for the log. Please run the following. There should be 5 logs to attach.
- Scan with Malwarebytes https://forums.malwarebytes.com/topic/304827-scan-with-malwarebytes/
- Scan with SecurityCheck by glax24 https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/
- Scan with FSS Farbar Service Scanner https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/
- Scan with Farbar Recovery Scan Tool https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/
Thank you
shrtshrt Posted April 22 Author ID:1631966
3 hours ago, AdvancedSetup said: (quoting the post above)
Still in the clear; here are the files: FSS.txt, SecurityCheck.txt, Malwarebytes Scan Report 2024-04-22 211220.txt, Addition.txt, FRST.txt
AdvancedSetup (Root Admin) Posted April 22 ID:1631974 (Solution)
Thank you for the logs.
Please make the following change in Malwarebytes if you're using the Premium or Trial version:
Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the General tab. Then turn off "Always register Malwarebytes in the Windows Security Center". Restart the computer.
It is highly unlikely that you need to set up exclusions for Windows Defender; however, if you experience any issues, please see the following article and set up exclusions between Malwarebytes and Windows Defender:
Malwarebytes for Windows antivirus exclusions list https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list
Then run the following
Please run the following fix
NOTE: Please read all of the information below before running this fix.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.
Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply.
Farbar program: FRSTEnglish.exe
Save the attached file FIXLIST.TXT to this folder: C:\Users\kostk\Downloads\
NOTE: It's important that both files, FRSTEnglish.exe and fixlist.txt, are in the same location or the fix will not work.
Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.
Run the Farbar program with Admin rights and press the Fix button just once and wait. The fix may possibly take up to 60 minutes to complete.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.
NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.
The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Discord cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin
Important: items are permanently deleted. They are not moved to quarantine.
If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run.
Attachment: fixlist.txt
Thanks
shrtshrt Posted April 22 Author ID:1631981
57 minutes ago, AdvancedSetup said: (quoting the post above)
Alright, I ran the program. Here's the log: Fixlog.txt
AdvancedSetup (Root Admin) Posted April 23 ID:1631988
Thank you for the log. It ran well and also found and fixed some other Windows issues.
Windows Resource Protection found corrupt files and successfully repaired them.
Did you turn off Register Malwarebytes with the Security Center?
How is the computer running now? Are there still any signs of infection or any other unresolved issues?
shrtshrt Posted April 23 Author ID:1631995
16 minutes ago, AdvancedSetup said: (quoting the post above)
My bad for not mentioning before, but I did in fact turn off the "Register Malwarebytes with the Security Center" setting in the menu. As for any signs of infection, Windows Security says that there aren't any more threats, same with Malwarebytes. Should I run an offline scan (with Windows Security) just to be safe? There aren't any problems, and my computer is running smoothly, but I want to be sure either way.
AdvancedSetup (Root Admin) Posted April 23 ID:1632001
You can run an offline AV scan with Microsoft Windows Defender. No harm.
Please run the following:
Scan with SecurityCheck by glax24 https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/
shrtshrt Posted April 23 Author ID:1632009
56 minutes ago, AdvancedSetup said: (quoting the post above)
I ran the Offline Scan and it said I was in the clear again. I attached the file from the Security Check scan below: SecurityCheck.txt
AdvancedSetup (Root Admin) Posted April 23 ID:1632015
Thank you for the log.
Please look at updating the following software if needed:
- AMD Software v.21.10.26.06 Warning! Download Update
- Java 8 Update 401 v.8.0.4010.10 Warning! Download Update | Uninstall old version and install new one (jre-8u411-windows-i586.exe).
Then RESTART the computer and check for Windows Updates and install any found.
Let me know if there are still any signs of infection or any other unresolved issues.
Thank you
shrtshrt Posted April 23 Author ID:1632148
16 hours ago, AdvancedSetup said: (quoting the post above)
Everything's now up-to-date; no infections detected either. Everything should be fine now, I hope. Thanks for guiding me throughout this whole ordeal and helping me in the process, I really appreciate it :)
AdvancedSetup (Root Admin) Posted April 23 ID:1632167
Excellent, glad to hear all is well again. I'll go ahead and close your topic now and wish you well.
Please follow the directions below to remove the logs and tools we've used. If any are still left after that you can manually uninstall or delete them. Take care and stay safe out there. Try to follow as much of the advice below as you can as well.
Let's go ahead and do some clean-up work and remove the tools and logs we've run.
- Please download KpRm by kernel-panik and save it to your desktop.
- Right-click kprm_(version).exe and select Run as Administrator.
- Read and accept the disclaimer.
- When the tool opens, ensure all boxes under Actions are checked.
- Under Delete Quarantines select Delete Now, then click Run.
- Once complete, click OK.
- A log will open in Notepad titled kprm-(date).txt. You can close it.
We're glad that we were able to assist you. The following information will help you to keep your computer and data safer as well as improve your overall privacy.
- Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site. https://www.howtogeek.com/780233/best-password-manager/
- Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
- Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download https://patchmypc.com/about-us
- Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
- Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/
Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.
Malwarebytes Browser Guard
- Google Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
- Microsoft Edge: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser
- Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/
uBlock Origin
- Google Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
- Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak
- Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin
Cybersecurity basics & protection - Everything you need to know about cybercrime https://www.malwarebytes.com/cybersecurity
Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/
Hopefully, we've been able to assist you with correcting your system issues. Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.