Trojan:Script/Wacatac.B!ml

[shrtshrt]

I did a scan on my computer and Windows Security revealed that I had a Trojan by the name of Trojan:Script/Wacatac.B!ml on my device. I ran Security on offline mode and removed the threat afterword, but I'm afraid it's still on my computer and I'm not sure if I can even trust Windows Security to begin with since it is a bit finicky. How can I be sure that the Trojan is gone? And how can I make sure that my device is not infected with anything else?

I'm also not sure where the Trojan has originated from. It could've been from some .rar files I had downloaded. Scanner also says that the file had originated from: AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000188 .

[Porthos]

@shrtshrt

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes: Please pay close attention the the instructions in all of the following links.

• If you have not done so already - Enable System Protection and create a NEW System Restore Point
• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention the the instructions in all of the following links.

1. Click the following link and run a  Scan with AdwCleaner
2. Click the following link and run a  Scan with Malwarebytes 
      RESTART the computer
3. Click the following link and run a  Scan with Farbar Recovery Scan Tool 

Example image of where to click to attach files when posting your reply

Then be patient for the next expert to take your case.

 

Thank you

[shrtshrt]

1 hour ago, Porthos said:

@shrtshrt

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes: Please pay close attention the the instructions in all of the following links.

• If you have not done so already - Enable System Protection and create a NEW System Restore Point
• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention the the instructions in all of the following links.

1. Click the following link and run a  Scan with AdwCleaner
2. Click the following link and run a  Scan with Malwarebytes 
      RESTART the computer
3. Click the following link and run a  Scan with Farbar Recovery Scan Tool 

Example image of where to click to attach files when posting your reply

Then be patient for the next expert to take your case.

 

Thank you

ADW and Malwarebytes showed 0 threats. But regardless, here are the files:

Addition.txt AdwCleaner[S00].txt FRST.txt Malwarebytes Scan Report 2024-04-21 020620.txt

[AdvancedSetup]

Hello @shrtshrt

Please clean up Microsoft Edge browser. The after cleaning run the AV scanner below.

 

Please try to clean and reset ALL sync data from the Microsoft Edge browser

Reset Microsoft Edge data in the cloud
https://learn.microsoft.com/en-us/deployedge/edge-learnmore-reset-data-in-cloud

 

 

After cleaning EDGE run this scan

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 

Select the     Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt   Note the space between KVRT.exe and -dontencrypt C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.   That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed...   Thank you

 

 

[shrtshrt]

10 hours ago, AdvancedSetup said:

Hello @shrtshrt

Please clean up Microsoft Edge browser. The after cleaning run the AV scanner below.

 

Please try to clean and reset ALL sync data from the Microsoft Edge browser

Reset Microsoft Edge data in the cloud
https://learn.microsoft.com/en-us/deployedge/edge-learnmore-reset-data-in-cloud

 

 

After cleaning EDGE run this scan

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 

Select the     Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt   Note the space between KVRT.exe and -dontencrypt C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.   That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed...   Thank you

 

 

Nothing detected; here's the file:

report_2024.04.21_10.44.58.txt

[AdvancedSetup]

Thank you for the log.

Please run the following. There should be 5 logs to attach.

 

Scan with Malwarebytes
https://forums.malwarebytes.com/topic/304827-scan-with-malwarebytes/

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

 

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thank you

 

[shrtshrt]

3 hours ago, AdvancedSetup said:

Thank you for the log.

Please run the following. There should be 5 logs to attach.

 

Scan with Malwarebytes
https://forums.malwarebytes.com/topic/304827-scan-with-malwarebytes/

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

 

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thank you

 

Still in the clear; here's the files:

FSS.txt SecurityCheck.txt Malwarebytes Scan Report 2024-04-22 211220.txt Addition.txt FRST.txt

[AdvancedSetup]

Thank you for the logs

 

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

• Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the General tab.
• Then turn off "Always register Malwarebytes in the Windows Security Center"
• Restart the computer

 

It is highly unlikely that you need to setup exclusions for Windows Defender, however if you experience any issues, please see the following article and setup exclusions
between Malwarebytes and Windows Defender

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

 

Then run the following

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

• NOTICE: This script was written specifically for this user, for use on this particular machine.
• Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\kostk\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
               Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

[shrtshrt]

57 minutes ago, AdvancedSetup said:

Thank you for the logs

 

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

• Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the General tab.
• Then turn off "Always register Malwarebytes in the Windows Security Center"
• Restart the computer

 

It is highly unlikely that you need to setup exclusions for Windows Defender, however if you experience any issues, please see the following article and setup exclusions
between Malwarebytes and Windows Defender

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

 

Then run the following

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

• NOTICE: This script was written specifically for this user, for use on this particular machine.
• Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\kostk\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
               Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt 56.16 kB · 1 download

Thanks

 

Alright, I ran the program. Here's the log:

Fixlog.txt

[AdvancedSetup]

Thank you for the log. It ran well and also found and fixed some other Windows issues.

Windows Resource Protection found corrupt files and successfully repaired them.

 

Did you turn off Register Malwarebytes with the Security Center?

 

How is the computer running now?

Are there still any signs of infection or any other unresolved issues?

 

[shrtshrt]

16 minutes ago, AdvancedSetup said:

Thank you for the log. It ran well and also found and fixed some other Windows issues.

Windows Resource Protection found corrupt files and successfully repaired them.

 

Did you turn off Register Malwarebytes with the Security Center?

 

How is the computer running now?

Are there still any signs of infection or any other unresolved issues?

 

My bad for not mentioning before, but I did in fact did turn off the "Register Malawarebytes with the Security Center" setting in the menu. As for any signs of infection, Windows Security says that there aren't anymore threats, same with Malwarebytes. Should I run an offline scan (with Windows Security) just to be safe? There aren't any problems, and my computer is running smooth, but I want to be sure either way.

[AdvancedSetup]

You can run an offline AV scan with Microsoft Windows Defender. No harm

 

Please run the following

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

[shrtshrt]

56 minutes ago, AdvancedSetup said:

You can run an offline AV scan with Microsoft Windows Defender. No harm

 

Please run the following

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

I ran the Offline Scan and it said I was in the clear again. I attached the file from the Security Check scan below:

SecurityCheck.txt

[AdvancedSetup]

Thank you for the log

Please look at updating the following software if needed

• AMD Software v.21.10.26.06 Warning! Download Update
• Java 8 Update 401 v.8.0.4010.10 Warning! Download Update | Uninstall old version and install new one (jre-8u411-windows-i586.exe).

Then RESTART the computer and check for Windows Updates and install any found

 

Let me know if there are still any signs of infection or any other unresolved issues

Thank you

 

[shrtshrt]

16 hours ago, AdvancedSetup said:

Thank you for the log

Please look at updating the following software if needed

• AMD Software v.21.10.26.06 Warning! Download Update
• Java 8 Update 401 v.8.0.4010.10 Warning! Download Update | Uninstall old version and install new one (jre-8u411-windows-i586.exe).

Then RESTART the computer and check for Windows Updates and install any found

 

Let me know if there are still any signs of infection or any other unresolved issues

Thank you

 

Everything's now up-to-date; No infections detected either. Everything should be fine now, I hope.

Thanks for guiding me throughout this whole ordeal and helping me in the process, I really appreciate it :)

[AdvancedSetup]

Excellent, glad to hear all is well again. I'll go ahead and close your topic now and wish you well.

Please follow the directions below to remove the logs and tools we've used. If any are still left after that you can manually uninstall or delete them.

Take care and stay safe out there. Try to follow as much of the advise below as you can as well.

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

• right-click kprm_(version).exe and select Run as Administrator.
• Read and accept the disclaimer.
• When the tool opens, ensure all boxes under Actions are checked.
• Under Delete Quarantines select Delete Now, then click Run.
• Once complete, click OK.
• A log will open in Notepad titled kprm-(date).txt. You can close it.

 

We're glad that we were able to assist you.

 

The following information will help you to keep your computer and data safer as well as improve your overall privacy

1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
   https://www.howtogeek.com/780233/best-password-manager/
2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

•   Google Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
•   Microsoft Edge: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser
•   Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

uBlock Origin

• Google Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm 
• Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak 
• Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin

 

Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal