What is Trojan Win32/Wacatac b ml

Windows 10 21H1, detected Trojan:Win32/Wacatac.B!ml in this folder path - Appdata\LocalLow\IG Dump [this folder had some two three folders with randomized alphabetical long names and each had an .exe and a .ext file].

The folder got deleted as soon as I opened it, probably by Windows Defender [as soon as I tried to take action on the threat and remove it from the windows security, it reloaded and showed it had already removed the threat. Folders were deleted]

The detection happened when I was running a normal scan with Malwarebytes free version [Malwarebytes did not detect anything.]

Ran RKill and tried to run Hitman Pro but the laptop froze every time as soon as the scan started.

Ran RKill and Hitman Pro in safe mode, nothing was detected.

I have Farbar Recovery Tool also [Downloaded it from here for scenarios like these, never used it]

Any help to ensure the malware is gone would be appreciated

EDIT: Ran Farbar and here are the log files:

Attached Files

  • FRST.txt 41.66KB 6 downloads
  • Addition.txt 54.06KB 5 downloads

Edited by Ghajni, 10 September 2021 - 04:39 AM.

Hi,

I already reported the issue to the Malwarebytes Team to check things further.

As for the file regarding the File Path, it is probably used by Coin Wallet [but I didn't see it installed on your PC, so maybe it is a part of Cryptomator you are using].

Will reply back when I have more information.

Regards,

George

Cryptomator is an open source encryption software, and I haven't run it in a while, yet the date modified column of the update.exe shows a recent date [30th August 2021]. Or maybe I'm reading too much into this.

Hi,

In the meantime, can you update Windows Defender definitions to see if the issue still persists?

  1. Open Command Prompt as administrator and copy/paste the following command cd %ProgramFiles%\Windows Defender and hit Enter.
  2. While you are in CMD now, copy/paste MpCmdRun.exe -removedefinitions -dynamicsignatures and hit Enter.
  3. Now copy/paste this command MpCmdRun.exe -SignatureUpdate and hit Enter.

Check if the issue still remains.

I am running these commands. However, before this I had already run a custom scan of the Appdata folder and a quick scan from Windows Defender and it had not shown anything. The actual detection of the Trojan that I posted about only happened when Malwarebytes was running a scan [i.e. the threat detected notification only popped up during the scan]

UPDATE: Can't seem to update Windows even when I've disabled my custom DNS and am using my normal ISP DNS. Error code 0x800f081f. Have tried steps including running the update troubleshooter, using DISM and sfc /scannow, directly downloading from the Windows Update Catalog and clearing the Windows Update cache & components

[Followed the steps from //answers.microsoft.com/en-us/windows/forum/all/windows-10-cumulative-update-error-0x800f081f/5e513035-a9f1-46e2-87af-58fa890dc123?auth=1]


Edited by Ghajni, 10 September 2021 - 02:46 PM.

Cryptomator is an open source encryption software, and I haven't run it in a while, yet the date modified column of the update.exe shows a recent date [30th August 2021]. Or maybe I'm reading too much into this.

Where did you see that? It didn't show in the One created [modified] or One month [modified] in your FRST log.

The only entry related is this one:

HKU\S-1-5-21-1470558796-4169206288-2029635424-1001\...\Run: [Join Desktop] => C:\Users\shiva\AppData\Local\com\update.exe [1828352 2018-10-30] [GitHub] [File not signed]

By the way, update.exe has the description GitHub and Cryptomator seems to be on that platform as well.

//github.com/cryptomator/cryptomator

The file looks clean regarding VT, but we can easily remove it if you want.


I am running these commands. However, before this I had already run a custom scan of the Appdata folder and a quick scan from Windows Defender and it had not shown anything. The actual detection of the Trojan that I posted about only happened when Malwarebytes was running a scan [i.e. the threat detected notification only popped up during the scan]

UPDATE: Can't seem to update Windows even when I've disabled my custom DNS and am using my normal ISP DNS. Error code 0x800f081f. Have tried steps including running the update troubleshooter, using DISM and sfc /scannow, directly downloading from the Windows Update Catalog and clearing the Windows Update cache & components

[Followed the steps from //answers.microsoft.com/en-us/windows/forum/all/windows-10-cumulative-update-error-0x800f081f/5e513035-a9f1-46e2-87af-58fa890dc123?auth=1]

Yes, I know. But the idea was to check if Microsoft has fixed this false positive. A workaround could be to disable Windows Defender when scanning with Malwarebytes and turn it back when the scan is done.

As for Windows Update you can try Tweaking.com

Please download Windows Repair [all in one] from here

Install the program, then right-click on the program's icon on your desktop and click "Run As Administrator".

NOTE: Disable your antivirus program before running Windows Repair.

Accept the agreement and then go to Backup Tools and click on the Backup [under Registry Backup [Recommended]].

When done, click on the Create [Under System Restore].

Go to Repairs - Main tab and click the Open Repairs button.

Accept the warning by clicking on I understand the risks [Close the warning].

Check only 16 - Repair Windows Updates and uncheck the rest.

Click the Start Repairs button.

DON'T use the computer while each scan is in progress.

When done, please restart the computer and attach the Windows Repair log, which is located in the following folder:

C:\Program Files [x86]\Tweaking.com\Windows Repair [All in One]\Logs to your next reply.

Regards,

George



Thank you for the reply, I've attached the log file.

I do not think my Windows Update problem has been fixed, but I think it would be more appropriate to create a topic on the Windows 10 support forum, no?

As my 'malware' problem has been resolved.

Again, thank you so much for your help

Attached Files

  • Repair_Windows_Updates.txt 11.96KB 1 downloads
  • _Windows_Repair_Log.txt 2.62KB 1 downloads

Edited by Ghajni, 11 September 2021 - 04:29 AM.

Hi,

I am sorry to hear that the Tweaking tool did not fix your issue with the updates. Yes, you can open a new topic there or here:

//www.sysnative.com/forums/threads/windows-update-forum-posting-instructions.4736/

They are specialized in resolving such problems.

Another option is to try in-place upgrade, keeping your data:

//www.tenforums.com/tutorials/16397-repair-install-windows-10-place-upgrade.html

In the topic you posted, one of the users mentioned that the Assistant tool helped: [maybe you could give it a try as well]:

//support.microsoft.com/en-us/topic/windows-10-update-assistant-3550dfb2-a015-7765-12ea-fba2ac36fb3f

As for the "malware" issue, does it mean that Windows Defender is no longer detecting MBAM files as a threat?

Regards,

George

Already tried the in-place upgrade; although the updates are taking place, it is going extremely slow [I do have a fast internet connection so it's not a question of speed].

Windows Update Assistant is more or less useless imo, already tried it a couple of times.

No idea, but now I know even if Defender does detect those MBAM files as a threat, I know it's a false positive?


So then the Sysnative forum is your best bet.

Yes, I believe it is a false positive. As stated in the Malwarebytes forum:

IG is part of the new scan engine in Malwarebytes version 4. Blocking/interfering with this will impact the effectiveness of your Malwarebytes scans.

Windows Defender:
================
Date: 2021-09-10 14:29:17
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
//go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.B!ml&threatid=2147735505&enterprise=0
Name: Trojan:Win32/Wacatac.B!ml
Severity: Severe
Category: Trojan
Path: file:_C:\Users\shiva\AppData\LocalLow\IGDump\tzlgzycgoswqcidokebrtbxlixeevanh\awcmdfrpmtgbesksmzatxidjpckycsxh.ext
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\shiva\AppData\LocalLow\IGDump\tzlgzycgoswqcidokebrtbxlixeevanh\ig.exe
Security intelligence Version: AV: 1.349.461.0, AS: 1.349.461.0, NIS: 1.349.461.0
Engine Version: AM: 1.1.18500.10, NIS: 1.1.18500.10

Date: 2021-09-10 14:27:36
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
//go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sabsik.FL.A!ml&threatid=2147780195&enterprise=0
Name: Trojan:Win32/Sabsik.FL.A!ml
Severity: Severe
Category: Trojan
Path: file:_C:\Users\shiva\AppData\LocalLow\IGDump\hljkweiyskndbzlohurafovqviuithkk\ixeecrjaxdmvzaudmmuhdcecygyfjisf.ext
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\shiva\AppData\LocalLow\IGDump\hljkweiyskndbzlohurafovqviuithkk\ig.exe
Security intelligence Version: AV: 1.349.461.0, AS: 1.349.461.0, NIS: 1.349.461.0
Engine Version: AM: 1.1.18500.10, NIS: 1.1.18500.10

I hope that Microsoft will fix this in some of the next updates.

Regards,

George
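For readers who want to triage entries like the two quoted above in bulk, here is an added example (not code from the thread, from Malwarebytes or from Microsoft) that parses Defender's text-style detection records and separates signature hits from ML-heuristic ("!ml") hits whose file and reporting process both sit in another scanner's working directory. The IGDump directory name and the two records are taken from the thread; the third record is constructed to show the contrast, and the "candidate false positive" flag is only a prompt to confirm with the vendor, not a verdict.

```python
import ntpath
import re

# Constructed sample log: the first two records are modelled on the Defender
# entries quoted in the thread; the third is a made-up signature detection
# outside any scanner directory, added for contrast.
SAMPLE_LOG = r"""Windows Defender:
================
Date: 2021-09-10 14:29:17
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
Name: Trojan:Win32/Wacatac.B!ml
Severity: Severe
Category: Trojan
Path: file:_C:\Users\shiva\AppData\LocalLow\IGDump\tzlgzycgoswqcidokebrtbxlixeevanh\awcmdfrpmtgbesksmzatxidjpckycsxh.ext
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\shiva\AppData\LocalLow\IGDump\tzlgzycgoswqcidokebrtbxlixeevanh\ig.exe

Date: 2021-09-10 14:27:36
Name: Trojan:Win32/Sabsik.FL.A!ml
Severity: Severe
Category: Trojan
Path: file:_C:\Users\shiva\AppData\LocalLow\IGDump\hljkweiyskndbzlohurafovqviuithkk\ixeecrjaxdmvzaudmmuhdcecygyfjisf.ext
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\shiva\AppData\LocalLow\IGDump\hljkweiyskndbzlohurafovqviuithkk\ig.exe

Date: 2021-09-10 15:01:00
Name: Trojan:Win32/SampleSig.A
Severity: Severe
Category: Trojan
Path: file:_C:\Users\shiva\Downloads\invoice.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
"""

# Fields worth keeping from each "Date: ..." delimited record.
RECORD_FIELDS = {"Date", "Name", "Severity", "Category", "Path",
                 "Detection Type", "Detection Source", "Process Name"}

# Directory fragments that belong to another installed scanner's engine.
# "IGDump" is the Malwarebytes 4 scan-engine folder named in the thread.
SCANNER_DIRS = ("\\IGDump\\",)

# Long, all-lowercase directory names like the ones in the thread.
RANDOM_DIR_RE = re.compile(r"^[a-z]{20,}$")


def parse_defender_log(text):
    """Split Defender's text log into one dict per detection record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Date:"):
            if current:
                records.append(current)
            current = {"Date": line.partition(":")[2].strip()}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            if key in RECORD_FIELDS:
                current[key] = value.strip()
    if current:
        records.append(current)
    return records


def strip_file_prefix(path):
    """Defender writes file paths as 'file:_C:\\...'; return the bare path."""
    return path[len("file:_"):] if path.startswith("file:_") else path


def triage(records):
    """Annotate each record with the facts a reviewer needs before acting."""
    results = []
    for rec in records:
        path = strip_file_prefix(rec.get("Path", ""))
        proc = rec.get("Process Name", "")
        path_dir = ntpath.dirname(path)
        ml_heuristic = rec.get("Name", "").endswith("!ml")
        in_scanner_dir = any(d.lower() in path.lower() for d in SCANNER_DIRS)
        same_dir = path_dir.lower() == ntpath.dirname(proc).lower()
        random_dir = bool(RANDOM_DIR_RE.match(ntpath.basename(path_dir)))
        results.append({
            "name": rec.get("Name", ""),
            "path": path,
            "process": proc,
            "ml_heuristic": ml_heuristic,
            "in_scanner_dir": in_scanner_dir,
            "same_dir_as_process": same_dir,
            "random_dir_name": random_dir,
            # Only an ML hit on a file that another scanner's own engine is
            # reading from its own working folder qualifies for a vendor check.
            "candidate_false_positive": ml_heuristic and in_scanner_dir and same_dir,
        })
    return results


if __name__ == "__main__":
    for r in triage(parse_defender_log(SAMPLE_LOG)):
        tag = "REVIEW WITH VENDOR" if r["candidate_false_positive"] else "TREAT AS DETECTION"
        print(f"{tag}: {r['name']} -> {r['path']} (by {r['process']})")
```

Records that come out as candidates are still worth keeping in the Defender history; the point of the flags is to route them to the vendor's false-positive process and to make an exclusion, if one is ever added, as narrow as the engine's own folder rather than the whole AppData tree.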


Do you still need assistance with something, or can I close the topic?

You said that after the In-Place upgrade you are no longer having issues when installing updates [the error is gone] but only the speed is slow?

1. You can try to reset the TCP/IP stack, firewall and proxy settings and to reset the hosts file by using this bat file =>

internet.bat

2. Check for driver update for the network card.

3. Try to temporarily disable your security products and see if there is any difference [and even uninstall them for the test].

4. Check your router settings and also see if there is any firmware update available.

5. Ask your Internet provider for assistance.

6. This may be worth a try as well:

//www.speedguide.net/forums/showthread.php?285301-TCP-Optimizer-4-0-Beta-released-[Windows-8-10-2012-Server-are-all-supported]

Select your connection speed and check the Optimal profile and click Apply Changes.

Regards,

George

Hi George

For the moment it is updating properly.

If something pops up again I think I'll be better off doing a clean install since it'll fix everything [don't have a hardware issue or anything so no worries about that].

I'll write down all of these suggestions somewhere to keep in mind before going nuclear though, thank you.

Thank you so much for your help, and yes please mark this topic as closed.

PS: When I open that SpeedGuide forum link I am greeted by a message that my IP has been banned

