Trojan Wacatac.B!ml
Solved/Closed
Sephi
bazfile - Posted messages: 58430 - Status: Moderator
Hello,
I'm sorry to bother you but I hope you can help me.
I run a quick analysis of my system every day using Windows Defender and today it detected a threat "Wacatac.B!ml" (file: C:\Users\sephi\AppData\Local\Temp\CF\VIBqVWp6iUGyUjm5nT7QkQ\1.zip)
I don’t recall downloading anything in the last two days so I don’t know where it comes from. I’m attaching the FRST analysis files.
FRST: https://pjjoint.malekal.com/files.php?id=FRST_20210819_c6y15i13p15h7
Addition: https://pjjoint.malekal.com/files.php?id=20210819_r14j11s15t11r15
Shortcut: https://pjjoint.malekal.com/files.php?id=20210819_z6e8p14f12x13
Thank you
Edit: I wanted to add that the Windows Defender report, when it detects this threat and offers me the usual options to take action, seems to resolve itself after a few seconds without me having time to intervene.
Configuration: Windows / Firefox 91.0
2 replies
Hello,
This file is in the temporary folders of Windows and comes from the CurseForge software, which is linked to the Overwolf software. If you are sure about these two programs, it is certainly a false positive from Windows Defender.
To delete the file found by Windows Defender, do the following.
Procedure to follow in the indicated order:
1- Open FRST as an administrator by right-clicking on FRST and choosing "Run as administrator".
2- Copy the entire script from the box below:
Start::
CreateRestorePoint:
CloseProcesses:
C:\Users\sephi\AppData\Local\Temp\CF\VIBqVWp6iUGyUjm5nT7QkQ\1.zip
EmptyTemp:
End::
3- Once the script is copied, click on Fix; FRST will automatically take the script from the clipboard.
Let the fix complete and once it's done, you will be prompted to restart your PC. Please do so as soon as you are prompted, see below.
Then, once your computer has restarted:
4- You will have a Fixlog file on your desktop; send this report to https://www.cjoint.com/ (see this tutorial) and then provide the link generated by Cjoint in your next message.
5- CHECK AND LET ME KNOW IF YOUR ISSUE IS STILL PRESENT
--
bazfile
Moderator/Security Contributor.
A hello, a response, a thank you are always appreciated.
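Added example, not part of the thread or of bazfile's procedure: before accepting a detection like this as a false positive, it helps to pull Defender's own detection history for the flagged path, see which process produced the file, and record its hash so it can be looked up or submitted for analysis rather than trusted or deleted blindly. The script below assumes a Windows 10/11 machine with the built-in Defender PowerShell module (`Get-MpThreat`, `Get-MpThreatDetection`); the path is the one reported in the original post.

```powershell
# Added example (not from the thread): correlate Windows Defender's detection
# history with the flagged path so the origin of the file can be confirmed
# before it is written off as a false positive. Assumes the Defender module
# that ships with Windows 10/11; run from an elevated PowerShell session.
$flaggedPath = 'C:\Users\sephi\AppData\Local\Temp\CF\VIBqVWp6iUGyUjm5nT7QkQ\1.zip'

# Build a ThreatID -> ThreatName lookup from Defender's threat catalogue.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

# Detection history entries whose resources mention the flagged path.
# ProcessName shows which process was handling the file when it was flagged,
# which is how you confirm (or refute) the CurseForge/Overwolf explanation.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($flaggedPath) } |
    ForEach-Object {
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            Threat     = $threatNames[$_.ThreatID]
            Process    = $_.ProcessName
            Resources  = ($_.Resources -join '; ')
            Remediated = $_.ActionSuccess
        }
    } | Format-List

# If the file is still on disk, record its SHA-256 and timestamps. The hash can
# be checked against the vendor's own release or submitted to Microsoft for
# analysis; the timestamps tell you whether it was created by a recent update.
if (Test-Path -LiteralPath $flaggedPath) {
    Get-FileHash -LiteralPath $flaggedPath -Algorithm SHA256
    Get-Item -LiteralPath $flaggedPath | Select-Object Length, CreationTime, LastWriteTime
} else {
    Write-Output "File not present (already removed or quarantined): $flaggedPath"
}
```

If the detection entry names the launcher as the process and the hash matches what the vendor ships, treating it as a false positive is well supported; if the process is unexpected or the file keeps reappearing with a different hash, that is the point at which the logs are worth a closer look.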
Thank you for your quick response. I'm pretty sure that Curseforge and Overwolf are safe, but I still carried out the procedure and restarted the computer. I've since performed a new Windows Defender scan which still detects this threat while scanning, asks me to intervene before disappearing from the report, and then, at the end of the scan, states that no threats have been found.
I am attaching the Fixlog below:
Fixlog: https://pjjoint.malekal.com/files.php?id=20210819_c9q11r13y7e8