How To Remove Trojan Win32


Salomon Thoj

Aug 4, 2024, 8:13:58 PM8/4/24
to ogverere
Hi. Nowadays I have some performance problems in games and other applications on my PC. I knew something was not right, and I started a full scan with Windows Defender. It found Trojan:Win32/Wacatac.B!ml. Then I selected to quarantine it. I think it failed:

The Microsoft Safety Scanner is a free, stand-alone Microsoft virus scanner that can be used to scan for and remove malware or potentially unwanted items from a system. This tool does not install; it is run on demand.


Upon completion of the save, please make sure you exit any other program you might have open, so that the sole task is to run the following scan.

That goes especially for web browsers: make sure all of them are fully exited, and that messenger programs are exited and closed as well.


Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate flash messages that appear early on the screen. The only thing that counts is the end result at the end of the run.

Again, any on-screen display about a repeat 'infection' is not to be relied on. Ignore those.

We rely only on the end result that is in the log report file.


That DOES NOT mean the computer is infected. Once the scan has been completed, it uploads the log to their cloud service, which then uses artificial intelligence to determine whether any of the traces are in fact an infection or not.


Thank you for your message. Before your message, I clicked the Remove action and Windows Defender removed the file in my Downloads folder that had the trojan. I checked the file in Downloads, and it had disappeared. Then I started a full scan again. I am sorry, I didn't know that I shouldn't start any other scans. Should I continue the process you told me? I think I have to, because I have doubts.


Please do the following, so that Microsoft Defender Antivirus runs side by side with Malwarebytes.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.


Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".

We want that to be set to Off. Be sure that line's selector is all the way to the left. Thanks.

IF that line is greyed out and unavailable, do not fret. Just skip over it.


After you told me, I looked at the protection history again, and Wacatac is not there. Only the nvcontainer.exe thing, which is related to Nvidia, appears there. What does it mean? Is the system clean, or was that a false positive? I am asking about a false positive because I searched on the internet, and there it also said that it can be a false positive due to the B!ml (machine learning) part, which leads to a high probability of it being a false positive. But I think it is fixed now, because when it was found, I told it to quarantine. And it couldn't quarantine the trojan at all. It worked at 20% CPU for almost an hour, or maybe a little more than an hour, and then it said incomplete. After that I panicked and clicked again, this time just to remove it. I clicked Actions > Remove instead of Quarantine. It worked again at about 20% CPU. Then I started a full scan again, before your warnings, because I didn't know that I shouldn't start any scans, and Windows Defender didn't find anything at all. But the trojan warning was still there. When I checked the file it shows, it had been deleted from Downloads. Now, what do you think? Is the system clean, or was that a false positive?



I am going to run a full scan again with Windows Defender to see what is found. Let me know any suggestions. I am also considering uploading all my personal data and important stuff to the cloud (Google, Dropbox, etc.) and then formatting the computer, either keeping Windows or also deleting Windows and rebuilding everything from zero. Would you suggest that to me?



Thank you very much again.


By the way, there is also one problem not related to security. Before everything, before every process you told me, I did a System Restore when I found out about the trojan, because the language of Windows Spotlight on the lock screen had changed by itself (the language of the words on the lock-screen wallpaper). I searched on the internet, and the cause was the last Windows update. The solution was to do a System Restore. After the System Restore, I couldn't open Chrome. Again, I searched on the internet, and there were others who had the same problem. The solution was to reinstall Chrome. I uninstalled it from Apps in Control Panel and tried to reinstall it through ChromeSetup.exe. But when I double-click to run it, the "On your marks" window opens with a blue progress bar and closes by itself after 2-3 seconds. After a while, I tried to open Discord, and the same thing happened. Do you have any idea how to solve it?


The preceding custom FIX run was successful. A status readout on Microsoft Defender Antivirus shows it is in good shape. All Defender protections are ON, it is up to date, and there are no outstanding threats.


I am making a pure guess: for Chrome, you will need to get rid of the pre-existing Chrome setup and do a new from-scratch install, but that is only if you still want to have Chrome, which is a very difficult browser to fix. You would be better off just switching to a different web browser like Brave.


Also, you have the LiveGrid Feedback System disabled. I would recommend enabling it so that, in case you encounter new undetected malware or there is a problem cleaning malware that is only partially detected (e.g. only on execution, by the Advanced Memory Scanner), the malware is submitted and a smart detection for all scanners is added.


Moreover, I would recommend considering upgrading your license to ESET Internet Security or ESET Smart Security Premium (which also contains disk encryption and a password manager). Only these two can also protect you from brute-force attacks (RDP, SMB, SQL, ...), which are a common infection vector nowadays. A common attack scenario is as follows: attackers brute-force the password, connect remotely, disable the antivirus, run ransomware and then extort money from the victim. Network Attack Protection also protects the machine from exploitation of vulnerabilities in network protocols if the system is not patched.


Add to this that OpenCandy is adware: -win32-opencandy/ . Per this Sophos detailed analysis of it, -us/threat-center/threat-analyses/adware-and-puas/OpenCandy/detailed-analysis.aspx, I would say it might be creating a virtual CD-ROM drive and running from that at boot time. If this is the case, what the ESET Online Scanner is detecting is OpenCandy on the virtual CD-ROM, not in the MBR of the boot drive.


To verify this assumption, open Windows Explorer and determine whether a CD/DVD drive is shown that is not physically installed in your PC. Note that this virtual drive may be hidden. Therefore, once Windows Explorer is open, change its Options settings to show hidden files, folders, and drives, per the screenshot below:


In Win 10, burn a .iso file to a CD/DVD disc. Win 10 will create a virtual drive to do this. At the end of the burn cycle, Win 10 will eject the disc. You believe the virtual drive is dismounted. Wrong! The virtual drive is loaded at each system boot. Worse, all the files it previously created are present on that virtual drive. The only way to get rid of the virtual drive is to use Device Manager to uninstall the device.


OpenCandy, as I understand it, does the above, but instead of creating the files on CD/DVD media, it creates the files only on the virtual drive. That is one reason why OpenCandy is considered malware by most AV solutions.


2. Determine if OpenCandy is installed. If so, uninstall it. OpenCandy is known to exist in installers from a number of software downloads. Some are listed here: ; notably uTorrent. If you recently downloaded and installed something from one of the third-party download sites, that was most likely the source.


3. Now run an ESET on-demand scan. Note: it appears the version of OpenCandy installed on your device is the rootkit one. ESET can only remove rootkits in Windows Safe Mode. If the ESET desktop toolbar icon is missing in Safe Mode, you can access the ESET GUI via the Win 10 Start menu.


You have to run ESET from the command-line interface in Safe Mode. How to accomplish this is detailed here: -run-a-scan-in-safe-mode-and-submit-a-scan-log-for-analysis . I recommend saving the .bat file on your desktop.

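The checks the thread asks the poster to do by hand (is Defender healthy and up to date, did the Wacatac quarantine/remove action actually succeed or is the threat still active, and is there a CD/DVD drive that is not physical hardware) can be read directly from the system instead of from screenshots. The block below is an added example written for this page; it is not from the thread, from Microsoft or from ESET. It assumes Windows 10/11 with the built-in Defender PowerShell module (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection) and an elevated prompt. The "LooksVirtual" column is a heuristic of this example (it matches "Virtual" in the device's PNP ID, which is how a Windows-mounted ISO presents itself); it is a lead to confirm in Device Manager, as the thread advises, not proof of anything.

```powershell
# Added example for this page, not code from the thread or from any vendor.
# Run in an elevated PowerShell on Windows 10/11 with Microsoft Defender enabled.

function Get-DefenderHealth {
    # Equivalent of the "all protections ON, up to date, no outstanding threats" readout.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        BehaviorMonitor    = $s.BehaviorMonitorEnabled
        NetworkInspection  = $s.NISEnabled
        TamperProtection   = $s.IsTamperProtected
        SignatureAgeDays   = $s.AntivirusSignatureAge   # 0 or 1 means current
        LastFullScanEnd    = $s.FullScanEndTime
        QuickScanOverdue   = $s.QuickScanOverdue
    }
}

function Get-DefenderThreatHistory {
    param([string]$NameFilter = 'Wacatac')   # substring of the threat name to show
    # Join the threat catalogue (name, active flag) with the detection events
    # (time, file path, whether the chosen action succeeded).
    $byId = @{}
    Get-MpThreat | ForEach-Object { $byId[$_.ThreatID] = $_ }
    Get-MpThreatDetection |
        Where-Object { $byId.ContainsKey($_.ThreatID) -and
                       $byId[$_.ThreatID].ThreatName -like "*$NameFilter*" } |
        ForEach-Object {
            $t = $byId[$_.ThreatID]
            [pscustomobject]@{
                Detected      = $_.InitialDetectionTime
                Threat        = $t.ThreatName           # e.g. Trojan:Win32/Wacatac.B!ml
                IsActive      = $t.IsActive             # $false once removed or quarantined
                DidExecute    = $t.DidThreatExecute
                Resources     = ($_.Resources -join '; ')  # file path(s) the detection hit
                ActionSuccess = $_.ActionSuccess        # $false means quarantine/remove failed
                Process       = $_.ProcessName
            }
        } | Sort-Object Detected
}

function Find-SuspectOpticalDrives {
    # Lists every optical drive the OS knows about. Physical drives usually carry
    # IDE\, SCSI\ or USBSTOR\ IDs naming a hardware vendor; a Windows-mounted ISO
    # shows up with "Virtual" in its ID. The match is an assumption of this example.
    Get-CimInstance -ClassName Win32_CDROMDrive | ForEach-Object {
        [pscustomobject]@{
            Drive        = $_.Drive
            Name         = $_.Name
            PNPDeviceID  = $_.PNPDeviceID
            LooksVirtual = ($_.PNPDeviceID -match 'Virtual')
        }
    }
}

Get-DefenderHealth | Format-List
Get-DefenderThreatHistory -NameFilter 'Wacatac' | Format-Table -AutoSize
Find-SuspectOpticalDrives | Format-Table -AutoSize
# Start-MpScan -ScanType FullScan   # uncomment to start the full scan from here
```

Reading the output: a detection row with IsActive equal to $false and ActionSuccess equal to $true is what a completed quarantine or removal looks like; an ActionSuccess of $false with IsActive still $true is the "incomplete" state the poster describes and is the case to keep following up on. An empty drive list, or one whose only LooksVirtual entry disappears after uninstalling it in Device Manager, is consistent with the virtual-drive theory in the thread being ruled out.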