Help with Wacatac.B!ml on Server 2016 Standard


44 replies to this topic

#16 mlonabaugh
  • Topic Starter
  • Members
  • 188 posts
  • Gender:Male

Posted 30 August 2023 - 03:50 PM

Hello Gary,

I will do this as soon as the daily production is done, and post the results ASAP...

 

Thank you sir!




#17 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 55,541 posts
  • Gender:Male
  • Location:California

Posted 30 August 2023 - 04:07 PM

No problem.

It is common for a detection to get hung up in historical data causing the same entry to be shown as detected when in fact it no longer exists. Resolving it can be tricky because sometimes the file needing to be removed wants to be stubborn while other times it is easily removed. Hopefully temporarily disabling Defender will give us a clean shot at it to see if that is the issue.

Gary 

“Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.”

Where to Start


#18 mlonabaugh
  • Topic Starter
  • Members
  • 188 posts
  • Gender:Male

Posted 30 August 2023 - 05:43 PM

Thanks for the info. 

I have completed the task and patiently await the next steps :)

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 28-08-2023
Ran by SPAdmin (30-08-2023 18:11:05) Run:23
Running from C:\Users\SPAdmin\Desktop
Loaded Profiles: mlonabaugh & Administrator & mlonabaugh & SPAdmin & SPService & amandabackup & NTRSupport1 & NTRSupport2 & NTRSupport3 & NTRSupport4 & printing & Administrator & MSSQLFDLauncher & MSSQL$ADK & Classic .NET AppPool & Microsoft Dynamics NAV 2017 Web Client Application Pool
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start::
CloseProcesses:
Powershell: Set-MpPreference -EnableControlledFolderAccess Disabled
Powershell: Set-MpPreference -DisableRealtimeMonitoring $true
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*.*
C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db
Powershell: Set-MpPreference -EnableControlledFolderAccess Enabled
Powershell: Set-MpPreference -DisableRealtimeMonitoring $false
End::
*****************
 
Processes closed successfully.
 
========= Set-MpPreference -EnableControlledFolderAccess Disabled =========
 
 
========= End of Powershell: =========
 
 
========= Set-MpPreference -DisableRealtimeMonitoring $true =========
 
 
========= End of Powershell: =========
 
 
=========== "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*.*" ==========
 
Could not move "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log" => Scheduled to move on reboot.
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log => moved successfully
 
========= End -> "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*.*" ========
 
Could not move "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db" => Scheduled to move on reboot.
 
========= Set-MpPreference -EnableControlledFolderAccess Enabled =========
 
 
========= End of Powershell: =========
 
 
========= Set-MpPreference -DisableRealtimeMonitoring $false =========
 
 
========= End of Powershell: =========
 
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 30-08-2023 18:27:45)
 
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log => Is moved successfully
C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db => Could not move
 
==== End of Fixlog 18:27:51 ====
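As an added illustration (not code from the thread, from FRST or from BlitzBlank), a PowerShell triage script for the situation Gary describes: it lists Defender's recorded detections, checks whether each referenced file still exists on disk, and reports the state of the history stores the fixlist above tried to move. It assumes the Defender PowerShell module is present and that Get-MpThreatDetection reports resources as "file:_<path>" strings.

```powershell
# Added example (not from the thread): cross-check Defender's detection
# history against the file system to spot a "stuck" historical detection.
# Assumptions: the Defender module is available (Server 2016 ships it) and
# Get-MpThreatDetection reports file resources as "file:_<path>" strings.

# Stores the thread's fixlist targeted; used here only for a presence report.
$historyDir = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'
$engineDb   = 'C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db'

function Get-StaleDefenderDetection {
    # Map ThreatID -> ThreatName so the report is readable.
    $threatNames = @{}
    Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

    # Walk every recorded detection and test each referenced file path.
    foreach ($d in Get-MpThreatDetection) {
        foreach ($res in $d.Resources) {
            # Only file resources carry a path we can verify (prefix is an assumption).
            if ($res -match '^file:_(.+)$') {
                $path = $Matches[1]
                [pscustomobject]@{
                    ThreatName    = $threatNames[$d.ThreatID]
                    Path          = $path
                    StillOnDisk   = Test-Path -LiteralPath $path
                    FirstSeen     = $d.InitialDetectionTime
                    LastSeen      = $d.LastThreatStatusChangeTime
                    DetectingProc = $d.ProcessName
                }
            }
        }
    }
}

$findings = Get-StaleDefenderDetection
$findings | Sort-Object LastSeen -Descending | Format-Table -AutoSize

# A detection that keeps reappearing for a path that no longer exists is the
# "hung up in historical data" case rather than a live infection.
$stale = @($findings | Where-Object { -not $_.StillOnDisk })
Write-Host "`n$($stale.Count) detection(s) reference files that no longer exist."

# Presence of the history stores and the protection state that must be back
# on after any cleanup (the fixlist re-enabled both settings at the end).
Write-Host "`nDetections.log present: $(Test-Path (Join-Path $historyDir 'Detections.log'))"
Write-Host "mpenginedb.db present:  $(Test-Path -LiteralPath $engineDb)"
$status = Get-MpComputerStatus
Write-Host "RealTimeProtectionEnabled: $($status.RealTimeProtectionEnabled)"
Write-Host "Controlled folder access:  $((Get-MpPreference).EnableControlledFolderAccess)"
```

Run it from an elevated PowerShell before and after a cleanup attempt; a detection whose path is already gone but which reappears after reboot points at stale history rather than a live file.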


#19 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 55,541 posts
  • Gender:Male
  • Location:California

Posted 30 August 2023 - 05:46 PM

Can you manually check to see if this file is present?

C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db (=> Could not move)


Gary


#20 mlonabaugh
  • Topic Starter
  • Members
  • 188 posts
  • Gender:Male

Posted 30 August 2023 - 06:50 PM

Hello sir,

The file is present...

 

Update:

Hello Gary,

After reboot the virus was found again. 

I tried not to reboot but the server was running very poorly...

 

I am heading to bed.

Have a great evening and I will talk to you tomorrow...

 

Thanks again!!!!



Edited by mlonabaugh, 30 August 2023 - 08:01 PM.


#21 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 55,541 posts
  • Gender:Male
  • Location:California

Posted 31 August 2023 - 08:49 AM

Thank you for your continued patience.

Please do this. I can't test the step on a Server so you may need to be a bit flexible.

===================================================

Farbar Recovery Scan Tool Fix From Installed Recovery Partition

--------------------
  • If necessary, download Farbar Recovery Scan Tool for 64 bit systems and save it to a USB device
  • Download the attached file fixlist.txt and save it on the same USB device
  • Insert the USB device into your compromised computer
  • Holding down the Shift Key click Start, click the power icon, then select Reboot
  • Click Troubleshoot
  • Click Advanced options
  • Click Command Prompt
  • Choose an account to continue
  • If necessary, enter the password then hit Continue
  • You should be presented with a black command prompt screen
  • In the command window type in Notepad and press Enter.
  • Under File menu select Open
  • Select This PC and double click on your USB drive letter
  • Next to Files of type: select All Files
  • Right click on the FRST icon and select Run as administrator
  • Click Yes to disclaimer that may appear
  • Press Fix button
  • Reboot your computer
  • A fixlog.txt file will be saved on the USB drive. Please copy and paste it to your reply.
  • Check for detections
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Detection?

Gary


#22 mlonabaugh
  • Topic Starter
  • Members
  • 188 posts
  • Gender:Male

Posted 31 August 2023 - 10:31 AM

Hi Gary,

Thanks for the info. 

This task will take a while to complete, probably over the weekend while no one is working (But me) 

I will get it done ASAP....

 

Thanks for everything sir!



#23 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 55,541 posts
  • Gender:Male
  • Location:California

Posted 31 August 2023 - 06:24 PM

Hi Mark.

I have tested the below on my computer and it worked. Please run this before running the Recovery Environment steps.

===================================================

BlitzBlank

--------------------
  • Right click on BlitzBlank, select Save as..., and save it to your Desktop
  • Right click on BlitzBlank.exe and select Run as administrator
  • Click OK on the warning screen
  • Select the Script tab
  • Copy and paste the following into the Script box:
DeleteFile:
C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db
DeleteFolder:
C:\Windows\Temp
  • Close all open programs except for BlitzBlank
  • Click the Execute Now button
  • Click OK twice
  • Your computer will automatically reboot
  • Following reboot complete the next step
===================================================

Farbar Recovery Scan Tool Fix

--------------------
  • Right click on the FRST64 icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST64 will do it for you
Start::
cmd: type blitzblank.log
File:  C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db
Folder: C:\Windows\Temp
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog

Gary


#24 mlonabaugh
  • Topic Starter
  • Members
  • 188 posts
  • Gender:Male

Posted 01 September 2023 - 08:08 AM

Good morning Gary,

Thank you for the updated info.

 

I will perform this task  ASAP...

Everything is running smoothly at the moment, and I do not want to make any waves until the weekly production is through...

I know you understand the rationale behind that train of thought. :)

 

Like always, your assistance is deeply appreciated. 

 

I hope you have a great holiday weekend my friend...



#25 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 55,541 posts
  • Gender:Male
  • Location:California

Posted 01 September 2023 - 09:02 AM

Thanks Mark, I understand and no rush on my side.

My suspicion is this is a false positive but until we can remove that file we won't know for sure.

Gary


#26 mlonabaugh
  • Topic Starter
  • Members
  • 188 posts
  • Gender:Male

Posted 03 September 2023 - 10:11 AM

I hope you are enjoying the long weekend sir...

This was much easier, and less time consuming than I expected and I have completed the task.

 

Obviously there is no rush on my end for you to respond to this message.

I will let you know if the virus is detected again...

 

Thank you!!!!

********************************************************************************

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 28-08-2023
Ran by SPAdmin (03-09-2023 11:02:57) Run:24
Running from C:\Users\SPAdmin\Desktop
Loaded Profiles: SPAdmin & MSSQLFDLauncher & MSSQL$ADK & Microsoft Dynamics NAV 2017 Web Client Application Pool
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start::
cmd: type blitzblank.log
File:  C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db
Folder: C:\Windows\Temp
End::
*****************
 
 
========= type blitzblank.log =========
 
The system cannot find the file specified.
 
 
========= End of CMD: =========
 
 
========================= File:  C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db ========================
 
C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db
Catalog: Error1: CreateFileW function failed
File not signed
MD5: C4FC9D2269483C846211ADD3A8C2750D
Creation and modification date: 2023-08-30 18:26 - 2023-09-03 10:54
Size: 000811008
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
VirusTotal: 0
 
====== End of File: ======
 
 
========================= Folder: C:\Windows\Temp ========================
 
2023-09-03 10:22 - 2023-09-03 10:22 - 000028672 __AHT [733ED267A563285CF46C7652670E93C9] () C:\Windows\Temp\etilqs_ldqAoNiB8gB7pRW
2023-09-03 10:23 - 2023-09-03 10:23 - 000028672 __AHT [733ED267A563285CF46C7652670E93C9] () C:\Windows\Temp\etilqs_XDzPnCzeNtLGqXE
2023-08-30 07:22 - 2023-08-30 07:22 - 000001074 ____A [00000000000000000000000000000000] (Access Denied) C:\Windows\Temp\MpCmdRun.log
2023-08-30 07:32 - 2023-09-03 10:49 - 000121902 ____A [F6E7ED1BF5B15EF442191075698376E4] () C:\Windows\Temp\MpSigStub.log
2023-09-01 17:09 - 2023-09-01 17:09 - 000001240 ____A [FF3898B7373805AC8D9FE9B49E1FABD0] () C:\Windows\Temp\Scheduler_LastScan.txt
2023-08-30 07:15 - 2023-08-30 07:15 - 000000102 ____A [00000000000000000000000000000000] (Access Denied) C:\Windows\Temp\silconfig.log
2023-08-30 07:18 - 2023-08-30 07:18 - 000000000 ____D [00000000000000000000000000000000] C:\Windows\Temp\_avast_
2023-08-30 07:16 - 2023-08-30 07:17 - 000000000 ____D [00000000000000000000000000000000] C:\Windows\Temp\LogMeInDumps
2023-08-30 07:14 - 2023-08-30 07:14 - 000000000 ____D [00000000000000000000000000000000] C:\Windows\Temp\LogMeInLogs
2023-09-03 10:46 - 2023-09-03 10:46 - 000000000 ____D [00000000000000000000000000000000] C:\Windows\Temp\tmp0000032f
2023-09-03 10:46 - 2023-09-03 10:46 - 000000000 ____A [D41D8CD98F00B204E9800998ECF8427E] () C:\Windows\Temp\tmp0000032f\tmp00000000
 
====== End of Folder: ======
 
 
==== End of Fixlog 11:03:00 ====


#27 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 55,541 posts
  • Gender:Male
  • Location:California

Posted 03 September 2023 - 12:50 PM

That output does not look right. Could you please run this for me?

===================================================

Farbar Recovery Scan Tool Search

--------------------
  • Launch FRST
  • Type the following in the Search: box
blitzblank
  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document into your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Search.txt

Gary


#28 mlonabaugh
  • Topic Starter
  • Members
  • 188 posts
  • Gender:Male

Posted 03 September 2023 - 07:05 PM

Hello sir,

Sorry for the delay, but that took forever to finish.

I hope this was what you were expecting to see my friend...

 

Thanks!

*********************************************************************

 

 

Farbar Recovery Scan Tool (x64) Version: 28-08-2023
Ran by SPAdmin (03-09-2023 15:23:50)
Running from C:\Users\SPAdmin\Desktop
Boot Mode: Normal
 
================== Search Files: "blitzblank" =============
 
 
====== End of Search ======


#29 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 55,541 posts
  • Gender:Male
  • Location:California

Posted 03 September 2023 - 07:36 PM

It is what I expected to see but it is not good news. We need to go back to Post #21 and try it the more difficult way.

 

 


Gary


#30 mlonabaugh
  • Topic Starter
  • Members
  • 188 posts
  • Gender:Male

Posted 03 September 2023 - 08:25 PM

Hi Gary,

I was hoping you wouldn't say that.

I will do the task as soon as possible my friend. 

 

Thank you!!!!





