Help with Wacatac.B!ml on Server 2016 Standard


44 replies to this topic

#31 Oh My!

    Adware and Spyware and Malware

  • Malware Response Instructor
  • 55,541 posts
  • Gender:Male
  • Location:California

Posted 03 September 2023 - 08:56 PM

Let's see how we do. I am now not as confident Post #21 will work. If not, I have another process that will. We would boot into a Linux environment to completely bypass Windows then access and remove the offending entries.

Gary 

“Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.”

Where to Start



#32 mlonabaugh
  • Topic Starter
  • Members
  • 188 posts
  • Gender:Male

Posted 04 September 2023 - 10:06 AM

Hi Gary,

Thanks for the update.

I will go into work now and try to hammer this out...   :smash:



#33 mlonabaugh
  • Topic Starter

Posted 04 September 2023 - 11:23 AM

So that was much easier than I expected as well :)

I hope this is good news...

Thank you sir.

*****************************************************************

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 28-08-2023
Ran by SYSTEM (04-09-2023 12:11:43) Run:25
Running from F:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db
C:\Windows\Temp
*****************
 
C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db => moved successfully
C:\Windows\Temp => Could not move
 
==== End of Fixlog 12:11:44 ====
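The Fixlog above says one fixlist entry was moved and one was not. As an added example that is not part of this thread and not part of FRST itself, here is a small POSIX shell parser that reads a Fixlog and separates the entries FRST acted on from the ones it could not, run over a constructed copy of the log posted above (the sample text and the function names are the example's own):

```shell
#!/bin/sh
# Added example, not from the thread or from FRST. Parses the result lines of
# a Farbar Recovery Scan Tool Fixlog and reports which fixlist entries were
# actually moved and which FRST could not act on.

# Constructed sample: a copy of the Fixlog posted in the thread.
SAMPLE_FIXLOG=$(cat <<'EOF'
Fix result of Farbar Recovery Scan Tool (x64) Version: 28-08-2023
Ran by SYSTEM (04-09-2023 12:11:43) Run:25
Running from F:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db
C:\Windows\Temp
*****************

C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db => moved successfully
C:\Windows\Temp => Could not move

==== End of Fixlog 12:11:44 ====
EOF
)

# fixlog_results LOGTEXT
#   Emits one "status<TAB>path" line per result entry. Result lines have the
#   form "<drive>:\... => <outcome>"; the lines that merely repeat the fixlist
#   have no " => " part and are skipped. Any outcome that starts with
#   "Could not" counts as a failure.
fixlog_results() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z]:\\.* => / {
            split($0, parts, " => ")
            status = (parts[2] ~ /^Could not/) ? "failed" : "ok"
            printf "%s\t%s\n", status, parts[1]
        }'
}

# fixlog_failures LOGTEXT
#   Prints only the paths FRST failed on, one per line: these are the entries
#   that still need another approach (here, removing C:\Windows\Temp offline).
fixlog_failures() {
    fixlog_results "$1" | awk -F'\t' '$1 == "failed" { print $2 }'
}

# Stand-alone use: report on the sample, or on a real Fixlog.txt given as $1.
if [ "${1:-}" ]; then
    fixlog_results "$(cat "$1")"
else
    fixlog_results "$SAMPLE_FIXLOG"
fi
```

On the sample this prints `ok` for the Defender database and `failed` for `C:\Windows\Temp`, which is exactly the entry the next post moves on to.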


#34 Oh My!

Posted 04 September 2023 - 03:17 PM

Hi Mark.

The Windows Defender file was removed but the C:\Windows\Temp folder was not. I was concerned this might happen.

I am not really familiar with Server 2016 and you may find Ubuntu is prohibited from booting because of BIOS (Secure boot) type settings. Just a heads up regarding a possible hiccup. Please attempt this.

===================================================

Deleting File/Folder Running Ubuntu From a USB Device

--------------

Note: This is an older version of Ubuntu which I have tested and is sufficient for our purposes.
  • You will need a USB device with at least 2 GB of space
  • If necessary insert your USB drive into a clean computer. Caution: The next step will remove all information from your USB device.
  • Press Start, My Computer, right click your USB drive, click Format, then select Quick format
  • Download Ubuntu Live Ubuntu 12.04.4. This is a large file so allow it some time to download
  • Download UNetbootin and save it to your Desktop as well
  • Double click the UNetbootin icon, select Run, then I Agree
  • Select the Diskimage Option then click the Browse Button located on the right side of the textbox field.
  • Browse to and double click the Ubuntu 12.04.4 file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • With the USB device inserted into the infected computer restart your computer
  • If your computer does not automatically boot from the USB device please see here
  • Select Try Ubuntu without installing
  • Click the Home Folder (3rd one from the top)
  • Under Devices you will see a System entry along with one or more additional entries indicating a GB size (i.e. 250GB)
  • Click on a GB entry until you see the Windows folder on the right side
  • By means of double clicking folders, individually navigate to the following location:

C:\Windows\Temp

  • Right click on the entry and select Move to Trash
  • In the upper right hand corner of your screen select the icon just to the right of the time
  • Click Shut down... then click Shut down... again in the pop up window
  • Reboot your computer into Windows
  • Click the Windows key + E at the same time
  • Navigate to the listed location and confirm the entry has been removed
  • Post back with the results
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Results?

Gary 

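Added example, not part of Gary's instructions and not Ubuntu's own tooling: the same step done from a terminal in the live session, moving the volume's Windows\Temp folder into a quarantine directory (with a manifest of the files it held) instead of sending it to the Trash, so the contents stay available for inspection and the result can be reported back. It assumes the NTFS volume is already mounted (in a live session the file manager mounts it under /media/ubuntu/, which is an assumed path here) and takes the mount point and a quarantine directory as arguments; the directory layout used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Moves <mountpoint>/Windows/Temp into a
# quarantine directory from a live Linux session, keeping a manifest of the
# files it contained. Windows recreates C:\Windows\Temp on the next boot,
# as the thread notes, so the folder itself is safe to take out of the way.
set -u

# find_windows_temp ROOT
#   Prints the path of ROOT/Windows/Temp. Directory names are compared
#   case-insensitively because NTFS preserves case while Windows ignores it,
#   so the mounted tree may read "WINDOWS" or "windows".
find_windows_temp() {
    root=$1
    for win in "$root"/*; do
        [ -d "$win" ] || continue
        name=$(basename "$win" | tr '[:upper:]' '[:lower:]')
        [ "$name" = "windows" ] || continue
        for tmp in "$win"/*; do
            [ -d "$tmp" ] || continue
            name=$(basename "$tmp" | tr '[:upper:]' '[:lower:]')
            if [ "$name" = "temp" ]; then
                printf '%s\n' "$tmp"
                return 0
            fi
        done
    done
    return 1
}

# quarantine_windows_temp ROOT QUARANTINE_DIR
#   Writes a manifest of every file under Windows/Temp, then moves the whole
#   folder to QUARANTINE_DIR/Windows-Temp-<timestamp> and prints that path.
#   Fails (non-zero) if the folder is not present, e.g. on a second run.
quarantine_windows_temp() {
    root=$1
    quarantine=$2
    target=$(find_windows_temp "$root") || {
        printf 'no Windows/Temp folder found under %s\n' "$root" >&2
        return 1
    }
    mkdir -p "$quarantine" || return 1
    dest="$quarantine/Windows-Temp-$(date +%Y%m%d-%H%M%S)"
    # Manifest first: if the move fails halfway we still know what was there.
    find "$target" -type f > "$dest.manifest" || return 1
    mv "$target" "$dest" || return 1
    printf '%s\n' "$dest"
}

# Stand-alone use (assumed mount points):
#   sh quarantine_temp.sh /media/ubuntu/<volume> /media/ubuntu/<usb>/quarantine
if [ "${1:-}" ] && [ "${2:-}" ]; then
    quarantine_windows_temp "$1" "$2"
fi
```

Quarantining rather than trashing keeps the evidence: the manifest shows what was in the folder at removal time, and the moved copy can be scanned or hashed later. Put the quarantine directory on the USB stick or another volume, never inside the Windows folder being cleaned.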


#35 mlonabaugh
  • Topic Starter

Posted 05 September 2023 - 07:35 AM

Good morning sir,

Like usual this may take a while to accomplish. 

 

I want to be clear, the end game is to delete the entire Windows Temp "Folder", not the contents? 

 

Thank you!



#36 Oh My!

Posted 05 September 2023 - 08:51 AM

No problem on the delay, I understand the availability issue.

 

Yes sir, delete the entire folder and it should be automatically recreated upon reboot.


Gary 



#37 mlonabaugh
  • Topic Starter

Posted 10 September 2023 - 09:04 AM

Good morning,

I finally completed the task and the temp folder seemed to be successfully deleted.

There is now a Windows\Temp folder that was created after reboot.

 

Is that what you expected my friend?

 

Thank you!!!!



#38 Oh My!

Posted 10 September 2023 - 09:32 AM

Welcome back sir.

Yes, that is exactly what I expected. Run a Windows Defender scan and see how we do.

Gary 



#39 Oh My!

Posted 13 September 2023 - 04:00 PM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Gary 



#40 Oh My!

Posted 15 September 2023 - 10:55 AM

Are you with me Mark?

Gary 



#41 mlonabaugh
  • Topic Starter

Posted 17 September 2023 - 02:59 PM

Hi Gary,

I'm so sorry, I've been swamped and missed your last 3 messages.

I followed your last instruction and so far there have not been any more Virus found messages from Defender.

 

I think your suggestion did the trick my friend...

 

Thank you so very much for your help and your patience!!!!



#42 Oh My!

Posted 17 September 2023 - 03:56 PM

You are quite welcome Mark.

It sounds like we are all set unless you have any other issues or questions.

Gary 



#43 Oh My!

Posted 19 September 2023 - 08:05 AM

Hi Mark.

I know you are quite busy, and it seems like we are all set, so......

Here is our final step and some additional information to consider.

===================================================

KpRm by Kernel-panik

--------------
  • Download KpRm and save it to your Desktop (see here if you must use Chrome)
  • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
  • Right click on the icon and select Run as administrator
  • Click Yes on the Disclaimer
  • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
  • Click Run
  • Click OK on All operations are completed
  • KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
  • You are free to remove any other tools/reports still remaining
===================================================

All Clean!

--------------

Your computer is now clean. Please consider this going forward.

===================================================

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know about how to keep your computer secure and clean. Please take the time to read: Simple and easy ways to keep your computer safe and secure on the Internet.

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.

Gary 



#44 Oh My!

Posted 21 September 2023 - 01:49 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Gary 



#45 Oh My!

Posted Today, 09:23 AM

This topic has been re-opened at the request of the person who originally posted.

Gary 





