unknown.log appearing in Windows Defender Service folder


  1. Posts : 55
    win10
       #1

    unknown.log appearing in Windows Defender Service folder


    I've had another thread about trying to get rid of the wacatac trojan which Windows Defender keeps reporting and blocking:

    Virus Trojan:32/Wacatac.DC!ml not completely remediated on Windows PC

    Once everything is clean, I shut down my PC (after running adaware, ccleaner, emissoft and WD) plus ensuring that the WD Service History folder was empty (someone suggested that this was a false positive coming from logs in that file).

    However, when I restart my computer a file called unknown.log shows up in the WD Service folder. Can anyone shed light on this file? Could this have any bearing on the wacatac trojan? Note, no other antivirus program (I've tried several) has ever found a problem except for WD.

    I checked the content of the last unknown.log. It was:
    1446361181
    2613142394
    2500079355
    3222978219

    Again, the time on this was exactly the time I shut down my computer.

    I am running the latest version of W10.
    Last edited by mitrajoon; 23 Sep 2020 at 19:09.


  2. Posts : 1,612
    11, 10, 8.1 and 7 all Professional versions, and Linux Mint
       #2

    IMHO you really need a malware expert and I am not one by any means
    However until you find one replying to your topic, my advice is not to run CCleaner as part of the procedure to try and eliminate the recurring found threat.
    I appreciate there are many people who swear by CCleaner and its capabilities. It certainly has its place, but in my experience, even although Piriform, which has for some time been part of the AVAST group, has made some changes to CCleaner to make it more compatible with 10, it still remains in default mode - unsuitable for use on a general basis.

    Certainly at one time it was deleting files that made Defender think that each scan was the first scan.

    As I said you really need an expert in malware issues, not to mean that you definitely have malware, but to run the scans that the specialists have available to them.

    That said you mention a number of times the fact that you have deleted the history in the WD Service History folder, but I am still unsure as to which you have deleted.

    I suggest that you stop CCleaner running or even better uninstall it.

    I then suggest that you verify that this
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service.

    In the "Service" folder, find and delete "Detection History".
    REMEMBER to empty the RECYCLE BIN

    Is where you have been and deleted the items. To do so of course you must enable - show hidden files and folders in view option.
    AFTER deleting them what is often missed is that you then need to FULLY shutdown the computer and reboot.
    NOT merely the usual windows 10 hybrid shutdown.
    You may do that either by restart which is a complete shutdown OR by
    Step 1: Open Start menu, select Power button.

    Step 2: Press and hold the Shift key on keyboard, while clicking on Shut down, and then release the Shift key to perform a full shutdown.

    I then suggest that you open settings
    Update and security
    windows security
    virus and threat protection and scan options and then do a FULL SCAN.

    TO DO THIS effectively it is vital to disable all third party system maintenance tools and all third party AV programs, even if they are scan on demand only.

    Then see what it finds.
    Please post back with the results


  3. Posts : 1,612
    11, 10, 8.1 and 7 all Professional versions, and Linux Mint
       #3

    I have just added a line to my post. It is in red coloured text


  4. Posts : 55
    win10
    Thread Starter
       #4

    Macboatmaster, thank you so much for your extended reply. I have actually been doing exactly what you suggested regarding deleting both the files and the recycle bin, fully shutting down and running a full scan with WD. The only thing I haven't done yet is remove CCleaner.

    It occurred to me that the unknown.log may actually be generated by WD and is how it is detecting the trojan. I'm wondering if by deleting it I'm shooting myself because that deletion may be preventing WD from detecting and blocking it. I'm surprised that even an internet search turns up nothing on unknown.log that seems relevant to WD.

    I'm getting to the point that I may just do a clean reinstall of W10 as painful as that is to consider. Very frustrating.


  5. Posts : 1,612
    11, 10, 8.1 and 7 all Professional versions, and Linux Mint
       #5

    send a V2 collector log report please
    BSOD - Posting Instructions

    I may just find an entry for the related files
    Having read all of the other topic on which you posted, one may come to the conclusion that something running on tasks is producing the suspected file

    I am not sure you have been doing exactly what I said, as IMHO a key element to this is to ensure that all other security apps even if they run only on demand and CCleaner are preferably uninstalled and at the very least disabled

    I presume you are aware that CCleaner has some history to it.
    Avast Network Breached As Hackers Target CCleaner Again | Threatpost
    I did mention that it was now owned by Avast

    Unless even after the deletion of the history of defender - there is still something lurking in Defender files, that it finds itself, then one may I think presume that it must be a case of the file being regenerated, especially as on one occasion you say it was all clear for
    After one week of no problems wacatac has again been detected and blocked by Windows Defender.
    Also on the other topic mentioned by you, on the opening post it reports
    REMEDIATION INCOMPLETE
    Does Defender report the same on your system under protection history when it finds the file


  6. Posts : 6,851
    22H2 64 Bit Pro
       #6

    Just a hunch but uninstall Ccleaner, reboot, then install Slim Build (unless you are actually using CCleaner Pro)

    https://www.ccleaner.com/ccleaner/builds

    Also did you manage to install WiseVector StopX ?

    And if so did it notify of anything suspicious?


  7. Posts : 6,851
    22H2 64 Bit Pro
       #7

    mitrajoon said:
    It occurred to me that the unknown.log may actually be generated by WD and is how it is detecting the trojan. I'm wondering if by deleting it I'm shooting myself because that deletion may be preventing WD from detecting and blocking it.
    mitrajoon said:
    I'm surprised that even an internet search turns up nothing on unknown.log that seems relevant to WD.
    See: https://social.technet.microsoft.com...nderATPPreview


    I don't see MPLog . . . What if I search this Windows Defender folder for the keyword "log"?
    Five appear. Sort by "Date created" and take a look:

    History.Log
    Detections.log
    MPDetection-20190903-143407.log
    MPLog-20190903-143407.log
    Unknown.Log

    This looks like it, it contains detections. It is not in the "Offline Scanner" folder:


    In addition to WiseVector StopX run Microsoft Safety Scanner as detailed here:

    https://www.microsoft.com/en-us/wdsi...Id=-2147209505

    https://docs.microsoft.com/en-us/win...anner-download

    Scan with Defender OFFLINE as detailed here:

    https://support.microsoft.com/en-us/...moving-malware

    Expand the section "Malware keeps coming back"
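    An added PowerShell example, not from this thread or from Microsoft, that does what posts #2 and #7 describe without deleting anything: it lists the Defender history log files sorted by creation date (the search quoted above), then reads the same detection history Defender shows under Protection History, so the Blocked versus remediation-incomplete question raised in post #5 can be answered from the record rather than from memory. It assumes Windows 10 with the built-in Defender PowerShell module, an elevated prompt, and the folder path given in post #2.

```powershell
# Added example: read, don't delete. Run from an elevated PowerShell prompt.
# Folder path taken from post #2; unknown.log and History.Log live in its Service subfolder.
$HistoryRoot = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History'

# 1. The same search post #7 suggests: every *.log under the History tree, oldest first.
#    CreationTime is what lets you line a file such as unknown.log up with a shutdown time.
Get-ChildItem -Path $HistoryRoot -Recurse -Filter '*.log' -Force -ErrorAction SilentlyContinue |
    Sort-Object CreationTime |
    Format-Table FullName, Length, CreationTime, LastWriteTime -AutoSize

# 2. ThreatStatusID meanings as documented for the MSFT_MpThreatDetection WMI class
#    (assumed mapping; codes not listed here are shown numerically).
$StatusName = @{
    1 = 'Detected'; 2 = 'Cleaned'; 3 = 'Quarantined'; 4 = 'Removed'; 5 = 'Allowed'; 6 = 'Blocked'
    102 = 'QuarantineFailed'; 103 = 'RemoveFailed'; 104 = 'AllowFailed'; 105 = 'Abandoned'; 107 = 'BlockFailed'
}

# 3. Protection History as Defender itself records it: one row per detection event,
#    joined to the threat name (e.g. Trojan:Win32/Wacatac.DC!ml) via ThreatID.
$ThreatNames = @{}
Get-MpThreat | ForEach-Object { $ThreatNames[[int64]$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        $code   = [int]$_.ThreatStatusID
        $status = if ($StatusName.ContainsKey($code)) { $StatusName[$code] } else { $code }
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $ThreatNames[[int64]$_.ThreatID]
            Status    = $status                 # 'Blocked' vs. a *Failed code answers post #5's question
            Succeeded = $_.ActionSuccess
            Process   = $_.ProcessName          # which process touched the flagged resource
            Resources = ($_.Resources -join '; ')
        }
    } | Format-Table -AutoSize -Wrap

# For reference, the scans posts #2 and #10 ask for (the offline scan reboots the PC at once):
#   Start-MpScan -ScanType FullScan
#   Start-MpWDOScan
```

    If the Resources column points at files inside the History tree itself, that supports the false-positive theory raised in post #1; a resource elsewhere on disk, with a Process name attached, points at something being regenerated as post #5 suspects.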


  8. Posts : 1,612
    11, 10, 8.1 and 7 all Professional versions, and Linux Mint
       #8

    May I come back to my last comment on my previous post
    Also on the other topic mentioned by you, on the opening post it reports
    REMEDIATION INCOMPLETE
    Does Defender report the same on your system under protection history when it finds the file
    The reason I have posted it again is that I see this as a VERY important question.

    ========================================================================

    I think on an issue such as this it is vital that you work with only one person.
    I will therefore leave you with Callender
    I hope you get it sorted.


  9. Posts : 55
    win10
    Thread Starter
       #9

    Thank you both. I haven't responded in a couple of days because wacatac has not been reported. I'm pretty confident that it eventually will as the longest it's gone w/o showing has been 7 days. We'll see...

    Regarding your suggestions:
    Macboatmaster: I will consider the V2 collector log when the trojan reappears. The report by WD is that the threat is BLOCKED. Nothing about remediation Incomplete. I am not entirely convinced that I should delete my antivirus programs and CCleaner so I will hold off on that.

    Callendar: I did load WiseVector StopX but like all the other similar programs I've tried, it detects nothing. I have run the Microsoft Safety Scanner many times and in fact keep a shortcut to it on my Desktop. Again, it has never detected anything. My Service History folder only contains history.log and unknown.log. I have been deleting these, but have decided to leave them alone for now. Previous posters have said the history log was causing WD to report the trojan over and over. The others you mention are not there. I did uninstall CCleaner and reinstalled the slim build (never heard of it before). Looks the same to me so I'm not sure what the difference is. But it seems to work the same.

    I hope you both know how much I appreciate the time you have put into this mystery.


  10. Posts : 6,851
    22H2 64 Bit Pro
       #10

    Ccleaner Slim Build doesn't come bundled with toolbars or any extras:

    https://www.microsoft.com/en-us/wdsi...iriformBundler

    RE: WiseVector StopX. If a scan showed clean then it would most likely only detect a trojan once it activated. So you could either leave it running for the next week or so - or else uninstall it. That's your call.

    Consider Defender OFFLINE scan anyway.

    How to Run a Microsoft Defender Offline Scan in Windows 10

    NOTE: You will be signed out of your PC and unable to use it during the scan.
    Last edited by Callender; 25 Sep 2020 at 14:04. Reason: typo