WD says I have a trojan at every boot


  1. Posts : 2,935
    Windows 10 Home x64
       #1

    WD says I have a trojan at every boot


    Hello.

    Windows Defender says I have a trojan on every boot, but when I check WD Security Center there is nothing there.

    I haven't noticed anything weird but the message is getting on my nerves.

    Ran AdwCleaner and it came up clean.

    This is the report and suspected file via Powershell:

    CategoryID : 8
    DidThreatExecute : False
    IsActive : False
    Resources : {file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\CRDA093Q\deploy[1].xml,
    file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\R5XBHIFN\deploy[1].xml,
    file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\XYO5Y5ZK\deploy[1].xml}
    RollupStatus : 33
    SchemaVersion : 1.0.0.0
    SeverityID : 5
    ThreatID : 2147722737
    ThreatName : Trojan:JS/Runsas
    TypeID : 0
    PSComputerName :


    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.11.15063.447
    CleaningActionID : 2
    CurrentThreatExecutionStatusID : 1
    DetectionID : {296FDAD3-8D05-4216-BD74-D3E87F3DB9C5}
    DetectionSourceTypeID : 3
    DomainUser : LABUSQUEDA\LaBusqueda
    InitialDetectionTime : 26/07/2017 9:34:25
    LastThreatStatusChangeTime : 26/07/2017 9:34:58
    ProcessName : C:\Windows\System32\regsvr32.exe
    RemediationTime : 26/07/2017 9:34:58
    Resources : {file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\R5XBHIFN\deploy[1].xml}
    ThreatID : 2147722737
    ThreatStatusErrorCode : 0
    ThreatStatusID : 3
    PSComputerName :

    That file isn't present because I emptied all my browsers caches.

    Any ideas on how to proceed?

    TIA


  2. Posts : 7,254
    Windows 10 Pro 64-bit
       #2

    Can you try running the Eset Online Scanner.


  3. Posts : 2,935
    Windows 10 Home x64
    Thread Starter
       #3

    Yes. I have already thought about running an AV program offline but I cannot right now. It's a work PC.

    I will check it later. I may run WD offline too to have a second opinion.

    Thank you very much.


  4. Posts : 7,254
    Windows 10 Pro 64-bit
       #4

    This is the opposite, it's their online scanner, you don't have to install the full program, just enough to get a scan going.

    An offline scan wouldn't hurt either.


  5. Posts : 5,478
    2004
       #5

    Sign onto another account and delete the C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache folder.

    It will be regenerated next time you log on.


  6. Posts : 5,452
    Windows 11 Home
       #6

    It might be a fileless malware. Check startup entries, particularly scheduled tasks.

    Autoruns for Windows - Windows Sysinternals | Microsoft Docs
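
The check suggested in post #6, as an added example that is not part of any post in this thread: it lists scheduled tasks and Run-key values whose command line mentions regsvr32.exe (the ProcessName in the detection in post #1) or the INetCache folder. The function names and the match pattern are assumptions made for this example; run it from an elevated prompt so all tasks are visible.

```powershell
# Constructed pattern (assumption): the process named in the detection in post #1,
# plus the cache folder the flagged file was written to.
$pattern = 'regsvr32|INetCache'

function Find-SuspectScheduledTask {
    param([string]$Pattern)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions leave them empty.
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $Pattern) {
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Command = $cmd.Trim()
                }
            }
        }
    }
}

function Find-SuspectRunEntry {
    param([string]$Pattern)
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            if ($data -match $Pattern) {
                [pscustomobject]@{ Source = $key; Name = $valueName; Command = $data }
            }
        }
    }
}

# Recent Defender detections, to compare timestamps and the launching process.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 InitialDetectionTime, ProcessName, Resources |
    Format-List

# Autostart entries matching the pattern; no output means nothing matched.
@(Find-SuspectScheduledTask -Pattern $pattern) + @(Find-SuspectRunEntry -Pattern $pattern) |
    Format-Table -AutoSize -Wrap
```

A match is only a lead to review by hand (Autoruns shows the same entries with signature information); legitimate software can register regsvr32.exe tasks too.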


  7. Posts : 5
    Windows 10 creator edition
       #7

    Try an offline scan: open WD Security Center, click Advanced on the scan section, select offline scan and click scan, then click scan and follow the on-screen instructions.


  8. Posts : 16,325
    W10Prox64
       #8

    Maybe try SuperAntiSpyware Free?
    RUNSAS.EXE - Trojan.Agent/Gen-Renamer | SUPERAntiSpyware

    Honestly never heard of this one, but worth a try.

    It could also be a FP, because that is the file name of SuperAntiSpyware's Alternate Start Tool


  9. Posts : 2,935
    Windows 10 Home x64
    Thread Starter
       #9

    In the end I restored a Macrium Reflect backup copy. Now I have to investigate where and how I caught that. I have made some changes to WD to strengthen security (enable PUA detection) and I have installed MBAE (which wasn't installed).


  10. Posts : 7,254
    Windows 10 Pro 64-bit
       #10

    simrick said:
    Maybe try SuperAntiSpyware Free?
    RUNSAS.EXE - Trojan.Agent/Gen-Renamer | SUPERAntiSpyware

    Honestly never heard of this one, but worth a try.

    It could also be a FP, because that is the file name of SuperAntiSpyware's Alternate Start Tool
    Surprised you've never heard of SAS, it's pretty well known on these forums. It's mostly used for scanning for malicious cookies, which it does very well.


 
