  1.    27 Jul 2017 #1
    Join Date : Jul 2015
    Posts : 870
    Windows 10 Home x64

    WD says I have a trojan at every boot


    Hello.

    Windows Defender says I have a trojan on every boot, but when I check WD Security Center there is nothing there.

    I haven't noticed anything weird but the message is getting on my nerves.

    Ran AdwCleaner and it came up clean.

    This is the report and suspected file via PowerShell:

    CategoryID : 8
    DidThreatExecute : False
    IsActive : False
    Resources : {file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\CRDA093Q\deploy[1].xml,
    file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\R5XBHIFN\deploy[1].xml,
    file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\XYO5Y5ZK\deploy[1].xml}
    RollupStatus : 33
    SchemaVersion : 1.0.0.0
    SeverityID : 5
    ThreatID : 2147722737
    ThreatName : Trojan:JS/Runsas
    TypeID : 0
    PSComputerName :


    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.11.15063.447
    CleaningActionID : 2
    CurrentThreatExecutionStatusID : 1
    DetectionID : {296FDAD3-8D05-4216-BD74-D3E87F3DB9C5}
    DetectionSourceTypeID : 3
    DomainUser : LABUSQUEDA\LaBusqueda
    InitialDetectionTime : 26/07/2017 9:34:25
    LastThreatStatusChangeTime : 26/07/2017 9:34:58
    ProcessName : C:\Windows\System32\regsvr32.exe
    RemediationTime : 26/07/2017 9:34:58
    Resources : {file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\R5XBHIFN\deploy[1].xml}
    ThreatID : 2147722737
    ThreatStatusErrorCode : 0
    ThreatStatusID : 3
    PSComputerName :

    That file isn't present because I emptied all my browsers caches.

    Any ideas on how to proceed?

    TIA
  2.    27 Jul 2017 #2

    Can you try running the Eset Online Scanner.
  3.    27 Jul 2017 #3
    Join Date : Jul 2015
    Posts : 870
    Windows 10 Home x64
    Thread Starter

    Yes. I have already thought about running an AV program offline but I cannot right now. It's a work PC.

    I will check it later. I may run WD offline too to have a second opinion.

    Thank you very much.
  4.    27 Jul 2017 #4

    This is the opposite, it's their online scanner, you don't have to install the full program, just enough to get a scan going.

    An offline scan wouldn't hurt either.
  5.    27 Jul 2017 #5
    Join Date : Jul 2015
    Posts : 3,755
    10 Pro

    Sign onto another account and delete the C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache folder.

    It will be regenerated next time you log on.
  6.    27 Jul 2017 #6
    Join Date : Oct 2014
    Trnava
    Posts : 2,869
    Windows 10.4 Home 1709 x64

    It might be fileless malware. Check startup entries, particularly scheduled tasks.

    Autoruns for Windows - Windows Sysinternals | Microsoft Docs
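One way to do the check suggested in post #6 from PowerShell, as an added example that is not part of the thread. It lists Defender detections raised by regsvr32.exe (the ProcessName in the report in post #1), then looks for scheduled tasks and Run keys that launch regsvr32 or a script host; the pattern list and the registry locations are assumptions about where such a launcher might be registered.

```powershell
# Added triage example (not from the thread). Run from an elevated PowerShell.
# 'regsvr32' comes from the ProcessName in post #1; the other patterns and
# the Run-key locations are assumptions about where a launcher may persist.

# 1. Defender detections where regsvr32.exe was the process touching the file.
Get-MpThreatDetection |
    Where-Object { $_.ProcessName -like '*\regsvr32.exe' } |
    Sort-Object InitialDetectionTime |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-List

# Command lines worth a second look: script hosts and anything fetching a URL.
$suspect = 'regsvr32|scrobj|mshta|wscript|cscript|powershell|https?://'

# 2. Scheduled tasks whose action matches the pattern.
$taskHits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Exec actions expose Execute/Arguments; COM handler actions leave
        # both empty and therefore never match.
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $suspect) {
            [pscustomobject]@{
                Source  = "Task: $($task.TaskPath)$($task.TaskName)"
                Command = $cmd.Trim()
            }
        }
    }
}

# 3. Per-user and machine-wide Run keys.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$runHits = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... properties the provider adds.
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $suspect) {
            [pscustomobject]@{ Source = "$key\$($p.Name)"; Command = "$($p.Value)" }
        }
    }
}

@($taskHits) + @($runHits) | Format-Table -AutoSize -Wrap
```

A match is a lead to inspect, not a verdict: legitimate tasks also call PowerShell and script hosts, so compare each hit against what is expected on that machine.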
  7.    27 Jul 2017 #7
    Join Date : Jul 2017
    Ninjago
    Posts : 5
    Windows 10 creator edition

    Try an offline scan: open WD Security Center, click Advanced in the scan section, select offline scan and click scan, then click scan and follow the on-screen instructions.
  8.    27 Jul 2017 #8
    Join Date : Apr 2015
    Posts : 12,841
    W10Prox64

    Maybe try SuperAntiSpyware Free?
    RUNSAS.EXE - Trojan.Agent/Gen-Renamer | SUPERAntiSpyware

    Honestly never heard of this one, but worth a try.

    It could also be a FP, because that is the file name of SuperAntiSpyware's Alternate Start Tool
  9.    28 Jul 2017 #9
    Join Date : Jul 2015
    Posts : 870
    Windows 10 Home x64
    Thread Starter

    In the end I restored a Macrium Reflect backup copy. Now I have to investigate where and how I caught that. I have made some changes to WD to strengthen security (enabled PUA detection) and I have installed MBAE (which wasn't installed).
  10.    28 Jul 2017 #10

    Quote, originally posted by simrick:
    Maybe try SuperAntiSpyware Free?
    RUNSAS.EXE - Trojan.Agent/Gen-Renamer | SUPERAntiSpyware

    Honestly never heard of this one, but worth a try.

    It could also be a FP, because that is the file name of SuperAntiSpyware's Alternate Start Tool
    Surprised you've never heard of SAS, it's pretty well known on these forums. It's mostly used for scanning for malicious cookies, which it does very well.

 