WD says I have a trojan at every boot

Page 1 of 2 12 LastLast

  1. Posts : 2,935
    Windows 10 Home x64
       #1

    WD says I have a trojan at every boot


    Hello.

    Windows Defender says I have a trojan on every boot buy when I check WD Security Center there is nothing there.

    I haven't noticed anything weird but the message is getting on my nerves.

    Ran AdwCleaner and it came up clean.

    This is the report and suspected file via Powershell:

    CategoryID : 8
    DidThreatExecute : False
    IsActive : False
    Resources : {file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\CRDA093Q\deploy[1].xml,
    file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\R5XBHIFN\deploy[1].xml,
    file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\XYO5Y5ZK\deploy[1].xml}
    RollupStatus : 33
    SchemaVersion : 1.0.0.0
    SeverityID : 5
    ThreatID : 2147722737
    ThreatName : Trojan:JS/Runsas
    TypeID : 0
    PSComputerName :


    ActionSuccess : True
    AdditionalActionsBitMask : 0
    AMProductVersion : 4.11.15063.447
    CleaningActionID : 2
    CurrentThreatExecutionStatusID : 1
    DetectionID : {296FDAD3-8D05-4216-BD74-D3E87F3DB9C5}
    DetectionSourceTypeID : 3
    DomainUser : LABUSQUEDA\LaBusqueda
    InitialDetectionTime : 26/07/2017 9:34:25
    LastThreatStatusChangeTime : 26/07/2017 9:34:58
    ProcessName : C:\Windows\System32\regsvr32.exe
    RemediationTime : 26/07/2017 9:34:58
    Resources : {file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\R5XBHIFN\deploy[1].xml}
    ThreatID : 2147722737
    ThreatStatusErrorCode : 0
    ThreatStatusID : 3
    PSComputerName :

    That file isn't present because I emptied all my browsers caches.

    Any ideas on how to proceed?

    TIA
      My Computer


  2. Posts : 7,254
    Windows 10 Pro 64-bit
       #2

    Can you try running the Eset Online Scanner.
      My Computers


  3. Posts : 2,935
    Windows 10 Home x64
    Thread Starter
       #3

    Yes. I have already thought about running an AV program offline but I cannot right now. It's a work PC.

    I will check it later. I may run WD offline too to have a second opinion.

    Thank you very much.
      My Computer


  4. Posts : 7,254
    Windows 10 Pro 64-bit
       #4

    This is the opposite, its their online scanner, you don't have to install the full program, just enough to get a scan going.

    An offline scan wouldn't hurt either
      My Computers


  5. Posts : 5,478
    2004
       #5

    Sign onto another account and delete the C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache folder.

    It will be regenerated next time you log on.
      My Computer


  6. Posts : 5,492
    Windows 11 Home
       #6

    It might be a fileless malware. Check startup entries, particularly scheduled tasks.

    Autoruns for Windows - Windows Sysinternals | Microsoft Docs
      My Computer


  7. Posts : 5
    Windows 10 creator edition
       #7

    Try an offline scan, open WD security center, click advanced on the scan section, select offline scan and click scan then click scan and follow the on-screen instructions
      My Computer


  8. Posts : 16,325
    W10Prox64
       #8

    Maybe try SuperAntiSpyware Free?
    RUNSAS.EXE - Trojan.Agent/Gen-Renamer | SUPERAntiSpyware

    Honestly never heard of this one, but worth a try.

    It could also be a FP, because that is the file name of SuperAntiSpyware's Alternate Start Tool
      My Computer


  9. Posts : 2,935
    Windows 10 Home x64
    Thread Starter
       #9

    In the end I restored a Macrium Reflect backup copy. Now I have to investigate where and how I caught that. I have made some changes to WD to strengthen security (enable pua dectection) and I have installed MBAE (which wasn't installed).
      My Computer


  10. Posts : 7,254
    Windows 10 Pro 64-bit
       #10

    simrick said:
    Maybe try SuperAntiSpyware Free?
    RUNSAS.EXE - Trojan.Agent/Gen-Renamer | SUPERAntiSpyware

    Honestly never heard of this one, but worth a try.

    It could also be a FP, because that is the file name of SuperAntiSpyware's Alternate Start Tool
    Surprised you've never heard of SAS, its pretty well known on these forums. Its mostly used for scanning for malicious cookies which it does very well.
      My Computers


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 15:09.
Find Us




Windows 10 Forums