Continuous popup Win32/TrojanDownloader.Waucho detects

[amityservice 0]

Dear Team

 

There Is Continuous popup Win32/TrojanDownloader.Waucho detects In  memory. even after scan with online scanner in safe mood and also with ESET SysRescue Live. problem is same . screen shot attach with this.

 

how to clean this infection.

 

kindly help us.

 

Thanks and regards.

 

Harshad Mistry

[Gonzalo Alvarez 66]

Hi @amityservice,

 

In this case You should contact Support in your country.

 

If your installed ESET can't find that malware then can be possible ESET was damaged and

can "see" properly. 

Create a ESET SysInspector report and send to support, they will find a way to help you.

 

Sorry, I'm not in a mood to play technical support today.

[itman 1,659]

Also you might want to be careful and not use your PC till this is resolved. There is a strong possibility this is ransomware connected. See this posting: hxxp://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-10 . You might want to check if your files have already been encrypted.

 

-EDIT- Also it appears to me that there is a strong possibility the malware has installed a backdoor or rootkit on your PC. As such, it will keep downloading the Trojan after Eset removes it. So you need some professional malware assistance on this on. 

Edited October 10, 2016 by itman

[itman 1,659]

Also see this posting: https://forum.eset.com/topic/9323-poweeshell-as-virus-after-update/

 

As an interim solution, you might want to create a HIPS "ask" rule to monitor the startup of powershell.exe in both the C:\Windows\System32\WindowsPowershell and C:\Windows\SysWOW64\WindowsPowershell folders. Make sure you enable "log the event" and that you select deny when the alert appears. This should point you to the malware process most likely running a powershell script.

[Marcos 5,070]

I reckon this is a fileless infection and the entire malicious code is located in the registry. Generate a SysInspector log and check the Run keys for suspicious values containing probably an encrypted script and remove it.

[amityservice 0]

Here Is SysInspector log and found some reg entry with powershell in startup. (screen shot and reg entry attach with this)

Logs.rar

[Gonzalo Alvarez 66]

Hi @amityservice,

 

This is what I found/see...

• HIPS, antistealth are ok,
• version 9.0.397.1 > upgrade available 9.0.402.x
• Windows is not update > install all security updates
  (if you worry by legal thing, use manual selection) you Need to do it!

This error shows a lot, take a look.
"Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied. This is often caused by incorrect security settings in either the writer or requestor process."

 

Just in case that is a terminal on a medical facility, is my suggestion your company (or whatever)

migrate to a ESET Endpoint Security and use ESET Remote Administrator 6.4x.

You have a lot of shared resources, if a ransomware hits you, that will be not good at all.

 

After check what I know and dig into the log, can't find anything suspicious.
As screenshot you send, is Nero. if not want it, remove it.

ESET Staff should tell you better than me if is something.

 

Please take care and do the upgrades (both) that I mention, and furthermore

make some network scan with a full upgraded/updated ESET. I remember some

infections from the past where the origin was a network terminal far away and pop-up

in other.

 

Hope others can bring more light on your problem.

[itman 1,659]

"Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied. This is often caused by incorrect security settings in either the writer or requestor process."

This is why I suspect this incident is ransomware related.  The malware will disable this service so it can delete the shadow volume copies that could be used to possibly restore the encrypted files from.

 

If I were the OP, I would be copying all my personal files to off-line storage and keep that storage device disconnected from the infected PC/network until this matter is resolved.

[Gonzalo Alvarez 66]

ESET Support reply to you?

[amityservice 0]

Thanks Gonzalo Alvarez.

 

I will Do all the things you mentioned and then reply.

 

No ,Eset support dose not reply.