Continuous popup Win32/TrojanDownloader.Waucho detects

  • ESET Insiders

Dear Team,

There is a continuous popup: Win32/TrojanDownloader.Waucho detected in memory, even after scanning with the online scanner in safe mode and also with ESET SysRescue Live. The problem is the same. A screenshot is attached.

How do we clean this infection?

Kindly help us.

Thanks and regards,

Harshad Mistry

  • ESET Staff

Hi @amityservice,

In this case you should contact Support in your country.

If your installed ESET can't find that malware, then it is possible ESET was damaged and can't "see" properly.

Create an ESET SysInspector report and send it to Support; they will find a way to help you.

Sorry, I'm not in a mood to play technical support today.

Also, you might want to be careful and not use your PC till this is resolved. There is a strong possibility this is ransomware connected. See this posting: hxxp://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-10 . You might want to check if your files have already been encrypted.

-EDIT- Also, it appears to me that there is a strong possibility the malware has installed a backdoor or rootkit on your PC. As such, it will keep downloading the Trojan after ESET removes it. So you need some professional malware assistance on this one.

Also see this posting: https://forum.eset.com/topic/9323-poweeshell-as-virus-after-update/

 

As an interim solution, you might want to create a HIPS "ask" rule to monitor the startup of powershell.exe in both the C:\Windows\System32\WindowsPowershell and C:\Windows\SysWOW64\WindowsPowershell folders. Make sure you enable "log the event" and that you select deny when the alert appears. This should point you to the malware process most likely running a powershell script.


  • Administrators

I reckon this is a fileless infection and the entire malicious code is located in the registry. Generate a SysInspector log and check the Run keys for suspicious values containing probably an encrypted script and remove it.

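A defender's check for what the post above describes, added here as an example that is not from the thread or from ESET: it enumerates the Run/RunOnce keys and flags values that look like an encoded or embedded script rather than a plain program path. The regex patterns and the 500-character length threshold are assumptions chosen for illustration; compare any hit against the SysInspector log before removing it.

```powershell
# Added example (not from the thread): list Run/RunOnce autorun values and
# flag the ones that look like an interpreter launch or an encoded script.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristics (assumed for this example): the thread points at powershell.exe
# running a script kept in the registry, so look for script hosts, encoded
# command switches, hidden-window flags and long base64-looking blobs.
$suspicious = @(
    '\bpowershell(\.exe)?\b',
    '\b(wscript|cscript|mshta|rundll32|regsvr32)\b',
    '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}',
    '-(w|win|windowstyle)\s+hidden',
    '-(nop|noprofile)\b',
    '\b(iex|invoke-expression|frombase64string|downloadstring)\b',
    '[A-Za-z0-9+/=]{200,}'
)

# Provider metadata that Get-ItemProperty adds; these are not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $metaProps) { continue }
        $value = [string]$prop.Value
        # -match is case-insensitive by default in PowerShell.
        $hits = @($suspicious | Where-Object { $value -match $_ })
        if ($hits.Count -gt 0 -or $value.Length -gt 500) {
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Length     = $value.Length
                Indicators = ($hits -join ' | ')
                Preview    = $value.Substring(0, [Math]::Min(120, $value.Length))
            }
        }
    }
}
```

Pipe the output to `Format-List` to read long values in full; a value that is only a path to an existing, signed executable will not be listed.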

  • ESET Staff

Hi @amityservice,

This is what I found/see...

  • HIPS and anti-stealth are OK,
  • version 9.0.397.1 > upgrade available 9.0.402.x
  • Windows is not updated > install all security updates
    (if you are worried about the legal thing, use manual selection). You need to do it!

This error shows up a lot, take a look:
"Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. This is often caused by incorrect security settings in either the writer or requestor process."

Just in case that is a terminal in a medical facility, my suggestion is that your company (or whatever) migrate to ESET Endpoint Security and use ESET Remote Administrator 6.4x.

You have a lot of shared resources; if a ransomware hits you, that will not be good at all.

After checking what I know and digging into the log, I can't find anything suspicious.
As for the screenshot you sent, it is Nero. If you don't want it, remove it.

ESET Staff should tell you better than me if it is something.

Please take care and do the upgrades (both) that I mentioned, and furthermore make some network scan with a fully upgraded/updated ESET. I remember some infections from the past where the origin was a network terminal far away and it popped up in another one.

Hope others can bring more light on your problem. :)

"Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. This is often caused by incorrect security settings in either the writer or requestor process."

This is why I suspect this incident is ransomware related. The malware will disable this service so it can delete the shadow volume copies that could be used to possibly restore the encrypted files from.

If I were the OP, I would be copying all my personal files to off-line storage and keep that storage device disconnected from the infected PC/network until this matter is resolved.
