Windows 10: WD says I have a trojan at every boot

Hello.

Windows Defender says I have a trojan on every boot buy when I check WD Security Center there is nothing there.

I haven't noticed anything weird but the message is getting on my nerves.

Ran AdwCleaner and it came up clean.

This is the report and suspected file via Powershell:

CategoryID : 8
DidThreatExecute : False
IsActive : False
Resources : {file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\CRDA093Q\deploy[1].xml,
file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\R5XBHIFN\deploy[1].xml,
file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\XYO5Y5ZK\deploy[1].xml}
RollupStatus : 33
SchemaVersion : 1.0.0.0
SeverityID : 5
ThreatID : 2147722737
ThreatName : Trojan:JS/Runsas
TypeID : 0
PSComputerName :


ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.11.15063.447
CleaningActionID : 2
CurrentThreatExecutionStatusID : 1
DetectionID : {296FDAD3-8D05-4216-BD74-D3E87F3DB9C5}
DetectionSourceTypeID : 3
DomainUser : LABUSQUEDA\LaBusqueda
InitialDetectionTime : 26/07/2017 9:34:25
LastThreatStatusChangeTime : 26/07/2017 9:34:58
ProcessName : C:\Windows\System32\regsvr32.exe
RemediationTime : 26/07/2017 9:34:58
Resources : {file:_C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache\IE\R5XBHIFN\deploy[1].xml}
ThreatID : 2147722737
ThreatStatusErrorCode : 0
ThreatStatusID : 3
PSComputerName :

That file isn't present because I emptied all my browsers caches.

Any ideas on how to proceed?

TIA

:)

 

I have been infected with Trojan: JS/BlacoleRef.CC

I got a message from Windows Defender (WD) about been infected by this trojan, JS/BlacoleRef.CC, and I said yes to its deletion asking. Afterwards, as recommended, I ran a full scan of WD and it did not appear back but now all options in WD settings
are not accessible. I was trying to see excluded files. What to do?

[Original Title: Trojan: JS/BlacoleRef.CC]

 

Windows Defender cannot remove Trojan:BAT/Poweliks.A

Hello,

If I only have one dllhost running does that mean I don't have the Poweliks Trojan? even though windows defender on occasion, especially while booting up says I have a Trojan threat?

thanks, Barbb

 

Can you try running the Eset Online Scanner.

 

Yes. I have already thought about running an AV program offline but I cannot right now. It's a work PC.

I will check it later. I may run WD offline too to have a second opinion.

Thank you very much.

 

This is the opposite, its their online scanner, you don't have to install the full program, just enough to get a scan going.

An offline scan wouldn't hurt either *Biggrin

 

Sign onto another account and delete the C:\Users\LaBusqueda\AppData\Local\Microsoft\Windows\INetCache folder.

It will be regenerated next time you log on.

 

It might be a fileless malware. Check startup entries, particularly scheduled tasks.

Autoruns for Windows - Windows Sysinternals | Microsoft Docs

 

Try an offline scan, open WD security center, click advanced on the scan section, select offline scan and click scan then click scan and follow the on-screen instructions

 

Maybe try SuperAntiSpyware Free?
RUNSAS.EXE - Trojan.Agent/Gen-Renamer | SUPERAntiSpyware

Honestly never heard of this one, but worth a try.

It could also be a FP, because that is the file name of SuperAntiSpyware's Alternate Start Tool

 

In the end I restored a Macrium Reflect backup copy. Now I have to investigate where and how I caught that. I have made some changes to WD to strengthen security (enable pua dectection) and I have installed MBAE (which wasn't installed).

 

Surprised you've never heard of SAS, its pretty well known on these forums. Its mostly used for scanning for malicious cookies which it does very well.

 

Oh no - I meant I'd never heard of the infection; SAS I've used for years. *Wink

 

If you ever figure it out, would be interesting to know!

 

As far as I know, it was some virus from the Gamarue family or such. I plug in a lot of infected usb sticks, it could have come from there (not very probably) or something we clicked while browsing the web. It's hard to know.