Emsisoft Emergency Kit's temp files detected as Trojan:Script/Wacatac.B!ml by Windows Security

Status
Not open for further replies.

Can't Decide

Level 1
Thread author
Dec 15, 2023
28
On 09 Dec last week, when using EEK to run a full scan, while it was scanning the D drive, Windows Security suddenly blocked some files inside the EEK temp folder. The 2 files were detected, blocked and removed as Trojan:Script/Wacatac.B!ml & Trojan:Win32/Wacatac.B!ml, and I let EEK finish its scan; it came out with nothing. I tried a full scan again a few more times; it only detected 1 file, which was removed as Trojan:Win32/Wacatac.B!ml. Since this never happened before, I ran a full scan with Malwarebytes Free, AdwCleaner, ESET Online Scanner and Windows Defender; all came out with nothing. I also confirmed it's created inside the EEK temp folder while it is scanning, since I monitored it, but every time it has a different name.

Before I asked Emsisoft support for help, I tried searching about it and got 1 result from the Emsisoft forum, but the Emsisoft forum was gone, so I couldn't read it. Thus, I asked Emsisoft support for help; they said I might be using an old version of EEK and to try installing the new version of EEK, so I did, and the detection is gone. But I don't have the file to send them to check whether it's a false positive or not; thus, I don't know whether I'm infected or not.

Maybe I'm being paranoid, but I want to be sure I'm not infected.
Do I need to submit to Microsoft to check whether it is a false positive or not? How can I analyze/check whether I am infected or not?

Sorry admin, could you please delete my post from Need Advice - EEK Files Detected as Malware by Microsoft Defender, because I shouldn't have posted in an old thread for advice. Thank you.
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,431
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Comment: Delete quarantined files.

How to: Delete/Restore quarantined files.

Follow the directives on the page to delete all the files in the quarantine folder.

Restart the computer when done.
<<<>>>

If additional help is needed run this Scan and post the FRST.TXT and Addition.txt logs.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account.
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:
L7kNU5y.jpg

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Please attach the logs for my review.
How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "more reply Options" button.
http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png

Let me know what problems persist.

Wait for further instructions.

p.s.
This program is updated often.
If it's identified as suspicious by your Anti-Virus program, trust it if downloaded from the link I provided.
Or, you should restore the program from the Quarantine folder.
====
 

Can't Decide

Level 1
Thread author
Dec 15, 2023
28
For the Delete quarantined files step, Microsoft Defender straight away removed it once it got detected and blocked. It only gives an option to allow it, but the files were removed; thus, I don't think it will have any effect. Furthermore, I also checked the temp folder (Path: file: C:\Users\_____\AppData\Local\Temp\tmp0000021d\tmp0019f7de), and its files also automatically delete themselves once the Emsisoft Emergency Kit scan is finished.

The folder (temp0000021d) is created when opening Emsisoft Emergency Kit; every time it will have a different name, and the same goes for the files (tmp0019f7de).
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,431
Hi,
The 0xC000021A error can occur if Winlogon.exe or Csrss.exe stops working. This happens if there were corrupt system files in the computer.

Run the Farbar scan suggested above and post the logs for my review.
 

Can't Decide

Level 1
Thread author
Dec 15, 2023
28
Hi,

I did not get a 0xC000021A error, nor did I mention anything about a 0xC000021A error.
I just stated how the temp folders were created, that's all, and how they removed/deleted themselves once the EEK scan is finished. Thus, I cannot follow your first step of instruction.
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,431
Hi,

Please run the Farbar program and save the logs.

You can send me these logs via a personal message; I will take it from there.
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,431
Hi,

Something went wrong.
Please send me the file at h e n r i 49 * c o l b a t.net


Remove the spaces.
 

Can't Decide

Level 1
Thread author
Dec 15, 2023
28
Currently no need, as I'm not really comfortable sharing FRST logs.

Thank you for taking your time helping me.
 