
mssecsvc.exe keeps appearing


4 replies to this topic

#1 ucfpirate


  • Members
  • 3 posts

Posted 20 May 2017 - 10:43 PM

Hello,

 

I have a 2011 small business server essentials that every few hours EMSISoft keeps prompting a quarantine for c:\windows\mssecsvc.exe (Trojan.Ransom.WannaCryptor.H (B)). This server was infected with the Wanna Cry malware so I suspect this is related to that. However, I thought I removed the virus completely before I restored the server data (shared files not OS files). Is it possible this malware is still in the memory somewhere? I've followed all the removal instructions I have found online but can't seem to get rid of this thing. Thanks for your help!
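An added check (not from this thread or from Emsisoft's tooling) for the question of whether the dropper is still live: it looks for the file path named in the post, for a running process with that image name, and for any service whose binary path points at it, since a leftover service entry is the usual reason a deleted file returns. It uses Get-WmiObject so it runs on the PowerShell version shipped with SBS 2011; run it from an elevated prompt.

```powershell
# Added example, not code from the original post. Assumes the path
# C:\Windows\mssecsvc.exe quoted in the post; no service name is hard-coded,
# services are matched by the binary they launch.
$Target   = 'C:\Windows\mssecsvc.exe'
$Findings = @()

# 1. Is the file on disk? (A quarantined copy should already be gone.)
if (Test-Path -LiteralPath $Target) {
    $f = Get-Item -LiteralPath $Target
    $Findings += "File present: $($f.FullName) size=$($f.Length) modified=$($f.LastWriteTime)"
}

# 2. Is it running right now? This answers "is it still in memory".
Get-WmiObject Win32_Process -Filter "Name = 'mssecsvc.exe'" | ForEach-Object {
    $Findings += "Running process: PID $($_.ProcessId) path=$($_.ExecutablePath) cmd=$($_.CommandLine)"
}

# 3. Is there a service that will start it again on the next boot or timer?
Get-WmiObject Win32_Service | Where-Object { $_.PathName -match 'mssecsvc\.exe' } | ForEach-Object {
    $Findings += "Service: $($_.Name) state=$($_.State) start=$($_.StartMode) path=$($_.PathName)"
}

if ($Findings.Count -eq 0) {
    Write-Output 'No trace of mssecsvc.exe found as a file, process, or service.'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
    Write-Output 'A service entry listed above is what re-creates the file; remove it along with the file and process.'
}
```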




#2 buddy215


  • BC Advisor
  • 12,893 posts
  • Gender:Male
  • Location:West Tennessee

Posted 21 May 2017 - 04:26 AM

Welcome to BC...

 

How to remove the WannaCry & Wana Decryptor Ransomware

 

QUOTE: If a user is infected with the WanaCrypt0r/Wana Decryptor Ransomware then it is important that they remove it immediately. This is because even if you are not going to pay the ransom, while the ransomware is running it will continue to encrypt new files as they are created. This guide will guide victims on how they can remove the WannaCry and Wana Decryptor 2.0 infection from their computer.

This guide, though, will not allow you to decrypt your files for free. This is currently impossible. I will provide steps that you can use to possibly recover files (slim chance unfortunately) and methods you can use to protect your computer from ransomware in the future.

We will not be going into a technical analysis of WanaCrypt0r in this guide as it is designed for the user who just wants the infection removed. If you wish to read a more technical analysis of this ransomware, you can read this article instead: WannaCry / WanaCrypt0r Technical Nose Dive

If there is anything missing or something doesn't make sense, feel free to ask in the Wana Decryptor 2.0 / WannaCry Help & Support Topic.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 ucfpirate

  • Topic Starter

  • Members
  • 3 posts

Posted 23 May 2017 - 09:56 AM

I followed these instructions the first time, removed the malware/virus, and then installed all missing windows updates but somehow it came back a day or two later.  Luckily Emsisoft was blocking a reinfection. I followed the instructions again last night and removed a bunch of stuff.  I have not received anymore prompts after the second removal.  Hopefully that's it but if not I'll submit an update. Thanks for the help!



#4 buddy215


  • BC Advisor
  • 12,893 posts
  • Gender:Male
  • Location:West Tennessee

Posted 23 May 2017 - 11:27 AM

So, none of your files were encrypted by the malware? Sounds like you may have more to remove than just wannacry.

 

Suggest you clean and scan the computer using the programs below.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.



#5 ucfpirate

  • Topic Starter

  • Members
  • 3 posts

Posted 24 May 2017 - 08:35 AM

Actually a bunch of files were encrypted.  Once we noticed they started to change file extensions we shut off the computer until I knew what the fix was. After following the instructions to remove the virus the first time and install all windows updates (they stopped installing for some reason on the server and I had to find a fix for that), I noticed a couple of times a day I would get a prompt from Emsisoft saying Wanna was quarantined.  I have not had any prompts since following the instructions a second time. Malwarebytes didn't show anything. I will run the other stuff suggested to see if it finds anything else. Thanks!

