Solved Win32/Uwasson.A!ml

ndxc

Thread Starter
Joined
Jan 9, 2020
Messages
29
Hello!

After installing a private server from a game called Aion, I've started getting these malware alerts by Windows Defender.
I can't remove it through WinDefender, it keeps getting detected even after I click to remove it. The game is already uninstalled but malware stayed it seems.

Please help.
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,440
Fass Post Preview
Hello ndxc and welcome to TSG....

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

or,

https://downloads.malwarebytes.com/file/mb4_offline

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:

  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Export toTxt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply


  • Please use "Export to Txt" then attach the log to your reply...

Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror

  • Right-click on AdwCleaner.exe and select
    user posted image
    Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image

  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Let me see those logs in your reply...

Thank you,

Kevin....
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,440
Hello ndxc,

Thanks for those logs, do not see any obvious Malware or Infection in FRST logs...

Run FRST one more time:

Type or copy/paste the following in the edit box after "Search:".

*Aion*

Click Search Registry button and post the log (Search.txt) it makes to your reply.



Thanks

Kevin
 

ndxc

Thread Starter
Joined
Jan 9, 2020
Messages
29
Yes, I've noticed it hasn't been caught.
Let me explain you something quickly to avoid confusion while checking logs. I had Aion official server (S: drive) and Aion private server (Infinity Aion) on G: drive both installed.

Windows Defender detected a malware on the file "G:\Infinity Aion\bin64\Aion.bin". But I already removed both Aion installations from my PC. I also created a restore point prior to installing Infinity Aion (the one on G: drive that came with a malware) and did a restore then uninstalled it, in that order.

Maybe it's no longer there but somehow Windows Defender notifications bugged because of that restore point?

Because I keep getting a yellow mark on WinDefender even though my PC seems clear of it. I'll attach some screenshots.

I just noticed something odd, notice how Malwarebytes is turned on (alert1.jpg) and on Security glance window show it's everything safe but on my WinDefender icon there's still a yellow notification. But when I turned off Malwarebytes, Security glance window changes (alert2a.jpg). It points there's something wrong under App & browser control. When I click Review (alert2b.jpg), it shows there's an active detection of Uwasson on 8/4 (the day I installed Infinity Aion) but if I choose to take action and click on Remove, nothing happens and that yellow notification won't go away. So I'm not entirely sure if malware is really gone.
 

Attachments

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,440
Hiya ndxc,

There several entries for AION showing in the reg search log, there is also a reference to AION in a restore point. I can give a fix to remove the registry entries if you want. For system restore you would have to Remove all restore points and then create a new fresh restore point.
As you suspect your system is still infected run the following:


Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Select the Windows Key and R Key together, the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.



add -dontcryptsupportinfo Note the space between KVRT.exe and -dontcryptsupportinfo

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontcryptsupportinfo
should now show in the Run box.



That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20200727_103821.klr Right click direct onto that report, select > open with > Notepad. Save that file and attach to your reply.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window will open, select "More Info"



A new Window will open, select "Run anyway"



A EULA window will open, tick both confirmation boxes then select "Accept"



In the new window select "Change Parameters"



In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...



When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"



When complete, or if nothing was found select "Close"



Attach the report information as previously instructed....

Let me see those logsin your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin..
 
Last edited:

ndxc

Thread Starter
Joined
Jan 9, 2020
Messages
29
Hi Kevin, do you think it's necessary a fix for registry entries? I don't really mind, I think the PC is actually clear.

KVRT also didn't pick up anything as you can check in the log. It was probably just WinDefender notification alert that stayed bugged somehow, I just clicked on "Allow" and now it's gone.

Thank you very much for your support, sir!

P.s. One last question, how could I remove these tools from my PC properly? The only one I can see on "Add or remove programs" is Malwarebytes.
 

Attachments

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,440
There is no need to make the registry fix, they can be left alone. Continue to clean up:

Uninstall the following program (unless you want to keep it):

Malwarebytes Also delete this folder if still present C:\ProgramData\Malwarebytes

Also delete the following folders if still present:

C:\Program Data
C:\Program Files

http://www.askvg.com/how-to-complet...-in-windows-without-using-3rd-party-software/


Next,

Delete AdwCleaner.exe from the Desktop or the folder it was saved to, also delete this folder if present: C:\AdwCleaner

Next,

Delete KVRT.exe from the Desktop or the folder it was saved to, also delete this folder if present KVRT_data

Right click on FRST here: C:\Users\gbrle\Desktop\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
 
Last edited:

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,440
You`re very welcome ndxc, it was a pleasure to work with you....

Regards,

Kevin..
 

Users Who Are Viewing This Thread (Users: 0, Guests: 2)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top