# Closed Windows 10 Home infected with Gen:Variant.Razy.88068, Trojan:Patched.Shopperz.1


This Windows 10 Home PC was brought to me because of popup ads.

Prior to being directed to the forum, I ran MBAM and quarantined about 1,100 objects, and ran EEK and quarantined 56 objects. These runs were in Safe Mode because the PC would not install software when booted normally.

EEK reported "The following objects were not removed for your own safety:

C:\WINDOWS\SYSTEM32\DNSAPI.dll

C:\WINDOWS\SysWOW64\dnsapi.dll"

At this point I stopped, found the forum, and followed the directions in START HERE.

1. Booted in Normal mode.

2. Ran EEK from C:\EEK, Update, Malware Scan, scan only.

3. Ran FRST64 from flash drive.

After clicking Yes on the disclaimer, FRST64 posted a window reading "Application Error

Exception EAccessViolation in module ERUNT.exe at 00003A62."

Clicked OK.

FRST64 posted a window reading "Farbar Recovery Scan Tool (x64) Version: 11-08-2016 01

Failed to update (4)"

Clicked OK.

Clicked Scan. Scan completed.

Logs for these runs enclosed. Let me know if you want the logs from the runs that took place before I came to the forum.

Cheers!

Edward

FRST.txt

scan_160811-110353.txt

---

Hello, and welcome to Emsisoft's support forum!

There is quite some malware that needs to be removed, but before taking care of that, let's locate a copy to replace the patched dnsapi.dll file with.

---

Thank you for your kind welcome.

Same as before, FRST posted errors and failed to update. Then it allowed me to perform the search you requested.

Search.txt is enclosed.

---

That is not a problem, there is so much malware on the computer that I'm not surprised things aren't quite running as they should.

I have created a script that should take care of most malware, please download and save the following fixlist.txt in the same location as FRST: fixlist.txt

Next, rerun FRST and click the Fix button. Please wait for the fix to run and reboot your computer afterwards. Post me the resulting fixlog.txt and let me know how everything is running.

Please also rerun an FRST scan (make sure that addition.txt is checked!) and post me addition.txt and frst.txt so I can see what is still left over or what still needs taking care of.

---

Getting a message from this website "You do not have permission to view this attachment" when I try to download and save fixlist.txt. How do I recover?

---

Can you try to right-click the link and select "save as"? If that doesn't work, try to download it on a clean computer and transfer it using a USB drive.

---

The problem is occurring on a clean computer.

Right-click and "save as" offers to save the file index.php. The browser reports "Failed - Forbidden".

---

Apparently the attachment is private, because I cannot click to download, nor can I right-click and "save as" to download. Both give me a message that I am not permitted to access the attachment.

Here are screenshots showing the link I am using, the left-click results, and the right-click results.

---

In that case, please copy/paste the text below into Notepad and save it as fixlist.txt (be careful to copy all text, there's quite a bit of it).

```text
CreateRestorePoint:
CloseProcesses:

HKLM\...\Run: [WINCOM8N5] => "C:\Program Files (x86)\mpck\wincom_8N5.exe"
HKLM\...\Run: [gplyra] => C:\Users\SHELLY\AppData\Roaming\gplyra\gplyra.exe
HKLM\...\Run: [applica] => "C:\Program Files (x86)\applica\applica.exe"
HKU\S-1-5-21-1146636213-1722979720-3099339973-1001\...\Run: [bleed] => "C:\Program Files (x86)\fins\workday.exe"
ShortcutTarget: allergan.lnk -> C:\Program Files (x86)\byline\peeve.exe (windows)
ShortcutTarget: ok47649274.lnk -> C:\Program Files (x86)\byline\peeve.exe (windows)
ShortcutTarget: ok47649274allergan.lnk -> C:\Program Files (x86)\trade\mabel.exe (No File)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyEnable: [S-1-5-21-1146636213-1722979720-3099339973-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-1146636213-1722979720-3099339973-1001] => http=127.0.0.1:8877;https=127.0.0.1:8877
ManualProxies: 1http=127.0.0.1:8877;https=127.0.0.1:8877

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1146636213-1722979720-3099339973-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR DefaultSearchURL: Default -> hxxp://feed.wizesearch.com/?fext=true&publisherid=51554&publisher=defaultwize&st=ed&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Wize
CHR Extension: (Wize) - C:\Users\SHELLY\AppData\Local\Google\Chrome\User Data\Default\Extensions\feeilhmlfcpfchpbgoknoeefdkbgionj [2016-08-05]

R2 bc766d77c6b9a0ff2ed67fc2ab47f346; C:\Program Files\bc766d77c6b9a0ff2ed67fc2ab47f346\f38086d319c4b984ba1694864a94e890.exe [4836864 2016-08-03] () [File not signed]
U2 voodoo; C:\WINDOWS\lovebird.exe [7680 2016-08-05] (hankie) [File not signed]
S4 Mobkob; "C:\Users\SHELLY\AppData\Roaming\Lirighk\Lirighk.exe" -cms [X]
S2 Pozlurgh; "C:\Users\SHELLY\AppData\Roaming\GogpuQip\Dogmukqe.exe" -cms [X]
R1 680933b5d11dac8cd53ac0294b9d7133; C:\WINDOWS\system32\drivers\680933b5d11dac8cd53ac0294b9d7133.sys [85088 2016-08-03] (GHSFGW)

2016-08-05 18:30 - 2016-08-05 18:30 - 00000000 ____D C:\WINDOWS\system32\yuu
2016-08-05 18:28 - 2016-08-05 18:28 - 00003452 _____ C:\WINDOWS\System32\Tasks\noob
2016-08-05 11:31 - 2016-08-05 11:31 - 00000000 ____D C:\Users\quint\AppData\Local\tuto_monetize_120160805
2016-08-05 10:50 - 2016-08-11 10:18 - 00031475 _____ C:\WINDOWS\ee34031ade41de58c00df7a9b8a35e5b.ps1
2016-08-05 10:05 - 2016-08-05 18:20 - 00000000 ____D C:\Program Files (x86)\applica
2016-08-05 09:42 - 2016-08-05 09:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Se Browser Enhancer
2016-08-05 09:41 - 2016-08-05 09:42 - 00000000 ____D C:\Program Files\bc766d77c6b9a0ff2ed67fc2ab47f346
2016-08-05 09:41 - 2016-08-05 09:41 - 00000000 ____D C:\Users\quint\AppData\LocalLow012CF610
2016-08-05 09:41 - 2016-08-05 09:41 - 00000000 ____D C:\Users\quint\AppData\LocalLow0000016C9F5F5DC8
2016-08-05 09:40 - 2016-08-10 17:18 - 00000000 ____D C:\Users\SHELLY\AppData\Roaming\Lirighk
2016-08-05 09:40 - 2016-08-10 12:41 - 00000000 ____D C:\Users\SHELLY\AppData\LocalLow\Company
2016-08-05 09:40 - 2016-08-05 09:40 - 00000000 ____D C:\Users\SHELLY\AppData\Local\tuto_monetize_120160805
2016-08-05 09:40 - 2016-08-05 09:40 - 00000000 ____D C:\Users\SHELLY\AppData\Local\Tempfolder
2016-08-05 09:40 - 2016-08-05 09:40 - 00000000 ____D C:\uninst
2016-08-05 09:39 - 2016-08-10 17:18 - 00000000 ____D C:\Users\SHELLY\AppData\Roaming\gplyra
2016-08-05 09:39 - 2016-08-10 17:18 - 00000000 ____D C:\Program Files (x86)\mpck
2016-08-05 09:39 - 2016-08-10 17:18 - 00000000 ____D C:\Program Files (x86)\DPower
2016-08-05 09:13 - 2016-08-05 18:26 - 00000000 ____D C:\WINDOWS\System32\Tasks\PC360
2016-08-05 09:12 - 2016-08-05 18:26 - 00000000 ____D C:\Program Files (x86)\PCBackup360
2016-08-05 09:11 - 2016-08-05 09:12 - 00000000 ____D C:\Program Files (x86)\PC_Support
2016-08-05 09:11 - 2016-08-05 09:11 - 00000000 ____D C:\Users\quint\AppData\Local\CEF
2016-08-05 09:10 - 2016-08-11 11:23 - 00004396 _____ C:\WINDOWS\System32\Tasks\b57070307
2016-08-05 09:10 - 2016-08-11 11:23 - 00004396 _____ C:\WINDOWS\System32\Tasks\a57070307
2016-08-05 09:09 - 2016-08-10 12:41 - 00000000 ____D C:\Program Files (x86)\S5
2016-08-05 09:09 - 2016-08-05 09:09 - 00000000 ____D C:\Users\SHELLY\AppData\Roaming\c
2016-08-05 09:09 - 2016-08-05 09:09 - 00000000 ____D C:\ProgramData\1470406175
2016-08-05 09:03 - 2016-08-10 17:18 - 00000000 ____D C:\Program Files (x86)\touchingly
2016-08-05 09:03 - 2016-08-10 17:18 - 00000000 ____D C:\Program Files (x86)\fins
2016-08-05 09:03 - 2016-08-10 12:41 - 00000000 ____D C:\Program Files (x86)\trade
2016-08-05 09:03 - 2016-08-05 09:03 - 00000000 ____D C:\Users\quint\AppData\Roaming\Itibiti
2016-08-05 09:03 - 2016-08-05 09:03 - 00000000 ____D C:\Program Files (x86)\MyInternet
2016-08-05 09:02 - 2016-08-10 14:10 - 00000000 ____D C:\Program Files (x86)\byline
2016-08-05 09:02 - 2016-08-05 10:05 - 00061844 _____ C:\Users\SHELLY\AppData\Local\setupone.exe
2016-08-05 09:02 - 2016-08-05 09:09 - 00000003 _____ C:\Users\SHELLY\AppData\Local\aatxtname.txt
2016-08-05 09:02 - 2016-08-05 09:05 - 00000000 _____ C:\Users\SHELLY\AppData\Local\stxtname.txt
2016-08-05 09:02 - 2016-08-05 09:04 - 00000000 ____D C:\a
2016-08-05 05:52 - 2016-08-05 05:52 - 00007680 _____ (within) C:\WINDOWS\pacman.exe
2016-08-05 05:51 - 2016-08-05 05:51 - 00041203 _____ C:\WINDOWS\whiteman.exe
2016-08-05 05:51 - 2016-08-05 05:51 - 00020992 _____ (windows) C:\WINDOWS\portions.exe
2016-08-05 05:51 - 2016-08-05 05:51 - 00007680 _____ (hankie) C:\WINDOWS\lovebird.exe
2016-08-05 09:46 - 2016-08-05 09:46 - 7129600 _____ () C:\Users\SHELLY\AppData\Roaming\agent.dat
2016-08-05 09:46 - 2016-08-05 09:46 - 0070896 _____ () C:\Users\SHELLY\AppData\Roaming\Config.xml
2016-08-05 09:47 - 2016-08-05 09:47 - 2279413 _____ () C:\Users\SHELLY\AppData\Roaming\Danex.bin
2016-08-05 09:46 - 2016-08-05 09:46 - 1906624 _____ () C:\Users\SHELLY\AppData\Roaming\Ecoron.tst
2016-08-05 09:39 - 2016-08-05 09:41 - 0018336 _____ () C:\Users\SHELLY\AppData\Roaming\InstallationConfiguration.xml
2016-08-05 09:39 - 2016-08-05 09:39 - 0138240 _____ () C:\Users\SHELLY\AppData\Roaming\Installer.dat
2016-08-05 09:46 - 2016-08-05 09:46 - 0018432 _____ () C:\Users\SHELLY\AppData\Roaming\Main.dat
2016-08-05 09:46 - 2016-08-05 09:46 - 0005568 _____ () C:\Users\SHELLY\AppData\Roaming\md.xml
2016-08-05 09:46 - 2016-08-05 09:46 - 0126464 _____ () C:\Users\SHELLY\AppData\Roaming\noah.dat
2016-08-05 09:02 - 2016-08-05 09:09 - 0000003 _____ () C:\Users\SHELLY\AppData\Local\aatxtname.txt
2016-08-02 07:52 - 2016-08-02 07:52 - 0007168 _____ () C:\Users\SHELLY\AppData\Local\cap4.exe
2016-08-05 10:44 - 2016-08-05 10:45 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\icka34931428.txt
2016-03-18 00:00 - 2016-03-18 00:00 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\ok223.txt
2016-08-05 09:02 - 2016-08-05 09:02 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\run.txt
2016-08-05 09:02 - 2016-08-05 10:05 - 0061844 _____ () C:\Users\SHELLY\AppData\Local\setupone.exe
2016-08-05 09:05 - 2016-08-05 09:05 - 0000001 _____ () C:\Users\SHELLY\AppData\Local\setupsuccessful.txt
2016-08-05 09:02 - 2016-08-05 09:05 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\stxtname.txt
2016-08-05 09:02 - 2016-08-05 09:02 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\tr5b.txt
2016-08-05 09:03 - 2016-08-05 09:03 - 0002560 _____ () C:\Users\SHELLY\AppData\Local\uninstallssl.exe

ShortcutWithArgument: C:\Users\SHELLY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Istation.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe () ->  --profile-directory=Default --app-id=kglanclfgliekimcflbfmcjohpikhchb
ShortcutWithArgument: C:\Users\SHELLY\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe () -> %SNP% --disable-quic
ShortcutWithArgument: C:\Users\SHELLY\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%

Hosts:
EmptyTemp:
```


---

I created fixlist.txt, ran a Fix on the infected PC, and rebooted.

Fixlog.txt

(Just FYI, the reboot triggered Windows Update, because the messages "Getting Windows ready" and "Working on updates" came up and the system rebooted twice. So there have been some Windows fixes just installed.)

After the update I re-ran FRST64 with the "addition.txt" option checked.

FRST.txt

---

Okay, that is looking a lot better, can you tell me how the machine is behaving now?

I see I forgot the replacement for the 32 bit copy of the dnsapi.dll file, so let's do that with the following script (run it the same way as last time):

```text
replace: C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_0d0987cfb6756063\dnsapi.dll C:\Windows\SysWOW64\dnsapi.dll
```

---

Results:

Fixlog.txt

FRST.txt

As for how it is working:

The popups are gone.

I have done some simple things, such as open a browser.

If you feel the PC is ready, I will return it to the user and wait to see if she finds anything unusual.

I have some final steps to take, bearing in mind the PC was infected by a child who learned his mother's password:

- check virus protection, firewall, and automatic update settings

- put new strong passwords on all user profiles

---

Can you please rerun EEK, update it and click the Scan tab. Do another malware scan and post me the results.

From what I can see the infection resulted from a PUP installer that brought along quite some friends. The countermeasures you put into place should indeed reduce the risks of that happening again, although I strongly suggest also explaining to the computer user(s) the dangers of just clicking "next" when running installers without checking what will be installed.

---

Results:

Scan_160811-165749.txt

I am seeing one issue possibly related to the infection. According to the Security and Maintenance control panel, Windows Defender is configured as real-time virus protection and is turned off. I cannot turn it on, and cannot run Windows Defender: "This app is turned off by group policy."

From my reading, I can turn it on at registry key "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" by deleting the value named "DisableAntiSpyware". Do you agree this is the correct action to take?

---

This is not the correct scan log. Please open EEK, click the Log tab and then on Scan. Now double click the first entry in the list and copy/paste the contents of that text file in your next reply.

As for Windows Defender, yes you can try that. If it doesn't work, please let me know.

---
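Added post-cleanup audit (editor's example, not part of the thread and not Emsisoft or FRST code): it re-checks the three things this thread had to undo by hand, the patched dnsapi.dll copies, the loopback proxy at 127.0.0.1:8877 from the fixlist (HKLM 32-bit view, user hive and the ProxySettingsPerUser policy), and the DisableAntiSpyware policy value that kept Windows Defender off. It assumes an elevated PowerShell prompt on Windows 10; the registry value names are the standard ones the FRST entries above refer to.

```powershell
# Editor's added audit script, not from the thread. Run elevated on the cleaned PC.
$findings = @()

# 1. Patched system DLLs: EEK refused to remove dnsapi.dll because the file was
#    patched in place. A genuine copy validates (embedded or catalog signature)
#    and is signed by Microsoft; anything else means the replace step is still due.
foreach ($dll in 'C:\Windows\System32\dnsapi.dll', 'C:\Windows\SysWOW64\dnsapi.dll') {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "Signature check failed for $dll ($($sig.Status))"
    }
}

# 2. Proxy hijack: the fixlist removed ProxyServer=127.0.0.1:8877 from the 32-bit
#    HKLM view and from the user's hive. A loopback proxy or a leftover
#    AutoConfigURL means a local interception process may still be in play.
$proxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $proxyKeys) {
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += "Loopback proxy still configured in $key : $($p.ProxyServer)"
    }
    if ($p.AutoConfigURL) {
        $findings += "AutoConfigURL set in $key : $($p.AutoConfigURL)"
    }
}
# The policy that forces machine-wide proxy settings has no business on a home PC.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($null -ne (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).ProxySettingsPerUser) {
    $findings += "ProxySettingsPerUser policy present at $policy"
}

# 3. Defender disabled by policy ("This app is turned off by group policy").
$defPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if ((Get-ItemProperty -Path $defPolicy -ErrorAction SilentlyContinue).DisableAntiSpyware -eq 1) {
    $findings += "DisableAntiSpyware=1 at $defPolicy (delete the value, then start Defender)"
}

if ($findings.Count -eq 0) { 'No leftover hijack indicators found.' } else { $findings }
```

Each finding maps back to one line of the fixlist or to the Defender question in the thread, so a clean run confirms the fix held across the Windows Update reboots Edward mentioned.

---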

Results:

scan_160811-165606.txt

Windows Defender is now running.

---

That looks pretty good. Is there any other problem remaining?

##### Share on other sites

Thank you for all your help. I am returning the PC to the user in much better condition than it was when I came to you for help.

---

You're most welcome.

As this issue appears to be resolved, I will lock this topic. If you need it reopened, please send me a Personal Message.