
Windows 10 Home infected with Gen:Variant.Razy.88068, Trojan:Patched.Shopperz.1



This Windows 10 Home PC was brought to me because of popup ads.

 

Prior to being directed to the forum, I ran MBAM and quarantined about 1,100 objects, and ran EEK and quarantined 56 objects. These runs were in Safe Mode because the PC would not install software when booted normally.

 

EEK reported "The following objects were not removed for your own safety:

C:\WINDOWS\SYSTEM32\DNSAPI.dll

C:\WINDOWS\SysWOW64\dnsapi.dll"

 

At this point I stopped, found the forum, and followed the directions in START HERE.

1. Booted in Normal mode.

2. Ran EEK from C:\EEK, Update, Malware Scan, scan only.

3. Ran FRST64 from flash drive.

 

After clicking Yes on disclaimer, FRST64 posted a window reading "Application Error

Exception EAccessViolation in module ERUNT.exe at 00003A62.

Access violation at address 00403A62 in module 'ERUNT.EXE'. Read of address 0069005C."

Clicked OK.

 

FRST64 posted a window reading "Farbar Recovery Scan Tool (x64) Version: 11-08-2016 01

Failed to update (4)"

Clicked OK.

 

Clicked Scan. Scan completed.

 

Logs for these runs enclosed. Let me know if you want the logs from the runs that took place before I came to the forum.

 

Cheers!

Edward

Addition.txt

FRST.txt

scan_160811-110353.txt


Hello, and welcome to Emsisoft's support forum!

 

There is quite a bit of malware that needs to be removed, but before taking care of that, let's locate a copy to replace the patched dnsapi.dll file with.

 

Please rerun FRST and type dnsapi.* in the Search box. Next click Search Files. Please post the resulting log in your next reply.


That is not a problem; there is so much malware on the computer that I'm not surprised things aren't quite running as they should. :)

 

I have created a script that should take care of most malware, please download and save the following fixlist.txt in the same location as FRST: fixlist.txt

 

Next, rerun FRST and click the Fix button. Please wait for the fix to run and reboot your computer afterwards. Post me the resulting fixlog.txt and let me know how everything is running.

 

Please also rerun an FRST scan (make sure that addition.txt is checked!) and post me addition.txt and frst.txt so I can see what is still left over or what still needs taking care of.

The link that I am trying to download from has title attribute "Download attachment" and href attribute "http://support.emsisoft.com/index.php?app=core&module=attach&section=attach&attach_id=54917".

 

Apparently the attachment is private, because I cannot click to download, nor can I right-click and "save as" to download. Both give me a message that I am not permitted to access the attachment.

 

Here are screenshots showing the link I am using, the left-click results, and the right-click results.

post-43876-0-14952200-1470945752_thumb.png

post-43876-0-90896200-1470945752_thumb.png

post-43876-0-25527800-1470945753_thumb.png


In that case, please copy/paste the text below into Notepad and save it as fixlist.txt (be careful to copy all text, there's quite a bit of it).

CreateRestorePoint:
CloseProcesses:

HKLM\...\Run: [autoauto] => notepad
HKLM\...\Run: [WINCOM8N5] => "C:\Program Files (x86)\mpck\wincom_8N5.exe"
HKLM\...\Run: [gplyra] => C:\Users\SHELLY\AppData\Roaming\gplyra\gplyra.exe
HKLM\...\Run: [applica] => "C:\Program Files (x86)\applica\applica.exe"
HKLM-x32\...\Run: [autoauto] => notepad
HKU\S-1-5-21-1146636213-1722979720-3099339973-1001\...\Run: [bleed] => "C:\Program Files (x86)\fins\workday.exe"
Startup: C:\Users\SHELLY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\allergan.lnk [2016-08-05]
ShortcutTarget: allergan.lnk -> C:\Program Files (x86)\byline\peeve.exe (windows)
Startup: C:\Users\SHELLY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok47649274.lnk [2016-08-05]
ShortcutTarget: ok47649274.lnk -> C:\Program Files (x86)\byline\peeve.exe (windows)
Startup: C:\Users\SHELLY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok47649274allergan.lnk [2016-08-05]
ShortcutTarget: ok47649274allergan.lnk -> C:\Program Files (x86)\trade\mabel.exe (No File)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyEnable: [S-1-5-21-1146636213-1722979720-3099339973-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-1146636213-1722979720-3099339973-1001] => http=127.0.0.1:8877;https=127.0.0.1:8877
ManualProxies: 1http=127.0.0.1:8877;https=127.0.0.1:8877

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1146636213-1722979720-3099339973-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR DefaultSearchURL: Default -> hxxp://feed.wizesearch.com/?fext=true&publisherid=51554&publisher=defaultwize&st=ed&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Wize
CHR Extension: (Wize) - C:\Users\SHELLY\AppData\Local\Google\Chrome\User Data\Default\Extensions\feeilhmlfcpfchpbgoknoeefdkbgionj [2016-08-05]
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe

R2 bc766d77c6b9a0ff2ed67fc2ab47f346; C:\Program Files\bc766d77c6b9a0ff2ed67fc2ab47f346\f38086d319c4b984ba1694864a94e890.exe [4836864 2016-08-03] () [File not signed]
U2 voodoo; C:\WINDOWS\lovebird.exe [7680 2016-08-05] (hankie) [File not signed]
S4 Mobkob; "C:\Users\SHELLY\AppData\Roaming\Lirighk\Lirighk.exe" -cms [X]
S2 Pozlurgh; "C:\Users\SHELLY\AppData\Roaming\GogpuQip\Dogmukqe.exe" -cms [X]
R1 680933b5d11dac8cd53ac0294b9d7133; C:\WINDOWS\system32\drivers\680933b5d11dac8cd53ac0294b9d7133.sys [85088 2016-08-03] (GHSFGW)

2016-08-05 18:30 - 2016-08-05 18:30 - 00000000 ____D C:\WINDOWS\system32\yuu
2016-08-05 18:28 - 2016-08-05 18:28 - 00003452 _____ C:\WINDOWS\System32\Tasks\noob
2016-08-05 11:31 - 2016-08-05 11:31 - 00000000 ____D C:\Users\quint\AppData\Local\tuto_monetize_120160805
2016-08-05 10:50 - 2016-08-11 10:18 - 00031475 _____ C:\WINDOWS\ee34031ade41de58c00df7a9b8a35e5b.ps1
2016-08-05 10:05 - 2016-08-05 18:20 - 00000000 ____D C:\Program Files (x86)\applica
2016-08-05 09:42 - 2016-08-05 09:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Se Browser Enhancer
2016-08-05 09:41 - 2016-08-05 09:42 - 00000000 ____D C:\Program Files\bc766d77c6b9a0ff2ed67fc2ab47f346
2016-08-05 09:41 - 2016-08-05 09:41 - 00000000 ____D C:\Users\quint\AppData\LocalLow012CF610
2016-08-05 09:41 - 2016-08-05 09:41 - 00000000 ____D C:\Users\quint\AppData\LocalLow0000016C9F5F5DC8
2016-08-05 09:40 - 2016-08-10 17:18 - 00000000 ____D C:\Users\SHELLY\AppData\Roaming\Lirighk
2016-08-05 09:40 - 2016-08-10 12:41 - 00000000 ____D C:\Users\SHELLY\AppData\LocalLow\Company
2016-08-05 09:40 - 2016-08-05 09:40 - 00000000 ____D C:\Users\SHELLY\AppData\Local\tuto_monetize_120160805
2016-08-05 09:40 - 2016-08-05 09:40 - 00000000 ____D C:\Users\SHELLY\AppData\Local\Tempfolder
2016-08-05 09:40 - 2016-08-05 09:40 - 00000000 ____D C:\uninst
2016-08-05 09:39 - 2016-08-10 17:18 - 00000000 ____D C:\Users\SHELLY\AppData\Roaming\gplyra
2016-08-05 09:39 - 2016-08-10 17:18 - 00000000 ____D C:\Program Files (x86)\mpck
2016-08-05 09:39 - 2016-08-10 17:18 - 00000000 ____D C:\Program Files (x86)\DPower
2016-08-05 09:13 - 2016-08-05 18:26 - 00000000 ____D C:\WINDOWS\System32\Tasks\PC360
2016-08-05 09:12 - 2016-08-05 18:26 - 00000000 ____D C:\Program Files (x86)\PCBackup360
2016-08-05 09:11 - 2016-08-05 09:12 - 00000000 ____D C:\Program Files (x86)\PC_Support
2016-08-05 09:11 - 2016-08-05 09:11 - 00000000 ____D C:\Users\quint\AppData\Local\CEF
2016-08-05 09:10 - 2016-08-11 11:23 - 00004396 _____ C:\WINDOWS\System32\Tasks\b57070307
2016-08-05 09:10 - 2016-08-11 11:23 - 00004396 _____ C:\WINDOWS\System32\Tasks\a57070307
2016-08-05 09:09 - 2016-08-10 12:41 - 00000000 ____D C:\Program Files (x86)\S5
2016-08-05 09:09 - 2016-08-05 09:09 - 00000000 ____D C:\Users\SHELLY\AppData\Roaming\c
2016-08-05 09:09 - 2016-08-05 09:09 - 00000000 ____D C:\ProgramData\1470406175
2016-08-05 09:03 - 2016-08-10 17:18 - 00000000 ____D C:\Program Files (x86)\touchingly
2016-08-05 09:03 - 2016-08-10 17:18 - 00000000 ____D C:\Program Files (x86)\fins
2016-08-05 09:03 - 2016-08-10 12:41 - 00000000 ____D C:\Program Files (x86)\trade
2016-08-05 09:03 - 2016-08-05 09:03 - 00000000 ____D C:\Users\quint\AppData\Roaming\Itibiti
2016-08-05 09:03 - 2016-08-05 09:03 - 00000000 ____D C:\Program Files (x86)\MyInternet
2016-08-05 09:02 - 2016-08-10 14:10 - 00000000 ____D C:\Program Files (x86)\byline
2016-08-05 09:02 - 2016-08-05 10:05 - 00061844 _____ C:\Users\SHELLY\AppData\Local\setupone.exe
2016-08-05 09:02 - 2016-08-05 09:09 - 00000003 _____ C:\Users\SHELLY\AppData\Local\aatxtname.txt
2016-08-05 09:02 - 2016-08-05 09:05 - 00000000 _____ C:\Users\SHELLY\AppData\Local\stxtname.txt
2016-08-05 09:02 - 2016-08-05 09:04 - 00000000 ____D C:\a
2016-08-05 05:52 - 2016-08-05 05:52 - 00007680 _____ (within) C:\WINDOWS\pacman.exe
2016-08-05 05:51 - 2016-08-05 05:51 - 00041203 _____ C:\WINDOWS\whiteman.exe
2016-08-05 05:51 - 2016-08-05 05:51 - 00020992 _____ (windows) C:\WINDOWS\portions.exe
2016-08-05 05:51 - 2016-08-05 05:51 - 00007680 _____ (hankie) C:\WINDOWS\lovebird.exe
2016-08-05 09:46 - 2016-08-05 09:46 - 7129600 _____ () C:\Users\SHELLY\AppData\Roaming\agent.dat
2016-08-05 09:46 - 2016-08-05 09:46 - 0070896 _____ () C:\Users\SHELLY\AppData\Roaming\Config.xml
2016-08-05 09:47 - 2016-08-05 09:47 - 2279413 _____ () C:\Users\SHELLY\AppData\Roaming\Danex.bin
2016-08-05 09:46 - 2016-08-05 09:46 - 1906624 _____ () C:\Users\SHELLY\AppData\Roaming\Ecoron.tst
2016-08-05 09:39 - 2016-08-05 09:41 - 0018336 _____ () C:\Users\SHELLY\AppData\Roaming\InstallationConfiguration.xml
2016-08-05 09:39 - 2016-08-05 09:39 - 0138240 _____ () C:\Users\SHELLY\AppData\Roaming\Installer.dat
2016-08-05 09:46 - 2016-08-05 09:46 - 0018432 _____ () C:\Users\SHELLY\AppData\Roaming\Main.dat
2016-08-05 09:46 - 2016-08-05 09:46 - 0005568 _____ () C:\Users\SHELLY\AppData\Roaming\md.xml
2016-08-05 09:46 - 2016-08-05 09:46 - 0126464 _____ () C:\Users\SHELLY\AppData\Roaming\noah.dat
2016-08-05 09:02 - 2016-08-05 09:09 - 0000003 _____ () C:\Users\SHELLY\AppData\Local\aatxtname.txt
2016-08-02 07:52 - 2016-08-02 07:52 - 0007168 _____ () C:\Users\SHELLY\AppData\Local\cap4.exe
2016-08-05 10:44 - 2016-08-05 10:45 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\icka34931428.txt
2016-03-18 00:00 - 2016-03-18 00:00 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\ok223.txt
2016-08-05 09:02 - 2016-08-05 09:02 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\run.txt
2016-08-05 09:02 - 2016-08-05 10:05 - 0061844 _____ () C:\Users\SHELLY\AppData\Local\setupone.exe
2016-08-05 09:05 - 2016-08-05 09:05 - 0000001 _____ () C:\Users\SHELLY\AppData\Local\setupsuccessful.txt
2016-08-05 09:02 - 2016-08-05 09:05 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\stxtname.txt
2016-08-05 09:02 - 2016-08-05 09:02 - 0000000 _____ () C:\Users\SHELLY\AppData\Local\tr5b.txt
2016-08-05 09:03 - 2016-08-05 09:03 - 0002560 _____ () C:\Users\SHELLY\AppData\Local\uninstallssl.exe

Task: {1F86E041-D276-4C44-96B0-C2A32B49D57E} - System32\Tasks\ab06AvVzR86j0hlOY3bLxN-ni-2016-08-05-ni-16145-ni-1 => C:\Program Files (x86)\byline\peeve.exe [2016-08-05] (windows)
Task: {6BAC13E5-0734-482B-82D1-DED1DEE82043} - System32\Tasks\176749614 => C:\Program Files (x86)\fins\workday.exe <==== ATTENTION
Task: {76E2EA71-7777-4165-8094-F9FB961C57EA} - System32\Tasks\b57070307 => C:\Program Files (x86)\fins\workday.exe
Task: {8883841D-DEF5-4FA1-ADBD-7E2B932380B8} - System32\Tasks\ee34031ade41de58c00df7a9b8a35e5b => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File C:\WINDOWS\ee34031ade41de58c00df7a9b8a35e5b.ps1 <==== ATTENTION
Task: {8DA6339C-B437-4BAB-B3F7-02102FF53D41} - System32\Tasks\a57070307 => C:\Program Files (x86)\byline\peeve.exe [2016-08-05] (windows)
Task: {98309A30-0E7C-4A9A-8711-6D5B8FB02074} - System32\Tasks\276749614 => C:\Program Files (x86)\fins\workday.exe <==== ATTENTION
Task: {C35AD0EE-7A2B-4137-BF26-6B86F3E2C7AC} - System32\Tasks\noob => C:\ProgramData\Lamzap\Lamzap.exe <==== ATTENTION
Task: {CE7C480E-E23D-4BE4-B3D8-D007387A6978} - System32\Tasks\PC360\PC360Runner\PC360_11006 => C:\Program Files (x86)\PCBackup360\PC360\pc360_osquuqligbbksazf.exe [2016-08-05] ()
Task: {E2F50D8C-3884-41F3-9F6A-E7700548469D} - System32\Tasks\dc06AvVzR86j0hlOY3bLxN-ni-2016-08-05-ni-16145-ni-1 => C:\Program Files (x86)\byline\peeve.exe [2016-08-05] (windows)

ShortcutWithArgument: C:\Users\SHELLY\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe () -> %SNP% --disable-quic
ShortcutWithArgument: C:\Users\SHELLY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Istation.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe () ->  --profile-directory=Default --app-id=kglanclfgliekimcflbfmcjohpikhchb
ShortcutWithArgument: C:\Users\SHELLY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Videostream for Google Chromecast™.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe () ->  --profile-directory=Default --app-id=cnciopoikihiagdjbjpnocolokfelagl
ShortcutWithArgument: C:\Users\SHELLY\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe () -> %SNP% --disable-quic
ShortcutWithArgument: C:\Users\SHELLY\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe () -> %SNP% --disable-quic
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe () -> %SNP% --disable-quic

replace: C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_02b4dd7d82149e68\dnsapi.dll C:\Windows\System32\dnsapi.dll

Hosts:
EmptyTemp:




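A way to check the two things this fixlist targets once the fix has run, added here as an example (it is not part of the thread, and not something FRST or EEK does): it reports the Authenticode status of both dnsapi.dll copies, compares their SHA-256 hashes with every dns-client-minwin component in WinSxS (the directories named like the one in the replace: line above), lists any Internet Settings key still pointing at a loopback proxy, and shows whether anything still listens on the proxy port. It assumes Windows PowerShell 5.x on Windows 10, run from an elevated prompt; the directory names, registry paths and port 127.0.0.1:8877 are taken from the fixlist, nothing else is.

```powershell
# Added example, not part of the thread. Elevated Windows PowerShell 5.x on the cleaned PC.

# --- 1. dnsapi.dll: signature status and comparison with the component-store copies ---
$targets = @(
    @{ Live = "$env:SystemRoot\System32\dnsapi.dll"; Arch = 'amd64' },
    @{ Live = "$env:SystemRoot\SysWOW64\dnsapi.dll"; Arch = 'wow64' }
)

foreach ($t in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $t.Live
    # A clean copy is catalog-signed by Microsoft and reports 'Valid'; a patched one reports 'NotSigned'.
    '{0}: {1} {2}' -f $t.Live, $sig.Status, $sig.SignerCertificate.Subject

    $liveHash = (Get-FileHash -Path $t.Live -Algorithm SHA256).Hash
    # WinSxS keeps one directory per installed version; the fixlist's replace: line names one of them.
    # The copy currently projected into System32/SysWOW64 is a hard link, so exactly one row should match.
    Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Directory -Filter "$($t.Arch)_microsoft-windows-dns-client-minwin_*" |
        ForEach-Object {
            $store = Join-Path $_.FullName 'dnsapi.dll'
            if (Test-Path $store) {
                [pscustomobject]@{
                    Component   = $_.Name
                    FileVersion = (Get-Item $store).VersionInfo.FileVersion
                    MatchesLive = ((Get-FileHash -Path $store -Algorithm SHA256).Hash -eq $liveHash)
                }
            }
        } | Format-Table -AutoSize
}

# --- 2. Proxy settings: anything still pointing at loopback in the keys the fixlist cleared ---
$proxyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($k in $proxyKeys) {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v -and ($v.ProxyEnable -eq 1 -or $v.ProxyServer -match '127\.0\.0\.1' -or $v.AutoConfigURL)) {
        'LEFTOVER {0}: ProxyEnable={1} ProxyServer={2} AutoConfigURL={3}' -f $k, $v.ProxyEnable, $v.ProxyServer, $v.AutoConfigURL
    }
}
# The policy value FRST flagged as a restriction (the fixlist removes it):
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($pol -and $null -ne $pol.ProxySettingsPerUser) {
    "LEFTOVER policy ProxySettingsPerUser=$($pol.ProxySettingsPerUser)"
}

# --- 3. Is anything still listening on the injected proxy's port? ---
Get-NetTCPConnection -State Listen -LocalPort 8877 -ErrorAction SilentlyContinue |
    ForEach-Object {
        '{0}:{1} owned by PID {2} ({3})' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess,
            (Get-Process -Id $_.OwningProcess).ProcessName
    }
```

Read the output as: both dnsapi.dll lines should say Valid with a Microsoft Windows signer, one WinSxS row per architecture should show MatchesLive True (if Windows Update ran during the fix, as it did here, the matching row may be a newer version than 10.0.10586.212, which is fine), no LEFTOVER lines should print, and nothing should be listening on 8877. A NotSigned dnsapi.dll with no matching WinSxS row means the replace: step did not take and the patched file is still in place.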

I created fixlist.txt, ran a Fix on the infected PC, and rebooted.

 

Fixlog.txt

 

(Just FYI, the reboot triggered Windows Update, because the messages "Getting Windows ready" and "Working on updates" came up and the system rebooted twice. So there have been some Windows fixes just installed.)

 

After the update I re-ran FRST64 with the "addition.txt" option checked.

 

FRST.txt

Addition.txt


Okay, that is looking a lot better, can you tell me how the machine is behaving now? 

I see I forgot the replacement for the 32 bit copy of the dnsapi.dll file, so let's do that with the following script (run it the same way as last time):

replace: C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_0d0987cfb6756063\dnsapi.dll C:\Windows\SysWOW64\dnsapi.dll

Results:

Fixlog.txt

FRST.txt

Addition.txt

 

As for how it is working:

The popups are gone.

I have done some simple things, such as open a browser.

 

If you feel the PC is ready, I will return it to the user and wait to see if she finds anything unusual.

 

I have some final steps to take, bearing in mind the PC was infected by a child who learned his mother's password:

- check virus protection, firewall, and automatic update settings

- move administrator level access to a separate user profile

- put new strong passwords on all user profiles

- add screen saver with password protection

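The four hardening steps in the list above, carried out from PowerShell; this is an added example, not something Edward posted or something Emsisoft recommends in the thread. It assumes Windows 10 with the LocalAccounts cmdlets (Windows PowerShell 5.1, which the 1607 update that ran during the fix provides), an elevated prompt opened while logged in as the account being protected (so the HKCU screen-saver values land in that profile), and the account name SHELLY from the FRST log; ShellyAdmin is a made-up name for the new administrator account.

```powershell
# Added example, not part of the thread. Run elevated, logged in as SHELLY, on Windows 10 / PowerShell 5.1.

# 1. Check protection: Defender, the three firewall profiles, and the Windows Update service.
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
Get-NetFirewallProfile | Select-Object Name, Enabled
Get-Service -Name wuauserv | Select-Object Name, Status, StartType

# 2. Move administrator rights to a separate account ('ShellyAdmin' is a hypothetical name).
$adminPassword = Read-Host -AsSecureString -Prompt 'Password for ShellyAdmin'
New-LocalUser -Name 'ShellyAdmin' -Password $adminPassword -Description 'Admin-only account; do not use for browsing'
Add-LocalGroupMember -Group 'Administrators' -Member 'ShellyAdmin'
# Demote the daily-use account. Takes effect at its next logon; the current elevated session keeps working.
Remove-LocalGroupMember -Group 'Administrators' -Member 'SHELLY'
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# 3. New strong password on the daily-use account (repeat for any other local account).
Set-LocalUser -Name 'SHELLY' -Password (Read-Host -AsSecureString -Prompt 'New password for SHELLY')

# 4. Password-protected screen saver for this profile: blank screen after 10 minutes, logon screen on resume.
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'       -Value "$env:SystemRoot\System32\scrnsave.scr"
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'   -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'  -Value '600'
Get-ItemProperty -Path $desktop | Select-Object 'SCRNSAVE.EXE', ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut
```

Log in as ShellyAdmin once before signing out of SHELLY, so a typo in the new password cannot leave the machine with no usable administrator. The screen-saver values are per user, so step 4 has to be repeated for each profile, or set once under HKEY_USERS\.DEFAULT before the profiles are created.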

Can you please rerun EEK, update it and click the Scan tab. Do another malware scan and post me the results.

 

From what I can see the infection resulted from a PUP installer that brought along quite a few friends. :) The countermeasures you put into place should indeed reduce the risks of that happening again, although I strongly suggest also explaining to the computer user(s) the dangers of just clicking "next" when running installers without checking what will be installed.


Results:

Scan_160811-165749.txt

 

I am seeing one issue possibly related to the infection. According to the Security and Maintenance control panel, Windows Defender is configured as real-time virus protection and is turned off. I cannot turn it on, and cannot run Windows Defender: "This app is turned off by group policy."

 

From my reading, I can turn it on at registry key "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" by deleting the value named "DisableAntiSpyware". Do you agree this is the correct action to take?

 

I agree perfectly with your advice to the user.


This is not the correct scan log. :) Please open EEK, click the Log tab and then on Scan. Now double click the first entry in the list and copy/paste the contents of that text file in your next reply.

 

As for Windows Defender, yes you can try that. If it doesn't work, please let me know.

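The Defender fix discussed above, done from PowerShell with a before-and-after check; an added example, not part of the thread and not Emsisoft's instructions. It assumes an elevated Windows PowerShell prompt on Windows 10 of the era discussed here. The only value the thread names is DisableAntiSpyware; the Real-Time Protection subkey and its DisableRealtimeMonitoring value are the other place the same policy tree can turn Defender off, and are checked here as well. The Internet Explorer policy keys are the ones FRST flagged earlier in the fixlist.

```powershell
# Added example, not part of the thread. Elevated Windows PowerShell on Windows 10.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Before: show what the policy tree currently sets, without changing anything.
if (Test-Path -Path $policy) {
    'Defender policy values before:'
    Get-ItemProperty -Path $policy | Format-List DisableAntiSpyware
    Get-ItemProperty -Path "$policy\Real-Time Protection" -ErrorAction SilentlyContinue |
        Format-List DisableRealtimeMonitoring
}

# Remove only the two values, leaving the key itself in place. On a Windows 10 Home PC
# with no domain there is no Group Policy engine to write them back; whatever set them was local.
Remove-ItemProperty -Path $policy -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "$policy\Real-Time Protection" -Name 'DisableRealtimeMonitoring' -ErrorAction SilentlyContinue

# The Internet Explorer restriction policies FRST flagged live in the same Policies tree; list anything left.
Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $_.Name
        Get-ItemProperty -LiteralPath $_.PSPath | Format-List *
    }

# After: start the service and confirm Defender reports itself enabled.
Start-Service -Name WinDefend -ErrorAction SilentlyContinue
Get-Service -Name WinDefend | Select-Object Name, Status, StartType
Get-MpComputerStatus | Select-Object AntivirusEnabled, AntispywareEnabled, RealTimeProtectionEnabled
```

If WinDefend still refuses to start right after the values are removed, reboot and run the last three lines again; Security and Maintenance can lag the service by a minute or two. Note that on current Windows 10 and 11 builds Defender ignores DisableAntiSpyware altogether (Tamper Protection governs it instead), so this step only matters on builds of the vintage in this thread.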
This topic is now closed to further replies.