Help removing malware

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-370668094-1905685230-1647023283-1001\...\Run: [AdobeBridge] => [X]
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{73FA19D0-2D75-11D2-995D-00C04F98BBC9}] -> 
AppInit_DLLs-x32: C:\PROGRA~1\COMMON~1\System\symsrv.dll => C:\Program Files\Common Files\System\symsrv.dll [69337 2021-10-14] (Microsoft Corporation) [File not signed] <==== ATTENTION
IFEO\osppsvc.exe: [Debugger] rundll32.exe SppExtComObjHook.dll,PatcherMain
IFEO\SppExtComObj.exe: [Debugger] rundll32.exe SppExtComObjHook.dll,PatcherMain
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {FC531EE0-7EDF-4258-B99D-B6FFA3515AC2} - System32\Tasks\KMSAutoNet => C:\ProgramData\KMSAutoS\KMSAuto Net.exe
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
FirewallRules: [{004A0256-BBE7-402F-9672-9DEB5EF0BC31}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
FirewallRules: [{0F654D76-6E02-4647-98D5-7B2C71BA1BA6}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
FirewallRules: [{FF52431F-683A-48E5-9A4F-68C4E6C7A844}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe => No File
FirewallRules: [{BAA9A59C-5DDF-438B-9C70-C2FB3E9433DC}] => (Allow) C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe => No File
FirewallRules: [{5E1C5ED4-2EB2-432C-9323-D1BF81CC5CBB}] => (Allow) C:\Users\morteza\AppData\Local\Programs\Opera\58.0.3135.79\opera.exe => No File
FirewallRules: [{7E021A8F-9EC5-4933-BFB6-F9622F27BED1}] => (Allow) C:\Users\morteza\AppData\Local\Programs\Opera\57.0.3098.91\opera.exe => No File
FirewallRules: [{BE30A4FE-6CC1-4338-87A6-4C535E74A69F}] => (Allow) C:\Users\morteza\AppData\Local\Temp\7ZipSfx.002\bin\tools\aria2c.exe => No File
C:\Program Files\Common Files\System\symsrv.dll

 

Close Notepad.

 

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.

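The fixlist above clears four distinct persistence mechanisms: an AppInit_DLLs entry (the unsigned symsrv.dll gets loaded into every process that links user32.dll), two Image File Execution Options Debugger hijacks that redirect the software-protection binaries osppsvc.exe and SppExtComObj.exe into SppExtComObjHook.dll, a Windows Defender policy restriction, and the KMSAutoNet scheduled task. The PowerShell below is added here as an example; it is not part of the original post and not part of FRST. It re-reads those locations after the fix so the result can be verified independently of Fixlog.txt. The registry paths and the DLL path come from the fixlist; the extra check of the 64-bit AppInit_DLLs key is an assumption of mine that the fixlist did not flag.

```powershell
# Added example (not from the original post or FRST): verify the persistence locations
# the fixlist targets. Run from an elevated PowerShell prompt.

# 1. AppInit_DLLs. FRST's "AppInit_DLLs-x32" is the Wow6432Node key; the 64-bit key is
#    checked too (assumption: the fixlist did not report it, so it should be empty).
foreach ($key in 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows',
                 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows') {
    $v = Get-ItemProperty $key -ErrorAction SilentlyContinue
    "AppInit_DLLs [$key]: '$($v.AppInit_DLLs)'  LoadAppInit_DLLs=$($v.LoadAppInit_DLLs)"
}

# 2. Image File Execution Options: any 'Debugger' value means the named executable is
#    silently replaced by the debugger command line (here rundll32 + SppExtComObjHook.dll).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { "IFEO Debugger: $($_.PSChildName) -> $dbg" }
}

# 3. Windows Defender policy restrictions (flagged as 'Restriction' in the fixlist).
$defPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $defPol) {
    "Defender policy values still present:"
    Get-ItemProperty $defPol | Select-Object -Property * -ExcludeProperty PS* | Format-List
} else {
    "No Defender policy key present"
}

# 4. Scheduled task left by the KMSAuto activation crack.
$task = Get-ScheduledTask -TaskName 'KMSAutoNet' -ErrorAction SilentlyContinue
if ($task) { "Task still present: $($task.TaskName) -> $($task.Actions.Execute)" }
else       { "KMSAutoNet task not present" }

# 5. The flagged DLL. A genuine Microsoft symsrv.dll carries a valid Authenticode
#    signature; the fixlist shows this one as '[File not signed]'.
$dll = 'C:\Program Files\Common Files\System\symsrv.dll'
if (Test-Path $dll) {
    $sig = Get-AuthenticodeSignature $dll
    "symsrv.dll present: signature=$($sig.Status) signer='$($sig.SignerCertificate.Subject)'"
    "SHA256: $((Get-FileHash $dll -Algorithm SHA256).Hash)"
} else {
    "symsrv.dll not present"
}
```

After a successful fix, expect empty AppInit_DLLs values, no Debugger entries for osppsvc.exe or SppExtComObj.exe, no Defender policy key (or only values you set yourself), no KMSAutoNet task, and no symsrv.dll. If the DLL is still there with signature status NotSigned, the fix did not take and the AppInit_DLLs entry has to be cleared before the file can be removed, since every process that loaded it holds it open.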

On 10/18/2021 at 8:52 PM, ShadowPuterDude said:

I did the fix. My system is still infected and Emsisoft is unable to remove the malware.

Addition.txt

FRST.txt

scan_211020-210233.txt

CBS.zip

 


 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-370668094-1905685230-1647023283-1001\...\MountPoints2: {060fdf0b-1c90-11ec-9b4e-305a3a46fdf9} - "K:\Lenovo_Suite.exe" 
HKU\S-1-5-21-370668094-1905685230-1647023283-1001\...\MountPoints2: {4a711feb-2a79-11eb-9b19-305a3a46fdf9} - "K:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-370668094-1905685230-1647023283-1001\...\MountPoints2: {7ad54834-7674-11eb-9b22-305a3a46fdf9} - "K:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-370668094-1905685230-1647023283-1001\...\MountPoints2: {800233c9-ae2f-11eb-9b29-305a3a46fdf9} - "K:\HiSuiteDownLoader.exe" 
HKU\S-1-5-21-370668094-1905685230-1647023283-1001\...\MountPoints2: {84cfe617-703a-11eb-9b22-305a3a46fdf9} - "K:\HiSuiteDownLoader.exe" 
AppInit_DLLs-x32: C:\PROGRA~1\COMMON~1\System\symsrv.dll => C:\Program Files\Common Files\System\symsrv.dll [69337 2021-10-20] (Microsoft Corporation) [File not signed] <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
2021-10-14 20:19 - 2019-03-10 17:05 - 000000000 ___DC C:\Users\morteza\AppData\Local\56c836af4737331944af3bdaaffdbbe8
C:\Program Files\Common Files\System\symsrv.dll

 

Close Notepad.

 

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.


 

Copy the below code to Notepad. Save As fixlist.txt to your Desktop.

2021-10-21 20:05 - 2021-10-21 20:05 - 000069337 _____ (Microsoft Corporation) [File not signed] C:\Program Files\Common Files\System\symsrv.dll
C:\Program Files\Common Files\System\symsrv.dll

 

Close Notepad.

 

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

 

IMPORTANT: Save all of your work, as the next step may reboot your computer.

 

Run FRST and press the Fix button just once and wait.

 

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

 

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

 

NOTE: If the tool warns you about an outdated version please download and run the updated version.

 

Also, let me know how the machine is running now, and what remaining issues you've noticed.


C:\Program Files\Common Files\System\symsrv.dll 	detected: Trojan.AgentWDCR.ERJ (B) [krnl.xmd]
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\msedgeupdate.dll 	detected: Win32.Floxif.A (B) [krnl.xmd]

Both of those files are Windows System files.  I can have FRST remove them and during the reboot process Windows File Protection will just restore the infected files.  The only way to fix the issue is to replace the files with clean copies of the file from a clean legitimate copy of Windows.


42 minutes ago, ShadowPuterDude said:
C:\Program Files\Common Files\System\symsrv.dll 	detected: Trojan.AgentWDCR.ERJ (B) [krnl.xmd]
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\msedgeupdate.dll 	detected: Win32.Floxif.A (B) [krnl.xmd]

Both of those files are Windows System files.  I can have FRST remove them and during the reboot process Windows File Protection will just restore the infected files.  The only way to fix the issue is to replace the files with clean copies of the file from a clean legitimate copy of Windows.

Ok, how can I do that?


The best option is to purchase a Windows 10 key and apply it to your system and then run Windows Update to bring the system up to date.  The situation you are experiencing is a good example of why you should not use activation cracks.  Especially KMSAuto, KMSSpico and others of that nature.  Most of these activation cracks install malware.


Hello again

I used the ESET Online Scanner and it removed this malware completely. I found this suggestion in the following link:

https://www.bleepingcomputer.com/forums/t/757540/my-computer-is-infected-with-symsrvdll/page-2#entry5247732

But, I have a question about Emsisoft protection:

My system was infected when I connected a smartphone to my computer (21/10/2021 07:00). Emsisoft was fully updated when it was connected and all guards were active. Why didn't Emsisoft prevent the infection?!

I will attach the log reports for you. Maybe you can tell me why my system is infected. Thank you.

Forensics_211028-123254.txt

Download Logs.zip:

https://file.io/buMTfamhvkI8


The logs you uploaded to File.io are no longer available. We do not scan devices connected to the system via a USB port automatically.

Your copy of Windows was cracked and used an activation bypass. The crack that was used is known to be distributed with malware. Once the system is compromised it is a trivial task to evade detection by an AV.


logs.zip - Google Drive

Ok. thanks @ShadowPuterDude

Only to increase my knowledge and discuss more about Emsisoft:

1- Emsisoft has a "self-protection" system; how could malware break the Emsisoft detection and protection system?

2- What is the difference between ESET and Emsisoft in removing this malware? ESET automatically removed the malware, and Windows File Protection did not restore this malware after the reboot.

About the cracked version of Microsoft Windows:
I serve my customers, and I cannot enter their worldview. I also disagree with the cracked version, but we have to accept that millions of people use pirated Windows all around the world; it's a fact. And in all honesty, it makes sense for them to do so, especially in developing countries, where the price of a Windows license is equal to someone's monthly salary.

Thanks for your attention.


A major source of malware is software cracks. For example, roughly 50% of all ransomware infections are the STOP (DJVU) family of ransomware. STOP is distributed exclusively via software cracks, the KMS activation bypass crack being the top infection method for STOP.

The Emsisoft Self-Protection module prevents malware from shutting down Emsisoft.  This does not prevent an attacker who has access to the system from shutting down Emsisoft.  The only way to prevent an attacker from shutting down Emsisoft after they gain access to the system is to set the Admin Password on Emsisoft.

We'd need to get some debug logs during the removal process to troubleshoot why Emsisoft and FRST could not remove the infection. Often it is the fact that we could not gain permission over the files. ESET Online gaining permission over the files may have more to do with the fact that the full AV is never downloaded to your system; just the scanner, cleaning engine, and signatures are downloaded. So, as far as the malware is concerned, that is not an installed AV and is never registered on the system. It is also a process that the malware is not monitoring the system for.

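The post above attributes the failed removal to not gaining permission over the files. Two checks a responder would run on the flagged DLL before another removal attempt, added here as an example and not part of the original thread: who owns the file and what its ACL grants, and which running processes currently have it mapped. The path is the one from the fixlists earlier in the thread; everything else is generic and does not depend on Emsisoft, ESET or FRST.

```powershell
# Added example (not from the original thread): find out why a flagged DLL resists deletion.
# Run from an elevated PowerShell prompt. The path is the one reported in the fixlists.
$dll = 'C:\Program Files\Common Files\System\symsrv.dll'

if (-not (Test-Path $dll)) { "symsrv.dll not present"; return }

# 1. Owner and ACL. A removal tool needs Delete rights on the file (or on the directory);
#    a hostile ACL, or an owner the tool's account cannot override, blocks a plain delete.
$acl = Get-Acl $dll
"Owner: $($acl.Owner)"
"ACL:"
$acl.Access | ForEach-Object {
    "  $($_.IdentityReference) : $($_.FileSystemRights) ($($_.AccessControlType))"
}

# 2. Processes that have the DLL mapped. An AppInit_DLLs entry gets it loaded into every
#    process that links user32.dll, so the file stays in use for as long as those processes
#    run, and a delete fails with a sharing violation. The registry entry has to go first
#    (or the delete has to be deferred to the next boot, which is what fix tools do).
$holders = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.FileName -ieq $dll }) { $p }
    } catch {
        # Protected processes and 32/64-bit mismatches throw on .Modules; skip them.
    }
}
"$(@($holders).Count) process(es) currently have symsrv.dll loaded:"
$holders | Select-Object Id, ProcessName | Format-Table -AutoSize
```

If the holder list is long and includes shell processes such as explorer.exe, the DLL is still being injected and no user-mode delete will succeed until the AppInit_DLLs value is cleared and the machine rebooted; if the list is empty but the delete still fails, the ACL output shows which identity is denying it.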
