Author Topic: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)  (Read 11888 times)

0 Members and 1 Guest are viewing this topic.

October 31, 2017, 12:05:02 am

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Hello,
 
we are having an unknown infection on 7 of 8 computers in our company.
 
I couldn't find much using various AV Programs and Tools.
 
Looked nearer at approximately 50 infected files with Adlice RK PE Viewer, let me see that the most of them are having sandboxes, anti-debugging scanner / debugging blocker and stuff like that to protect itself and hide of AV.
 
At least since beginning of this infection (last Thursday) concrete objects found by AV: (all PC together)
 
G DATA found 6 PSW-Tools and 3 OCS-Tools
ESET found 3 PSW-Tools
RogueKiller found 14 PUM's and 2 Rootkit IAT:Addr(Hook.IEAT)
 
The 8th computer was off and not hanging in the local Intranet by the time of the infection, so he stayed clean. We won't put him back in the network until the other PC are cleaned.
 
Concrete symptoms are: Some files are encrypted (new extensions like .crypt, .crypto, .crypted, .encrypted and so on which aren't possible to open), some files are just renamed or the extension was changed to another normal file type. Some files are damaged, which causes programs to hang often and crash. Some files are just edited shortly ago, which has no visible effect.
 
At least, some programs are completely not working anymore and on 3 PC's there is until now no ability to connect to the Internet.
 
In the hope, someone here can help me, I did scans with Farbar Recovery Scan Tool at the 7 infected PC's.
 

I hope someone here is able to help me with my problem!

PC Names:

 - PCSRV (Main PC)
 - PC01 (Secondary PC)
 - PC201701 ('DESKTOP-NO388OR') (Tertiary PC)
 - PC05 (Tertiary PC)
 - STUMPF-HP (Notebook)
 - NETBOOK (Notebook)
 - TVW-TC-1671 (Auxiliary PC)

 - STUMPF-PC (Notebook) (not affected of infection, so no Farbar Scan)
 - SMARTBOOK (Android tablet, only non-Windows business device) (not affected of infection)
 
Greetings Lobas
« Last Edit: November 01, 2017, 12:32:14 am by Lobas »

Reply #1October 31, 2017, 04:47:49 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2580
  • Reputation:
    97
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #1 on: October 31, 2017, 04:47:49 pm »
Hi Lobas,

Could you please attach G-DATA, ESET and RogueKiller reports of the first computer with your next reply ?
Please also attach some of the crypted files (at least one .crypt and one with a "normal" extension type file).

Do you know the following files ?
Code: [Select]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()

Regards.
« Last Edit: October 31, 2017, 04:50:27 pm by Curson »

Reply #2November 01, 2017, 12:29:02 am

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #2 on: November 01, 2017, 12:29:02 am »
Hi,
am I right with that you only want logs with catches or isn't that the point?

Yes if I find one I will, but it feels like them already getting fewer for no known reason.

Yes this files are batches I wrote myself to log on the computer on the Network drives and to automatically wipe out the most common sources of application errors in the company's main work program.

Reply #3November 01, 2017, 01:46:11 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2580
  • Reputation:
    97
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #3 on: November 01, 2017, 01:46:11 pm »
Hi Lobas,

Quote
am I right with that you only want logs with catches or isn't that the point?
Yes, you are perfectly right.

Quote
Yes if I find one I will, but it feels like them already getting fewer for no known reason.
Without an encrypted file, it will be difficult to accurately determine the type of the infection.
Was a ransom demand present with the encrypted files ?

Quote
Yes this files are batches I wrote myself to log on the computer[...]
Thanks for the confirmation.

Regards.

Reply #4November 01, 2017, 05:21:15 pm

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #4 on: November 01, 2017, 05:21:15 pm »
No, until now no demand was seen.

Attached are two logs of PCSRV I found: Smadav log from 25th October and ClamWinPortable (screenshot of catches) from 30th October.

EDIT: From ESET logs I can only partial screenshots give. Attached first 3 Logs of 26th/27th October.
« Last Edit: November 01, 2017, 06:19:43 pm by Lobas »

Reply #5November 01, 2017, 06:46:17 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2580
  • Reputation:
    97
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #5 on: November 01, 2017, 06:46:17 pm »
Hi Lobas,

Neither ClamAV nor EST did detect a ransomware.
At this point, I think that your files has been corrupted by something non-malware related, so there is little I can do to help you.

Regards.

Reply #6November 01, 2017, 09:58:24 pm

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #6 on: November 01, 2017, 09:58:24 pm »
Maybe Ransom-/Crypto-/Doxware plays a role in this, maybe a smaller one. But it's completely clear that a heavy malware infection is taking place.

For this I can give you more concrete facts.

I will try to deliver as much as possible of useful information.

Reply #7November 02, 2017, 05:48:56 am

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #7 on: November 02, 2017, 05:48:56 am »
First, please let's stay with the Farbar logs. Still looking mostly at PCSRV (also because the 5 holidays ago are now over and today normal business is starting again. PCSRV plays a central role for the proper work of the Network and all attached devices. Furthermore PCSRV is one of the PC's since beginning of infection has got no working Internet connection anymore. That's a big problem looking forward to normal work should be possible again.)

Under the given circumstances I am pleading at you, Curson, and surely any other person which may is able to provide any form of help, to please stay at this topic and try to help / find solutions / correct & complete my proposals for what to do next.

Please just stand by.

Thanks.

'I will start to ask concrete questions about Farbar and how to deal with it starting in the next post.'
« Last Edit: November 02, 2017, 05:50:40 am by Lobas »

Reply #8November 02, 2017, 06:04:40 am

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #8 on: November 02, 2017, 06:04:40 am »
Ok, let's start with PCSRV. It's disinfection is the most urgent.

Like said, please correct me if I'm thinking wrong, complete what I try to concern about and help me if I'm just asking questions against the background of limited knowledge! I would be very pleased if you could manage it to support me trying to get to the problem starting somewhere.  :)

Processes:

Is it right to do nothing at this point or should the following process maybe be kicked? Or are there potential signs of bad processes I completely not recognized?
Quote
- () C:\Windows\System32\igfxTray.exe



Registry:

I'm somewhat irritated of the following objects. Should they be deleted?
Quote

 - HKLM\...\Run: [bg-info] => [X]
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe


At next, these objects should(!) all be legit, but why are they getting into that list? Also they would be not uncommon places for infection (Startup/Bootsectors, Shortcuts & .bat, .vbs & .exe files).
Should I still trust them, like I did until, (prophylactic) remove or just stay watching them?
Quote


Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\hevos.lnk [2017-08-08]
ShortcutTarget: hevos.lnk -> C:\Program Files (x86)\henova GmbH\hevos\Hevos.GUI.Client.exe (Henova GmbH)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]
ShortcutTarget: NetScaler Gateway.lnk -> C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
Startup: C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2017-08-18]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)


Internet:


1st: Why the hell is the hosts file not in it's normal folder? How can something like that happen? A problem I never heard of before, but IMO, that looks alarming.

2nd: This object should be removed immediately, is that correct? I'm remembering stuff like DHCPNameServers as very dangerous.

Quote
Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1

3rd: Browsers:

The following stuff hanging in IE, FF & Chrome.
It wouldn't be a mistake to wipe out this junk, would it?

Quote
Internet Explorer:
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
 - BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-10-19] (Microsoft Corporation)
 - BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\ssv.dll [2017-08-08] (Oracle Corporation)
 - BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-08-08] (Oracle Corporation)
 - Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)

Mozilla Firefox:
 - FF DefaultProfile: 1u3d5r8x.default
 - FF ProfilePath: C:\Users\praxis\AppData\Roaming\Mozilla\Firefox\Profiles\1u3d5r8x.default [2017-10-26]
 - FF Plugin: @Citrix.com/npagee64,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @Citrix.com/npagee,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-10-19] (Microsoft Corporation)
 - FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-08-01] (Adobe Systems Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)

Google Chrome:
 - CHR Profile: C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default [2017-10-26]
 - CHR Extension: (Präsentationen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-16]
 - CHR Extension: (Docs) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-16]
 - CHR Extension: (Google Drive) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-08-02]
 - CHR Extension: (YouTube) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-08-02]
 - CHR Extension: (Tabellen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-16]
 - CHR Extension: (Google Docs Offline) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-08-02]
 - CHR Extension: (Chrome Web Store-Zahlungen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-10]
 - CHR Extension: (Google Mail) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-08-02]
 - CHR Extension: (Chrome Media Router) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-10-10]

Quote
For the possibility that this thread is no longer viewed, I will open up a new one with more concrete description, type of help bidden for and more other Sysinfo including potential other (non-Farbar) logs. At first the two threads can, viewed from my point of action, a certain time co-exist. If the time comes a Mod wants to see everything in one, no problem, too. Just explaining why I am doing this.
« Last Edit: November 02, 2017, 07:55:22 am by Lobas »

Reply #9November 02, 2017, 02:10:17 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2580
  • Reputation:
    97
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #9 on: November 02, 2017, 02:10:17 pm »
Hi Lobas,

I'm still following your thread, but I'm not here all the time.
Here are the answers to your questions :

Process :
igfxTray.exe : This process is used to provide you quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets

Registry :
The registry values under the DisallowRun key forbid the launch of PowerShell, Background Intelligent Transfer Administration Service (BITS) and Microsoft HTML Application. These keys are usually set by the antiransomware module of some antivirus.

Startup :
Theses items are launched on system startup. You can trust them.

Internet :
1) FRST didn't found the hosts file on standard location but another section of the log show no issue.
2) No. It's your Internet gateway.

3rd: Browsers :
These are your browsers extensions, which are all legit.

Once again, there is nothing more I can do without a sample of an encrypted file.
Regards.

Reply #10November 02, 2017, 06:08:02 pm

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #10 on: November 02, 2017, 06:08:02 pm »
Hi,

ok..

In the case of the process I thought I have read anywhere, if no company's name stands in front, that would be a warning signal.

EDIT: Would it be possible, that this process got hijacked?

As with the registry there is then nothing to do, too. The Startup items are mostly trusted, but I was wondering about their appearance on the list.

EDIT: Ok, something better to leave alone. I'm trusting all of them, but from some of these items (below) I know how easy and how open they get infected.

Quote
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
ShortcutTarget: hevos.lnk -> C:\Program Files (x86)\henova GmbH\hevos\Hevos.GUI.Client.exe (Henova GmbH)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]

In case of the hosts file I will just believe that from you, the NameServer, dumb mistake..

EDIT: You mean the host file entries? Yes, I cannot remember seeing them in the log of PCSRV. Nevertheless I didn't get why the hosts file is somewhere it doesn't belong?
Oh, ok then better not removing. :D


Yes, diverse browser extensions, but I took now a deeper look and things like Java or the Office plugins, yes makes sense, but is the rest not at least useless? Or take a nearer look of the first two elements in IE, hxxp?!

EDIT: Maybe I can deliver something like that, don't know if you can make use of it.


Ok so far:

As with drivers there is only this one suspicious:

Quote
S0 wjtvys; kein ImagePath

As with the 'Created' and 'Modified' Files/Folders 1st: Does it make sense to unhide the hidden system files?
And, is it right that an object should be checked if there's no company name and no attribute letter, especially when it's in the Windows folder?
That would match only for a few:

Quote
C:\Windows\DOCFEST.INI
C:\Users\Public\Desktop\ESET Sicheres Online-Banking und Bezahlen.lnk
C:\Users\praxis\Desktop\smadav.1log.txt
C:\Users\praxis\Downloads\Lisa (1).pdf
C:\Users\praxis\Downloads\Lisa.pdf
C:\Windows\system32\Drivers\etc\hosts.20171023-194230.backup
C:\Windows\system32\administration.bat
C:\Windows\system32\Fehlerquellen beheben.bat
C:\Windows\system32\close.bat
C:\Windows\system32\auxiliary.bat
C:\Windows\SysWOW64\uninst.exe

And them:

Quote
C:\Windows\ZAM.krnl.trace
C:\Windows\ZAM_Guard.krnl.trace
C:\Windows\system32\perfh007.dat
C:\Windows\system32\perfc007.dat
C:\Windows\system32\PerfStringBackup.INI
C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk
C:\Windows\system32\Drivers\TrueSight.sys
C:\Windows\system32\FNTCACHE.DAT
C:\Windows\SysWOW64\PerfStringBackup.INI
C:\Users\Public\Desktop\x.servicecenter.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\x.comfort Word-Assistent.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\comfort.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\medatixx Fernservice.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk

Or, if we substract user modified ones, this is what remains:

Quote
C:\Windows\DOCFEST.INI
C:\Windows\system32\Drivers\etc\hosts.20171023-194230.backup
C:\Windows\SysWOW64\uninst.exe
C:\Windows\ZAM.krnl.trace
C:\Windows\ZAM_Guard.krnl.trace
C:\Windows\system32\perfh007.dat
C:\Windows\system32\perfc007.dat
C:\Windows\system32\PerfStringBackup.INI
C:\Windows\system32\Drivers\TrueSight.sys
C:\Windows\system32\FNTCACHE.DAT
C:\Windows\SysWOW64\PerfStringBackup.INI

Then the section with Root Directory, which meaning does it have, when something is listed there?

Quote
2017-08-02 20:26 - 2017-08-02 20:26 - 000000779 _____ () C:\Users\praxis\AppData\Roaming\gdscan.log
2017-08-02 19:25 - 2017-08-02 19:25 - 000361646 _____ () C:\ProgramData\ds_update.log
2017-08-02 19:21 - 2017-08-02 19:21 - 000000132 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
2017-03-15 09:01 - 2017-03-15 09:01 - 000010272 _____ () C:\ProgramData\regid.2013-04.medatixx.de,softwareproduktion_85D1FE7C-C5B0-451C-9C29-234CAEA6DEBA.swidtag
2017-03-15 09:02 - 2017-03-15 09:02 - 000010268 _____ () C:\ProgramData\regid.2013-04.medatixx.de,softwareproduktion_DFCF6231-755B-44A8-87E4-A38B5FAFB29F.swidtag

I know the listed TEMP folder content does not have to be malware, but isn't it safer to delete this or do I have any advantage of it?

Quote
2017-10-23 17:43 - 2017-09-13 17:31 - 001732864 _____ (Microsoft Corporation) C:\Users\praxis\AppData\Local\Temp\dllnt_dump.dll
2017-08-08 11:20 - 2017-08-08 11:20 - 000271872 ____N (Kohsuke Kawaguchi) C:\Users\praxis\AppData\Local\Temp\native-helpler-4037951261073866670-com4j-x86.dll

And, at last, I didn't got it really what it have with the Bamital & Volsnap section on it..

Quote
==================== Bamital & volsnap ======================

(Es ist kein automatischer Fix für Dateien vorhanden, die an der Verifikation gescheitert sind.)

C:\Windows\system32\winlogon.exe => Datei ist digital signiert
C:\Windows\system32\wininit.exe => Datei ist digital signiert
C:\Windows\SysWOW64\wininit.exe => Datei ist digital signiert
C:\Windows\explorer.exe => Datei ist digital signiert
C:\Windows\SysWOW64\explorer.exe => Datei ist digital signiert
C:\Windows\system32\svchost.exe => Datei ist digital signiert
C:\Windows\SysWOW64\svchost.exe => Datei ist digital signiert
C:\Windows\system32\services.exe => Datei ist digital signiert
C:\Windows\system32\User32.dll => Datei ist digital signiert
C:\Windows\SysWOW64\User32.dll => Datei ist digital signiert
C:\Windows\system32\userinit.exe => Datei ist digital signiert
C:\Windows\SysWOW64\userinit.exe => Datei ist digital signiert
C:\Windows\system32\rpcss.dll => Datei ist digital signiert
C:\Windows\system32\dnsapi.dll => Datei ist digital signiert
C:\Windows\SysWOW64\dnsapi.dll => Datei ist digital signiert
C:\Windows\system32\Drivers\volsnap.sys => Datei ist digital signiert

I'm not really leaning wide out of the window saying that 'volsnap.sys' is kind of suspicious?
Also, the two 'dnsapi.dll' detections, I think I've seen them in an example log of Farbar in this section.
Or did all of them not passed verification?

Gets more and more complicated, but I still got more possibilities, the problem finally has to be somewhere.
« Last Edit: November 02, 2017, 07:52:30 pm by Lobas »

Reply #11November 02, 2017, 07:13:28 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2580
  • Reputation:
    97
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #11 on: November 02, 2017, 07:13:28 pm »
Hi Lobas,

Quote
In the case of the process I thought I have read anywhere, if no company's name stands in front, that would be a warning signal.
If the process do not have a company's name, it's indeed a warning. But this process is legit.

Quote
Yes, diverse browser extensions, but I took now a deeper look and things like Java or the Office plugins, yes makes sense, but is the rest not at least useless? Or take a nearer look of the first two elements in IE, hxxp?!
When installing such programs, they register browsers extensions, but they are indeed not really useful. Every http links in FRST reports is changed to hxxp for security reasons.

Quote
As with drivers there is only this one suspicious:
This is an old service where the actual executable file is missing, so nothing dangerous.
You can delete it with the following command from the command line :
Code: [Select]
sc config wjtvys start= disabled && sc delete wjtvys
Quote
As with the 'Created' and 'Modified' Files/Folders[...]
Using default config, FRST display the file created and modified during the last 30 days, on specific locations, with predefinied whitelist. Every files and folders listed on your report are legit.

Quote
I know the listed TEMP folder content does not have to be malware, but isn't it safer to delete this or do I have any advantage of it?
No, they are legit files. This won't change anything.

Quote
I'm not really leaning wide out of the window saying that 'volsnap.sys' is kind of suspicious?
Also, the two 'dnsapi.dll' detections, I think I've seen them in an example log of Farbar in this section.
Or did all of them not passed verification?
Files volsnap.sys and dnsapi.dll are part of the operating system. Since they are signed, they are legit.

Regards.

Reply #12November 09, 2017, 06:00:00 pm

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #12 on: November 09, 2017, 06:00:00 pm »
Hi,

sorry for my long absence. I had 4 Holidays at work now.


So am I right with the following compilation of things to do at PCSRV because of the Farbar Scan?


- Registry:

Quote
HKLM\...\Run: [bg-info] => [X]

(Delete) (?)

Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1

When I remember right, this key can be set from malware, just like also from AV-Programs, but you thought this is ok, right? Or is this just required to make the following three keys work? (I mean the ones, you said they're set by anti-ransomware modules (I'm not asking again about their legitimity, my question is just about the one I put in above!))


 - Internet Explorer:


Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp

Removing, because they are just there to set not needed Default Start Pages and so are PUM's, right?


 - Mozilla Firefox:


Quote
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)

These are also PUM's, which aren't needed, right?


 - Drivers:


Quote
S0 wjtvys; kein ImagePath

(Delete, because broken, so no more advantage, ok?)



 - Created & Modified:


Quote
2017-10-11 09:23 - 2017-09-13 17:27 - 000006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 16:46 - 000006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 16:46 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 16:46 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 16:46 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2017-10-26 05:38 - 2009-07-14 06:45 - 000021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-10-26 05:38 - 2009-07-14 06:45 - 000021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-10-25 19:44 - 2017-08-02 17:30 - 000000000 __SHD C:\Users\praxis\IntelGraphicsProfiles
2017-10-25 19:40 - 2009-07-14 07:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-10-25 18:05 - 2017-08-02 22:26 - 000000000 __SHD C:\[Smad-Cage]

Just unhiding, I know, not necessary at least, but also nothing that can make damage, am I right so?

*Sorry if I'm asking so much questions, or a few more than one time, but with the following I wanna be completely sure*


Quote
2017-10-26 14:08 - 2017-10-26 14:08 - 000000030 _____ C:\Windows\DOCFEST.INI
2017-09-30 15:50 - 2017-07-03 16:10 - 000549281 _____ C:\Windows\SysWOW64\uninst.exe
2017-10-26 13:53 - 2017-08-03 02:59 - 000809226 _____ C:\Windows\system32\perfh007.dat
2017-10-26 13:53 - 2017-08-03 02:59 - 000185506 _____ C:\Windows\system32\perfc007.dat
2017-10-26 13:53 - 2009-07-14 07:13 - 001896188 _____ C:\Windows\system32\PerfStringBackup.INI
2017-10-23 17:46 - 2017-08-02 19:29 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-10-12 03:21 - 2009-07-14 06:45 - 000412120 _____ C:\Windows\system32\FNTCACHE.DAT
2017-10-12 03:02 - 2017-08-02 17:18 - 001869532 _____ C:\Windows\SysWOW64\PerfStringBackup.INI

I really, really don't have to worry about them, you're telling me? (I won't put them on fixlist, or fix somehow else, if you can say that there is not the smallest probability, of them being somehow suspicious!)

 - "Root Directorys", "TEMP folder" & "Bamital & Volsnap" sections:

As with the sections aforementioned, I still didn't get completely the reasons, but if your last word is, there is no need of doing anything, I will ignore it!


 - Installed Programs:



Quote
Berater (HKLM-x32\...\{72EB4F78-28CA-4813-BDCF-8062EFDEF34A}) (Version: 17.3.71 - I-Motion GmbH) Hidden
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Maxx Audio Installer (x64) (HKLM\...\{307032B2-6AF2-46D7-B933-62438DEB2B9A}) (Version: 1.6.5073.107 - Waves Audio Ltd.) Hidden
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8528.2139 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8528.2139 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8528.2139 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0407-0000-0000000FF1CE}) (Version: 16.0.8326.2107 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (HKLM\...\{202AAF1F-69AA-442A-B59F-6B54B1AD07C6}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (HKLM\...\{53CDFF43-1CE7-444B-AEBE-A5FB7B82511D}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM\...\{18B2A97C-92C3-4AC7-BE72-F823E0BC895B}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM\...\{26F35006-0545-4F78-90D8-C2FDF0028692}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM\...\{54FF8FAB-DE27-4187-82F1-EBAE6AEE869A}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM\...\{D4DF6EA6-4B7A-42B4-9C56-D8BC7D087F7A}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Management Studio (HKLM\...\{A7037EB2-F953-4B12-B843-195F4D988DA1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Management Studio (HKLM\...\{F9FDAEBA-9BFE-4FDD-BDEB-482A3F5316C8}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
Sql Server Customer Experience Improvement Program (HKLM\...\{BED1EA3D-592D-4305-9D1F-20F03726EFC1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden

As with them just unhiding, (not absolutely necessary, but also not doing any wrong when performing this) Please correct, if I'm on the wrong path with that thinking.


 - Custom CLSID:


Quote
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> Keine Datei

Removing, because broken, so no more advantage out of it. Right?


 - Scheduled Tasks:


Quote
Task: {477C4964-5D79-416B-A20C-A2C8DF520A00} - System32\Tasks\{71F1B1EC-F67F-4DF0-A6D4-F7ACDA42E115} => C:\Windows\system32\pcalua.exe -a C:\Users\praxis\Downloads\jxpiinstall.exe -d C:\Users\praxis\Downloads
Task: {5D93A44C-B6FE-4A29-B04E-9BD2E0771ECC} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
Task: {84801545-B73C-48CC-B5CD-B004A3B369D7} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
Task: {8D86F910-78AD-4DEE-95D1-1903E0AE4966} - System32\Tasks\{3FEC2A17-5EBD-46F2-8729-92CDCBB03DAD} => C:\Windows\system32\pcalua.exe -a "C:\Users\praxis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M30V4LAH\JavaSetup8u144.exe" -d C:\Users\praxis\Desktop

Just asking if they're really ok, because they have no company affiliation listed. Won't do anything to them if you tell me they're nevertheless legit.


 - Shortcuts & WMI:


Quote
Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat ()

Farbar tutorial says, in this section are only listed suspicious or hijacked Shortcuts, along with WMI Malware.
I know I've written them myself and you already asked because of this point, but one point I haven't mentioned before, >>on this PC are more than one copies of (primarily) identical Batch files and associated Shortcuts.<< So why just this exemplar is listed here? At the moment I would clearly remove it, especially because it's no big thing to regain it from an (supposedly) clean copy of the same. Or is it maybe so that Farbar marks it as suspicious because it is in the Windows\System32 folder, where it normally doesn't belong to? Against this possibility speaks that there are more such copies in System32, so I don't wanna offend you or doubt your knowledge, but without a plausible explanation how this got falsely into that list, I still have to believe there is something wrong.


 - Loaded Modules:


Quote
2017-07-06 10:27 - 2017-07-06 10:27 - 000515920 _____ () C:\Program Files (x86)\BackupAssist v10\NTFSTraverser.dll
2017-08-02 17:24 - 2015-09-23 10:25 - 000393320 _____ () C:\Windows\system32\igfxTray.exe
2017-08-02 19:05 - 2017-06-28 00:24 - 001434976 _____ () C:\doc2\prog\wprog\DOCWIN.dll
2017-08-02 19:05 - 2017-06-28 00:26 - 000099168 _____ () C:\doc2\prog\wprog\x.AltovaXML.dll
2017-08-02 19:05 - 2017-06-28 00:26 - 000108896 _____ () C:\doc2\prog\wprog\x.Altova.dll
2017-08-02 19:05 - 2017-06-27 22:50 - 005769216 _____ () C:\DOC2\PROG\WPROG\QtGui4.dll
2017-08-02 19:05 - 2017-06-27 22:49 - 001477632 _____ () C:\DOC2\PROG\WPROG\QtCore4.dll
2017-08-02 19:05 - 2017-06-28 00:27 - 000085344 _____ () C:\DOC2\PROG\WPROG\xPatientMessages.dll

Farbar tutorial says the listed ones here haven't passed Whitelisting. Should I be alarmed over this? All of them look trustworthy at first, but is Hijacking conceiveable here?


 - Internet Explorer Restricted Sites:

The restricted sites in IE, are they restricted for a special reason, or would it be ok to remove this attribute?


 - Other Areas:


Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

This one looks legit to me, right?     (Won't do anything)

Quote
DNS Servers: 192.168.2.1

Does not look like a hijacked DNS Server to me, or?     (Won't do anything) (checked with whois.domaintools.com, for example)

Quote
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)

This shows that UAC is not completely turned off, right? But it has to be turned off completely so business programs work properly. No matter how this change appeared, I'm going to correct that.

Windows Firewall is because of the same reason as with UAC disabled. This is how it should be.     (Won't do anything)

The Firewall rules mostly look ok to me, but could you please try to explain me the reason (and what they do) of the following?


Quote
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe

*I got over the maximum length, so I'm going to break up the post.*
« Last Edit: November 09, 2017, 11:45:07 pm by Lobas »

Reply #13November 09, 2017, 11:42:15 pm

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #13 on: November 09, 2017, 11:42:15 pm »
*I got over the maximum length, so I'm going to break up the post.*


As with Recovery Points there isn't a problem, at least my opinion, or is there one?


 - Application Errors:

There is one "Application Error (Source Application Error)", in this case there is nothing someone could do, right?


Quote
Error: (10/26/2017 09:38:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: ROUTINE.EXE, Version: 17.3712.38814.9, Zeitstempel: 0x5952d945
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.23915, Zeitstempel: 0x59b94a16
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0002e927
ID des fehlerhaften Prozesses: 0x2070
Startzeit der fehlerhaften Anwendung: 0x01d34e2d0bf6ee75
Pfad der fehlerhaften Anwendung: C:\DOC2\PROG\WPROG\ROUTINE.EXE
Pfad des fehlerhaften Moduls: C:\Windows\SysWOW64\ntdll.dll
Berichtskennung: b3726f8b-ba20-11e7-ad7f-b083fe825cc6

Also there are 9 "Application Error (Source SideBySide)". Would it make sense to remove one of the components which are standing in conflict to eachother? And if yes, which one?

Just one example, instead of all:


Quote
Error: (10/26/2017 05:24:28 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.


- System Errors

About System Errors, there is nothing I could do, or? One example: (out of 10)


Quote
Error: (10/26/2017 04:36:00 PM) (Source: Disk) (EventID: 7) (User: )
Description: Fehlerhafter Block bei Gerät \Device\Harddisk1\DR1.

- CodeIntegrity

But here: Is there anything useful I could do about the CodeIntegrity Errors? Here one example out of 6:


Quote
Date: 2017-08-03 03:15:36.863
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume4\BackupAssist\Dasi\2017-05-31\C\Users\Praxis\AppData\Local\Mozilla\Firefox\Profiles\om96767o.default\cache2\entries\83D634E4804E1BCDDB9EA2FD836667365E09C75F" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.


My last question to this topic: If there are drives, marked with the word "Fixed", this is already done, right? So there is no more someone had to do?



*I got over the maximum length, so I'm going to break up the post.*

Questions about how to deal with and interpret RK PE Viewer results, I will put into an own post reply, just below.

Again, I'm sorry because I make so much circumstances and I hope you will help me with my problems still in the future, but also I would like to thank you at this point for all the help you gave until now!


Greetings so far


Lobas
« Last Edit: November 10, 2017, 12:02:40 am by Lobas »

Reply #14November 10, 2017, 12:01:03 am

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2580
  • Reputation:
    97
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #14 on: November 10, 2017, 12:01:03 am »
Hi Lobas,

Quote
HKLM\...\Run: [bg-info] => [X]          (Delete) (?)
This is an old entry, pointing to a deleted file. You can remove it if you want.

Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1
[...]Or is this just required to make the following three keys work?[...]
That's it.

Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
Removing, because they are just there to set not needed Default Start Pages and so are PUM's, right?
They are not PUM's. Microsoft.com and msn.com are legit sites.

Quote
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
These are also PUM's, which aren't needed, right?
This addon updates all Google software, it's not a PUP.

Quote
S0 wjtvys; kein ImagePath          (Delete, because broken, so no more advantage, ok?)
See my last answer.

Quote
- Created & Modified:[...]
Just unhiding, I know, not necessary at least, but also nothing that can make damage, am I right so?
These are legit files. You can unhide them, but it's not recommanded.

Quote
[...]I really, really don't have to worry about them, you telling me?
These are also legit files.

Quote
- Installed Programs:[...]
As with them just unhiding, (not absolutely necessary, but also not doing any wrong when performing this)
These are hidden by design.

Quote
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> Keine Datei
Removing, because broken, so no more advantage out of it. Right?
Yes, you can remove it.

Quote
- Scheduled Tasks:[...]
Just asking if they're really ok, because they have no company affiliation listed.[...]
They are all legit.

Quote
Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat ()
Farbar tutorial says, in this section are only listed suspicious or hijacked Shortcuts, along with WMI Malware.[...]
FRST cannot known you write it yourself, so being in the system32 directory, it considers it suspicious.

Quote
- Loaded Modules:[...]
[...]All of them look trustworthy at first, but is Hijacking conceiveable here?
They are trustworthy.

Quote
- Internet Explorer Restricted Sites:[...]
The restricted sites in IE, are they restricted for a special reason, or would it be ok to remove this attribute?
These sites are malicious so the are indeed restricted for a special reason.

Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
This one looks legit to me, right?     (Won't do anything)
Right.

Quote
DNS Servers: 192.168.2.1
Does not look like a hijacked DNS Server to me, or?     (Won't do anything)
It's your Internet gateway.

Quote
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
These allow incoming traffic on TCP ports for Microsoft Software Protection Platform Service

Quote
As with Recovery Points there isn't a problem, at least my opinion, or is there one?
No, there is not.

Quote
There is one "Application Error (Source Application Error)", in this case there is nothing someone could do, right?
Also there are 9 "Application Error (SideBySide)". Would it make sense to remove one of the components which are standing in conflict to eachother?
No, these errors are caused by an issue in the manifest file on an application you use (C:\DOC2\PROG\WPROG). Please contact the publisher for a fix.

Quote
About System Errors, there is nothing I could do,
Description: Fehlerhafter Block bei Gerät \Device\Harddisk1\DR1.
Nothing to worry about, this is not your main drive.

Quote
- CodeIntegrity[...]
It's a warning about some drivers not being signed, nothing suspicious.

Quote
If there are drives, marked with the word "Fixed", this is already done, right? So there is no more someone had to do?
This means that they are not removal drives.

Quote
Questions about how to deal and interpret with RK PE Viewer results]
This is not being used in disinfection and require good PE knownledge.

Regards.