Show Posts

Messages - Lobas

1
Quote
Quote
- CodeIntegrity[...]

It's a warning about some drivers not being signed, nothing suspicious.

So I should ignore these drivers that are not digitally signed?



So, at the moment I will switch to the other PCs and look at PCSRV again another time:

On the other PCs there seem to be more, and partly also more urgent, things to do.
So, at first, I'm going to concentrate on them.


   ~  PC01:

     - Registry:


Quote
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~$FO °LOST & FOUND°.rtf [2017-05-29] ()
BootExecute: autocheck autochk * Partizan


The first belongs to a group of files that are often infected by various malware.

The one in the middle, I don't know if it is suspicious; maybe it's just such a copy generated in e.g. Local\AppData\Temp, I don't know.

The last one belongs to the group of "Greatis Software/Partizan/UnHackMe" objects, which should clearly be removed.


     - Hosts File:

The hosts file contains some malicious entries. But later we will see more about this topic.


Quote
Hosts: Es ist mehr als ein Eintrag in der Hosts Datei zu finden. Siehe Hosts-Bereich in Addition.txt


In this case, are both of them OK?

Why are there in this case two objects on that list?

And why are they named "DHCPNameServer" here instead of just "NameServer" as at PCSRV?

And why did I have, a long time ago, a RogueKiller detection also named "DhcpNameServer"?


Quote
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{68856CE8-6189-4083-B4AB-7252F866F3FC}: [DhcpNameServer] 192.168.2.1


Quote
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: (Avira SafeSearch Plus) - C:\Users\Stumpf\AppData\Roaming\Mozilla\Firefox\Profiles\xj2ez0p8.default\Extensions\safesearch@avira.com.xpi [2017-09-18]
FF Plugin: @microsoft.com/GENUINE -> disabled [Keine Datei]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [Keine Datei]
CHR Extension: (Avira Browserschutz) - C:\Users\Stumpf\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2017-06-19]
S3 Browser; C:\Windows\System32\browser.dll [136704 2012-07-05] (Microsoft Corporation) [Datei ist nicht signiert]
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [Datei ist nicht signiert]
R2 Schedule; C:\Windows\system32\schedsvc.dll [1110016 2015-08-05] (Microsoft Corporation) [Datei ist nicht signiert]
S4 AVKService; "C:\Program Files (x86)\G DATA\AntiVirus\AVK\AVKService.exe" [X]
S0 nmfmfx; kein ImagePath
S0 ovanvq; kein ImagePath
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2017-01-12] (Greatis Software)
U0 aswVmm; kein ImagePath
2017-01-16 19:26 - 2017-01-16 19:26 - 056816244 _____ () C:\Program Files (x86)\UnHackMe.rar
Dateien, die verschoben oder gelöscht werden sollten:
====================
C:\Users\Temp CON\install_flashplayer11x32_mssd_aih(1).exe
Amazon 1Button App (HKLM-x32\...\{4D875057-4353-4B8F-93E5-8C3DC7F34EA9}) (Version: 1.0.8 - Amazon) Hidden <==== ACHTUNG
ContextMenuHandlers1: [BitZipper32] -> {D5906221-A717-479B-9B49-CD848F9CE816} =>  -> Keine Datei
ContextMenuHandlers1: [BitZipper64] -> {9176020F-4A61-4F57-A133-258110EBC765} =>  -> Keine Datei
ContextMenuHandlers6: [BitZipper32] -> {D5906221-A717-479B-9B49-CD848F9CE816} =>  -> Keine Datei
ContextMenuHandlers6: [BitZipper64] -> {9176020F-4A61-4F57-A133-258110EBC765} =>  -> Keine Datei
Task: {AC5CFE36-BD49-4ECB-80FE-CC15B327D116} - \{D0BFC29C-0F57-453A-881A-7D38448ED39A} -> Keine Datei <==== ACHTUNG
Shortcut: C:\Users\Stumpf\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Eigene Websites auf MSN\target.lnk -> hxxp://de.msnusers.co

In Short:
 - There are objects with no target, no matter what kind of objects they are.
 - There are leftovers of Avira, which was uninstalled a long time ago. Avira toolbars etc. are just annoying.
 - There are missing digital signatures.
 - There are Greatis Software/Partizan/UnHackMe objects; the software was uninstalled a long time ago, and its leftovers should follow it.
 - There are objects Farbar itself warns of.
 - There are objects Farbar instructs to delete.
 - There is one shortcut Farbar marks as suspicious.

*Post is still in progress; I will remove this line when I have made the last modifications to this post.*

2
*I'm going to reach the maximum length; because of this, and for better clarity, I'm going to split the post.*


with them: there are 9 of them, not only the example I put in yesterday.


Quote
"Application Error (Source SideBySide)"

Quote
Error: (10/26/2017 05:24:28 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 01:18:22 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 07:54:46 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 04:54:24 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:34 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\ZUSATZ.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:34 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\ZIFRIS.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:32 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\VORGABE.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:29 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\STKMAIN.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:29 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\STAMMEN.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.


Wouldn't it make sense here to remove one of the conflicting components?
I wasn't really sure if your answer was for the "Application Error (Source Application Error)" or for the 9 "Application Errors (Source SideBySide)".
Should I remove one component for each of them here, or did you mean that with this error I should rather contact the support of the company the files


Quote
C:\doc2\prog\wprog\DOC.EXE
C:\DOC2\PROG\WPROG\ROUTINE.EXE
c:\doc2\prog\wprog\ZUSATZ.EXE
c:\doc2\prog\wprog\ZIFRIS.EXE
c:\doc2\prog\wprog\VORGABE.EXE
c:\doc2\prog\wprog\STKMAIN.EXE
c:\doc2\prog\wprog\STAMMEN.EXE

belong to, i.e. a program they operate?



EDIT: I hope you can help me with my problem.

Regards, Lobas

*Post is still in progress; I will remove this line when I have made the last modifications to this post.*

3
*I'm going to reach the maximum length; because of this, and for better clarity, I'm going to split the post.*

Hi,

I'm going to extend this post, but at the moment my only issue is:

Yesterday I made my first attempts with Fixlists for PCSRV.

The successes were mixed.

I will attach my Fixlogs. Only the CMD fix you told me to do worked; this is also attached.

I hope you can help me with writing functioning Fixlists.


Quote
Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp

Removing, because they are just there to set unneeded default start pages and so are PUMs, right?

They are not PUMs. Microsoft.com and msn.com are legit sites.

Yes, I know these are legit sites, but browser redirections, default start pages and default search scopes are things that, in my opinion, could be removed because I don't need them.

So, my opinion is to remove them next time, once the problem of the Fixlists not yet functioning properly is itself fixed.


Quote
Quote
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)

These are also PUMs, which aren't needed, right?

This add-on updates all Google software; it's not a PUP.

Yes, I know that too, but are Google Update plugins really required in Firefox?


Quote
Quote
- Created & Modified:[...]

Just unhiding; I know, not necessary at least, but also nothing that can do damage, am I right?

These are legit files. You can unhide them, but it's not recommended.

Why is it not recommended? It won't do any damage, and the security aspect, in my opinion, does not matter because I'm not going to do any damage to system components, as I have sufficient knowledge to do nothing in that direction.

Quote
Quote
- Installed Programs:[...]

As with them, just unhiding (not absolutely necessary, but also not doing any wrong when performing this).

These are hidden by design.


Yes, I know, but my opinion here is the same as with the hidden files & folders in the "Created & Modified" sections.



Quote
Quote
Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat ()

The Farbar tutorial says that in this section only suspicious or hijacked shortcuts are listed, along with WMI malware.[...]

FRST cannot know you wrote it yourself, so, it being in the system32 directory, it considers it suspicious.

Yes, I know, but is it right that the only reason FRST marks it as suspicious is that it is in the System32 folder?
In this case, I won't do anything, or is it useful to just replace it with an absolutely sure clean copy?



Quote
Quote
- Internet Explorer Restricted Sites:[...]

The restricted sites in IE, are they restricted for a special reason, or would it be ok to remove this attribute?

These sites are malicious, so they are indeed restricted for a special reason.

So I will leave them alone, if these 7936 sites are really malicious.


Quote
Quote
DNS Servers: 192.168.2.1

Does not look like a hijacked DNS server to me, does it? (Won't do anything)

It's your Internet gateway.

Yes, but for example, I checked it with whois.domaintools.com and found no hints of a hijacking of this DNS server.
I also did the same with:


Quote
Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1


Quote
There is one "Application Error (Source Application Error)"; in this case there is nothing anyone could do, right?

Also there are 9 "Application Error (SideBySide)". Would it make sense to remove one of the components which are in conflict with each other?

No, these errors are caused by an issue in the manifest file on an application you use (C:\DOC2\PROG\WPROG). Please contact the publisher for a fix.

Yes with the
Quote
"Application Error (Source Application Error)"
, this one:
Quote
Error: (10/26/2017 09:38:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: ROUTINE.EXE, Version: 17.3712.38814.9, Zeitstempel: 0x5952d945
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.23915, Zeitstempel: 0x59b94a16
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0002e927
ID des fehlerhaften Prozesses: 0x2070
Startzeit der fehlerhaften Anwendung: 0x01d34e2d0bf6ee75
Pfad der fehlerhaften Anwendung: C:\DOC2\PROG\WPROG\ROUTINE.EXE
Pfad des fehlerhaften Moduls: C:\Windows\SysWOW64\ntdll.dll
Berichtskennung: b3726f8b-ba20-11e7-ad7f-b083fe825cc6

There is nothing I can do about it, but



EDIT: I hope you can help me with my problem.

Regards, Lobas

*I'm going to reach the maximum length; because of this, and for better clarity, I'm going to split the post.*
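
As an added illustration (not part of Lobas's posts, the helper's replies or FRST itself): the triage done by hand in posts 1 and 3 sorts FRST lines into a few recurring buckets, such as services registered with no ImagePath, handlers and tasks pointing at "Keine Datei", binaries without a valid signature, "Hidden" installer components, lines FRST itself flags with "<==== ACHTUNG", and DNS server entries that are simply the LAN gateway. The Python script below does that sorting mechanically over a constructed sample shaped like the quoted excerpts. The regular expressions and bucket names are my own assumptions about the log format; a "dns-private" result only states that the address is an RFC 1918 one, and the buckets are a reading aid, not a verdict on any single entry.

```python
"""Bucket FRST (Farbar Recovery Scan Tool) log lines for triage.

Added example, not code from FRST or from the forum thread. The regular
expressions and bucket names are assumptions about the log format as it
appears in the quoted excerpts (German FRST build; English variants added).
"""
import ipaddress
import re
from collections import defaultdict

# FRST marker strings; the German build prints the second form of each pair.
NO_FILE = ("No File", "Keine Datei")
NO_IMAGE = ("no ImagePath", "kein ImagePath")
UNSIGNED = ("[File not signed]", "[Datei ist nicht signiert]")
FLAGGED = ("<==== ATTENTION", "<==== ACHTUNG")

# Service/driver entry: "<start type> <name>; <image path and details>"
SERVICE_RE = re.compile(r"^([SRU]\d) (\S+); (.*)$")
# DNS entry under Tcpip: "Tcpip\...: [DhcpNameServer] 192.168.2.1"
DNS_RE = re.compile(r"^Tcpip\\.*: \[(DhcpNameServer|NameServer)\] (.+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def classify(line: str) -> str:
    """Return the triage bucket for one FRST log line."""
    line = line.strip()
    if any(tag in line for tag in FLAGGED):
        return "frst-flagged"                 # FRST's own warning marker
    dns = DNS_RE.match(line)
    if dns:
        addrs = []
        for token in IPV4_RE.findall(dns.group(2)):
            try:
                addrs.append(ipaddress.ip_address(token))
            except ValueError:                # malformed address: look at it by hand
                return "dns-public-review"
        if addrs and all(a.is_private for a in addrs):
            return "dns-private"              # RFC 1918 address, i.e. the LAN router
        return "dns-public-review"            # public resolver: confirm it is the expected one
    svc = SERVICE_RE.match(line)
    if svc:
        detail = svc.group(3)
        if any(tag in detail for tag in NO_IMAGE):
            return "service-no-imagepath"     # registration left behind without a binary
        if detail.endswith("[X]"):
            return "service-missing-file"     # path recorded, file no longer present
        if any(tag in detail for tag in UNSIGNED):
            return "unsigned-file"            # binary present but the signature check failed
        return "service-ok"
    if any(tag in line for tag in NO_FILE):
        return "orphan-entry"                 # handler/task/plugin whose target is gone
    if line.endswith(" Hidden"):
        return "hidden-by-design"             # installer component FRST lists as hidden
    return "other"


def triage(lines):
    """Group non-empty lines by bucket: {bucket: [line, ...]}."""
    buckets = defaultdict(list)
    for raw in lines:
        if raw.strip():
            buckets[classify(raw)].append(raw.strip())
    return dict(buckets)


# Constructed sample in the shape of the quoted FRST excerpts (the all-zero GUID is a placeholder).
SAMPLE_LOG = r"""
S0 nmfmfx; kein ImagePath
S3 Browser; C:\Windows\System32\browser.dll [136704 2012-07-05] (Microsoft Corporation) [Datei ist nicht signiert]
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed]
S4 AVKService; "C:\Program Files (x86)\G DATA\AntiVirus\AVK\AVKService.exe" [X]
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2017-01-12] (Greatis Software)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000000}: [NameServer] 8.8.8.8
ContextMenuHandlers1: [BitZipper32] -> {D5906221-A717-479B-9B49-CD848F9CE816} =>  -> Keine Datei
Task: {AC5CFE36-BD49-4ECB-80FE-CC15B327D116} - \{D0BFC29C-0F57-453A-881A-7D38448ED39A} -> Keine Datei <==== ACHTUNG
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
"""

if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{bucket} ({len(items)})")
        for item in items:
            print("   ", item)
```

Run it as a script to see the buckets, or feed it the lines of a real FRST.txt/Addition.txt with `triage(open(path, encoding="utf-8").read().splitlines())`. Note that "service-ok" only means the entry has a binary that passed the signature check; whether a vendor's driver is a wanted product or a leftover (the Partizan case in post 1) is knowledge the script does not have.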

4
Hi, I had just finished the last modifications of my post when I saw you had already replied!

Thank you so far; first I'm going to organize all this information and make a plan for what to do next.

If there are questions, or when I proceed with the PE Viewer results, I will write again.

Thanks & Greetings

5
*I went over the maximum length, so I'm going to break up the post.*


As for Recovery Points, there isn't a problem, at least in my opinion, or is there one?


 - Application Errors:

There is one "Application Error (Source Application Error)"; in this case there is nothing anyone could do, right?


Quote
Error: (10/26/2017 09:38:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: ROUTINE.EXE, Version: 17.3712.38814.9, Zeitstempel: 0x5952d945
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.23915, Zeitstempel: 0x59b94a16
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0002e927
ID des fehlerhaften Prozesses: 0x2070
Startzeit der fehlerhaften Anwendung: 0x01d34e2d0bf6ee75
Pfad der fehlerhaften Anwendung: C:\DOC2\PROG\WPROG\ROUTINE.EXE
Pfad des fehlerhaften Moduls: C:\Windows\SysWOW64\ntdll.dll
Berichtskennung: b3726f8b-ba20-11e7-ad7f-b083fe825cc6

Also there are 9 "Application Error (Source SideBySide)". Would it make sense to remove one of the components which are in conflict with each other? And if yes, which one?

Just one example, instead of all:


Quote
Error: (10/26/2017 05:24:28 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.


- System Errors

About System Errors, there is nothing I could do, is there? One example (out of 10):


Quote
Error: (10/26/2017 04:36:00 PM) (Source: Disk) (EventID: 7) (User: )
Description: Fehlerhafter Block bei Gerät \Device\Harddisk1\DR1.

- CodeIntegrity

But here: is there anything useful I could do about the CodeIntegrity errors? Here is one example out of 6:


Quote
Date: 2017-08-03 03:15:36.863
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume4\BackupAssist\Dasi\2017-05-31\C\Users\Praxis\AppData\Local\Mozilla\Firefox\Profiles\om96767o.default\cache2\entries\83D634E4804E1BCDDB9EA2FD836667365E09C75F" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.


My last question on this topic: if there are drives marked with the word "Fixed", this is already done, right? So there is nothing more anyone has to do?



*I went over the maximum length, so I'm going to break up the post.*

Questions about how to deal with and interpret RK PE Viewer results I will put into a separate reply, just below.

Again, I'm sorry for causing so much trouble, and I hope you will still help me with my problems in the future, but I would also like to thank you at this point for all the help you have given until now!


Greetings so far


Lobas

6
Hi,

Sorry for my long absence. I had 4 holidays at work now.


So am I right with the following compilation of things to do at PCSRV because of the Farbar Scan?


- Registry:

Quote
HKLM\...\Run: [bg-info] => [X]

(Delete) (?)

Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1

If I remember right, this key can be set by malware, just as by AV programs, but you thought this is OK, right? Or is this just required to make the following three keys work? (I mean the ones you said are set by anti-ransomware modules (I'm not asking again about their legitimacy; my question is just about the one I put in above!))


 - Internet Explorer:


Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp

Removing, because they are just there to set unneeded default start pages and so are PUMs, right?


 - Mozilla Firefox:


Quote
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)

These are also PUMs, which aren't needed, right?


 - Drivers:


Quote
S0 wjtvys; kein ImagePath

(Delete, because it is broken, so of no more advantage, OK?)



 - Created & Modified:


Quote
2017-10-11 09:23 - 2017-09-13 17:27 - 000006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:27 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 17:08 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 16:46 - 000006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 16:46 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 16:46 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2017-10-11 09:23 - 2017-09-13 16:46 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2017-10-26 05:38 - 2009-07-14 06:45 - 000021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-10-26 05:38 - 2009-07-14 06:45 - 000021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-10-25 19:44 - 2017-08-02 17:30 - 000000000 __SHD C:\Users\praxis\IntelGraphicsProfiles
2017-10-25 19:40 - 2009-07-14 07:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-10-25 18:05 - 2017-08-02 22:26 - 000000000 __SHD C:\[Smad-Cage]

Just unhiding; I know, not necessary at least, but also nothing that can do damage, am I right?

*Sorry if I'm asking so many questions, or a few more than once, but with the following I want to be completely sure.*


Quote
2017-10-26 14:08 - 2017-10-26 14:08 - 000000030 _____ C:\Windows\DOCFEST.INI
2017-09-30 15:50 - 2017-07-03 16:10 - 000549281 _____ C:\Windows\SysWOW64\uninst.exe
2017-10-26 13:53 - 2017-08-03 02:59 - 000809226 _____ C:\Windows\system32\perfh007.dat
2017-10-26 13:53 - 2017-08-03 02:59 - 000185506 _____ C:\Windows\system32\perfc007.dat
2017-10-26 13:53 - 2009-07-14 07:13 - 001896188 _____ C:\Windows\system32\PerfStringBackup.INI
2017-10-23 17:46 - 2017-08-02 19:29 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-10-12 03:21 - 2009-07-14 06:45 - 000412120 _____ C:\Windows\system32\FNTCACHE.DAT
2017-10-12 03:02 - 2017-08-02 17:18 - 001869532 _____ C:\Windows\SysWOW64\PerfStringBackup.INI

I really, really don't have to worry about them, you're telling me? (I won't put them on the fixlist, or fix them some other way, if you can say that there is not the smallest probability of them being somehow suspicious!)

 - "Root Directorys", "TEMP folder" & "Bamital & Volsnap" sections:

As with the aforementioned sections, I still don't completely get the reasons, but if your last word is that there is no need to do anything, I will ignore it!


 - Installed Programs:



Quote
Berater (HKLM-x32\...\{72EB4F78-28CA-4813-BDCF-8062EFDEF34A}) (Version: 17.3.71 - I-Motion GmbH) Hidden
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Maxx Audio Installer (x64) (HKLM\...\{307032B2-6AF2-46D7-B933-62438DEB2B9A}) (Version: 1.6.5073.107 - Waves Audio Ltd.) Hidden
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8528.2139 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8528.2139 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8528.2139 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0407-0000-0000000FF1CE}) (Version: 16.0.8326.2107 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (HKLM\...\{202AAF1F-69AA-442A-B59F-6B54B1AD07C6}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (HKLM\...\{53CDFF43-1CE7-444B-AEBE-A5FB7B82511D}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM\...\{18B2A97C-92C3-4AC7-BE72-F823E0BC895B}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM\...\{26F35006-0545-4F78-90D8-C2FDF0028692}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM\...\{54FF8FAB-DE27-4187-82F1-EBAE6AEE869A}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM\...\{D4DF6EA6-4B7A-42B4-9C56-D8BC7D087F7A}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Management Studio (HKLM\...\{A7037EB2-F953-4B12-B843-195F4D988DA1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Management Studio (HKLM\...\{F9FDAEBA-9BFE-4FDD-BDEB-482A3F5316C8}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
Sql Server Customer Experience Improvement Program (HKLM\...\{BED1EA3D-592D-4305-9D1F-20F03726EFC1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden

As with them, just unhiding (not absolutely necessary, but also not doing any harm when performing this). Please correct me if I'm on the wrong path with that thinking.


 - Custom CLSID:


Quote
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> Keine Datei

Removing, because it's broken, so there's no more advantage from it. Right?


 - Scheduled Tasks:


Quote
Task: {477C4964-5D79-416B-A20C-A2C8DF520A00} - System32\Tasks\{71F1B1EC-F67F-4DF0-A6D4-F7ACDA42E115} => C:\Windows\system32\pcalua.exe -a C:\Users\praxis\Downloads\jxpiinstall.exe -d C:\Users\praxis\Downloads
Task: {5D93A44C-B6FE-4A29-B04E-9BD2E0771ECC} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
Task: {84801545-B73C-48CC-B5CD-B004A3B369D7} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
Task: {8D86F910-78AD-4DEE-95D1-1903E0AE4966} - System32\Tasks\{3FEC2A17-5EBD-46F2-8729-92CDCBB03DAD} => C:\Windows\system32\pcalua.exe -a "C:\Users\praxis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M30V4LAH\JavaSetup8u144.exe" -d C:\Users\praxis\Desktop

Just asking if they're really OK, because they have no company affiliation listed. I won't do anything to them if you tell me they're nevertheless legit.


 - Shortcuts & WMI:


Quote
Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat ()

The Farbar tutorial says that in this section only suspicious or hijacked shortcuts are listed, along with WMI malware.
I know I've written them myself and you already asked about this point, but one point I haven't mentioned before: >>on this PC there are more than one copy of (primarily) identical batch files and associated shortcuts.<< So why is just this exemplar listed here? At the moment I would clearly remove it, especially because it's no big thing to regain it from a (supposedly) clean copy of the same. Or is it maybe so that Farbar marks it as suspicious because it is in the Windows\System32 folder, where it normally doesn't belong? Against this possibility speaks that there are more such copies in System32, so I don't want to offend you or doubt your knowledge, but without a plausible explanation of how this got falsely into that list, I still have to believe there is something wrong.


 - Loaded Modules:


Quote
2017-07-06 10:27 - 2017-07-06 10:27 - 000515920 _____ () C:\Program Files (x86)\BackupAssist v10\NTFSTraverser.dll
2017-08-02 17:24 - 2015-09-23 10:25 - 000393320 _____ () C:\Windows\system32\igfxTray.exe
2017-08-02 19:05 - 2017-06-28 00:24 - 001434976 _____ () C:\doc2\prog\wprog\DOCWIN.dll
2017-08-02 19:05 - 2017-06-28 00:26 - 000099168 _____ () C:\doc2\prog\wprog\x.AltovaXML.dll
2017-08-02 19:05 - 2017-06-28 00:26 - 000108896 _____ () C:\doc2\prog\wprog\x.Altova.dll
2017-08-02 19:05 - 2017-06-27 22:50 - 005769216 _____ () C:\DOC2\PROG\WPROG\QtGui4.dll
2017-08-02 19:05 - 2017-06-27 22:49 - 001477632 _____ () C:\DOC2\PROG\WPROG\QtCore4.dll
2017-08-02 19:05 - 2017-06-28 00:27 - 000085344 _____ () C:\DOC2\PROG\WPROG\xPatientMessages.dll

The Farbar tutorial says the ones listed here haven't passed whitelisting. Should I be alarmed by this? All of them look trustworthy at first, but is hijacking conceivable here?


 - Internet Explorer Restricted Sites:

The restricted sites in IE, are they restricted for a special reason, or would it be ok to remove this attribute?


 - Other Areas:


Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

This one looks legit to me, right?     (Won't do anything)

Quote
DNS Servers: 192.168.2.1

Does not look like a hijacked DNS server to me, does it?     (Won't do anything) (checked with whois.domaintools.com, for example)

Quote
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)

This shows that UAC is not completely turned off, right? But it has to be turned off completely so business programs work properly. No matter how this change appeared, I'm going to correct that.

Windows Firewall is disabled for the same reason as UAC. This is how it should be.     (Won't do anything)

The firewall rules mostly look OK to me, but could you please try to explain to me the reason for the following rules (and what they do)?


Quote
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe

*I got over the maximum length, so I'm going to break up the post.*

7
Hi,

ok..

In the case of the process, I thought I had read somewhere that if no company name stands in front, that would be a warning signal.

EDIT: Would it be possible, that this process got hijacked?

As for the registry, there is then nothing to do either. The Startup items are mostly trusted, but I was wondering about their appearance on the list.

EDIT: OK, something better left alone. I'm trusting all of them, but from some of these items (below) I know how easily and how openly they get infected.

Quote
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
ShortcutTarget: hevos.lnk -> C:\Program Files (x86)\henova GmbH\hevos\Hevos.GUI.Client.exe (Henova GmbH)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]

In the case of the hosts file I will just believe you on that; the NameServer, dumb mistake..

EDIT: You mean the hosts file entries? Yes, I cannot remember seeing them in the log of PCSRV. Nevertheless, I didn't get why the hosts file is somewhere it doesn't belong?
Oh, OK, then better not to remove it. :D


Yes, various browser extensions, but I now took a deeper look, and things like Java or the Office plugins, yes, make sense, but isn't the rest at least useless? Or take a closer look at the first two elements in IE, hxxp?!

EDIT: Maybe I can deliver something like that; I don't know if you can make use of it.


Ok so far:

As for drivers, there is only this suspicious one:

Quote
S0 wjtvys; kein ImagePath

As for the 'Created' and 'Modified' Files/Folders, 1st: Does it make sense to unhide the hidden system files?
And is it right that an object should be checked if there's no company name and no attribute letter, especially when it's in the Windows folder?
That would match only a few:

Quote
C:\Windows\DOCFEST.INI
C:\Users\Public\Desktop\ESET Sicheres Online-Banking und Bezahlen.lnk
C:\Users\praxis\Desktop\smadav.1log.txt
C:\Users\praxis\Downloads\Lisa (1).pdf
C:\Users\praxis\Downloads\Lisa.pdf
C:\Windows\system32\Drivers\etc\hosts.20171023-194230.backup
C:\Windows\system32\administration.bat
C:\Windows\system32\Fehlerquellen beheben.bat
C:\Windows\system32\close.bat
C:\Windows\system32\auxiliary.bat
C:\Windows\SysWOW64\uninst.exe

And them:

Quote
C:\Windows\ZAM.krnl.trace
C:\Windows\ZAM_Guard.krnl.trace
C:\Windows\system32\perfh007.dat
C:\Windows\system32\perfc007.dat
C:\Windows\system32\PerfStringBackup.INI
C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk
C:\Windows\system32\Drivers\TrueSight.sys
C:\Windows\system32\FNTCACHE.DAT
C:\Windows\SysWOW64\PerfStringBackup.INI
C:\Users\Public\Desktop\x.servicecenter.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\x.comfort Word-Assistent.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\comfort.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\medatixx Fernservice.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk

Or, if we subtract the user-modified ones, this is what remains:

Quote
C:\Windows\DOCFEST.INI
C:\Windows\system32\Drivers\etc\hosts.20171023-194230.backup
C:\Windows\SysWOW64\uninst.exe
C:\Windows\ZAM.krnl.trace
C:\Windows\ZAM_Guard.krnl.trace
C:\Windows\system32\perfh007.dat
C:\Windows\system32\perfc007.dat
C:\Windows\system32\PerfStringBackup.INI
C:\Windows\system32\Drivers\TrueSight.sys
C:\Windows\system32\FNTCACHE.DAT
C:\Windows\SysWOW64\PerfStringBackup.INI

Then the Root Directory section: what does it mean when something is listed there?

Quote
2017-08-02 20:26 - 2017-08-02 20:26 - 000000779 _____ () C:\Users\praxis\AppData\Roaming\gdscan.log
2017-08-02 19:25 - 2017-08-02 19:25 - 000361646 _____ () C:\ProgramData\ds_update.log
2017-08-02 19:21 - 2017-08-02 19:21 - 000000132 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
2017-03-15 09:01 - 2017-03-15 09:01 - 000010272 _____ () C:\ProgramData\regid.2013-04.medatixx.de,softwareproduktion_85D1FE7C-C5B0-451C-9C29-234CAEA6DEBA.swidtag
2017-03-15 09:02 - 2017-03-15 09:02 - 000010268 _____ () C:\ProgramData\regid.2013-04.medatixx.de,softwareproduktion_DFCF6231-755B-44A8-87E4-A38B5FAFB29F.swidtag

I know the listed TEMP folder content does not have to be malware, but isn't it safer to delete it, or do I have any advantage from it?

Quote
2017-10-23 17:43 - 2017-09-13 17:31 - 001732864 _____ (Microsoft Corporation) C:\Users\praxis\AppData\Local\Temp\dllnt_dump.dll
2017-08-08 11:20 - 2017-08-08 11:20 - 000271872 ____N (Kohsuke Kawaguchi) C:\Users\praxis\AppData\Local\Temp\native-helpler-4037951261073866670-com4j-x86.dll

And, at last, I didn't really get what it is about the Bamital & Volsnap section..

Quote
==================== Bamital & volsnap ======================

(Es ist kein automatischer Fix für Dateien vorhanden, die an der Verifikation gescheitert sind.)

C:\Windows\system32\winlogon.exe => Datei ist digital signiert
C:\Windows\system32\wininit.exe => Datei ist digital signiert
C:\Windows\SysWOW64\wininit.exe => Datei ist digital signiert
C:\Windows\explorer.exe => Datei ist digital signiert
C:\Windows\SysWOW64\explorer.exe => Datei ist digital signiert
C:\Windows\system32\svchost.exe => Datei ist digital signiert
C:\Windows\SysWOW64\svchost.exe => Datei ist digital signiert
C:\Windows\system32\services.exe => Datei ist digital signiert
C:\Windows\system32\User32.dll => Datei ist digital signiert
C:\Windows\SysWOW64\User32.dll => Datei ist digital signiert
C:\Windows\system32\userinit.exe => Datei ist digital signiert
C:\Windows\SysWOW64\userinit.exe => Datei ist digital signiert
C:\Windows\system32\rpcss.dll => Datei ist digital signiert
C:\Windows\system32\dnsapi.dll => Datei ist digital signiert
C:\Windows\SysWOW64\dnsapi.dll => Datei ist digital signiert
C:\Windows\system32\Drivers\volsnap.sys => Datei ist digital signiert

I'm not leaning too far out of the window by saying that 'volsnap.sys' is kind of suspicious, am I?
Also, the two 'dnsapi.dll' detections, I think I've seen them in an example log of Farbar in this section.
Or did all of them fail verification?

It gets more and more complicated, but I still have more possibilities; the problem finally has to be somewhere.
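The rule discussed in this post (no company name, and the file sits in the Windows folder) can be applied mechanically to FRST's Files/Folders lines. The script below is an added example of mine, not code from the thread or from FRST. The caveat a reviewer would add: an absent company string only means the file carries no CompanyName version resource, which is normal for data files such as .dat or .INI and is not the same as "unsigned", so the rule is restricted to executable types here. Sample lines are copied from the log excerpts quoted in this thread; the review heuristics, the attribute-letter interpretation (H hidden, S system, D directory) and the extension list are my own assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# FRST "Files/Folders" line layout (as quoted in the thread):
#   <created> - <modified> - <size> <attrs> [(Company)] <path>
# The company part is absent or "()" when the file carries no CompanyName
# version resource; that is NOT the same thing as "unsigned".
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+?)\s*$"
)

# Sample input, copied from the log excerpts quoted in this thread.
SAMPLE_LOG = r"""
2017-10-25 18:05 - 2017-08-02 22:26 - 000000000 __SHD C:\[Smad-Cage]
2017-10-26 14:08 - 2017-10-26 14:08 - 000000030 _____ C:\Windows\DOCFEST.INI
2017-09-30 15:50 - 2017-07-03 16:10 - 000549281 _____ C:\Windows\SysWOW64\uninst.exe
2017-10-26 13:53 - 2017-08-03 02:59 - 000809226 _____ C:\Windows\system32\perfh007.dat
2017-10-23 17:46 - 2017-08-02 19:29 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-10-23 17:43 - 2017-09-13 17:31 - 001732864 _____ (Microsoft Corporation) C:\Users\praxis\AppData\Local\Temp\dllnt_dump.dll
2017-08-02 17:24 - 2015-09-23 10:25 - 000393320 _____ () C:\Windows\system32\igfxTray.exe
"""

# File types that actually execute code; data files (.dat, .INI, .log) never
# carry a company string, so they are excluded from the "no company" rule.
# This list is my assumption, not something FRST defines.
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".com"}


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str      # FRST attribute letters; assumed here: H hidden, S system, D directory
    company: str    # "" when FRST printed nothing or "()"
    path: str


def parse_frst_files(text: str) -> List[FileEntry]:
    """Parse FRST Files/Folders lines; lines in any other layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(FileEntry(
            created=m["created"], modified=m["modified"], size=int(m["size"]),
            attrs=m["attrs"], company=(m["company"] or "").strip(), path=m["path"],
        ))
    return entries


def triage(entries: List[FileEntry]) -> List[Tuple[str, str]]:
    """Apply simple review heuristics (my own assumptions, not FRST's whitelist)."""
    findings = []
    for e in entries:
        p = PureWindowsPath(e.path)
        parts = [s.lower() for s in p.parts]          # parts[0] is the drive, e.g. 'c:\\'
        is_exec = p.suffix.lower() in EXECUTABLE_EXT
        in_windows = len(parts) > 1 and parts[1] == "windows"
        in_temp = "temp" in parts
        is_dir = "D" in e.attrs
        hidden = "H" in e.attrs or "S" in e.attrs

        if is_dir and hidden and len(parts) == 2:
            findings.append((e.path, "hidden/system directory at the volume root; identify which tool created it"))
        if is_exec and in_windows and not e.company:
            findings.append((e.path, "executable under Windows without a company string; verify its Authenticode signature and hash"))
        if is_exec and in_temp:
            findings.append((e.path, "executable in a Temp folder; confirm which installer or tool dropped it"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_frst_files(SAMPLE_LOG)):
        print(f"{path}\n    -> {reason}")
```

Run as-is it lists the root quarantine folder, the two company-less executables under Windows, the tray executable printed with "()" and the DLL in Temp, and leaves the .INI and .dat files alone; a listed item is a prompt to check the file's signature and origin, not a verdict.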

8
OK, let's start with PCSRV. Its disinfection is the most urgent.

As said, please correct me if I'm thinking wrong, complete what I'm trying to address and help me if I'm just asking questions against the background of limited knowledge! I would be very pleased if you could manage to support me in trying to get to the problem, starting somewhere.  :)

Processes:

Is it right to do nothing at this point, or should the following process maybe be kicked? Or are there potential signs of bad processes I completely failed to recognize?
Quote
- () C:\Windows\System32\igfxTray.exe



Registry:

I'm somewhat irritated by the following objects. Should they be deleted?
Quote

 - HKLM\...\Run: [bg-info] => [X]
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe


Next, these objects should(!) all be legit, but why are they getting onto that list? Also, they would not be uncommon places for infection (Startup/boot sectors, shortcuts & .bat, .vbs & .exe files).
Should I still trust them, like I did until now, (prophylactically) remove them, or just keep watching them?
Quote


Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\hevos.lnk [2017-08-08]
ShortcutTarget: hevos.lnk -> C:\Program Files (x86)\henova GmbH\hevos\Hevos.GUI.Client.exe (Henova GmbH)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]
ShortcutTarget: NetScaler Gateway.lnk -> C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
Startup: C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2017-08-18]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)


Internet:


1st: Why the hell is the hosts file not in its normal folder? How can something like that happen? A problem I never heard of before, but IMO, that sounds alarming.

2nd: This object should be removed immediately, is that correct? I'm remembering stuff like DHCPNameServers as very dangerous.

Quote
Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1

3rd: Browsers:

The following stuff is hanging in IE, FF & Chrome.
It wouldn't be a mistake to wipe out this junk, would it?

Quote
Internet Explorer:
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
 - BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-10-19] (Microsoft Corporation)
 - BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\ssv.dll [2017-08-08] (Oracle Corporation)
 - BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-08-08] (Oracle Corporation)
 - Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)

Mozilla Firefox:
 - FF DefaultProfile: 1u3d5r8x.default
 - FF ProfilePath: C:\Users\praxis\AppData\Roaming\Mozilla\Firefox\Profiles\1u3d5r8x.default [2017-10-26]
 - FF Plugin: @Citrix.com/npagee64,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @Citrix.com/npagee,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-10-19] (Microsoft Corporation)
 - FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-08-01] (Adobe Systems Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)

Google Chrome:
 - CHR Profile: C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default [2017-10-26]
 - CHR Extension: (Präsentationen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-16]
 - CHR Extension: (Docs) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-16]
 - CHR Extension: (Google Drive) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-08-02]
 - CHR Extension: (YouTube) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-08-02]
 - CHR Extension: (Tabellen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-16]
 - CHR Extension: (Google Docs Offline) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-08-02]
 - CHR Extension: (Chrome Web Store-Zahlungen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-10]
 - CHR Extension: (Google Mail) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-08-02]
 - CHR Extension: (Chrome Media Router) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-10-10]

Quote
For the possibility that this thread is no longer viewed, I will open up a new one with a more concrete description, the type of help asked for and more other sysinfo including potential other (non-Farbar) logs. At first the two threads can, viewed from my point of action, co-exist for a certain time. If the time comes that a Mod wants to see everything in one, no problem, too. Just explaining why I am doing this.
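For the Startup and NameServer questions in this post, here is an added example of mine (not the thread's or FRST's code) that pairs each Startup: line with its ShortcutTarget: line, flags targets that are scripts, carry no publisher string or live outside the program directories, and classifies every listed DNS server by address range. DhcpNameServer is the value the DHCP client writes from the lease, NameServer the statically configured one; a private (RFC 1918) address such as the router is the normal case on a LAN, while a public one deserves a look at who operates it. The first five sample lines are copied from this post's FRST excerpt; the last one is a constructed contrast case using a well-known public resolver address that does not appear in the thread's logs. The heuristics are my own assumptions.

```python
import ipaddress
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# FRST line layouts handled here (as quoted in the post above):
#   Startup: <path to .lnk> [<date>]
#   ShortcutTarget: <lnk name> -> <target path> (<publisher>)
#   Tcpip\..\Interfaces\{GUID}: [NameServer] <ip>      static DNS on one adapter
#   Tcpip\Parameters: [DhcpNameServer] <ip>            DNS learned from the DHCP lease
STARTUP_RE = re.compile(r"^Startup: (?P<lnk>.+\.lnk) \[(?P<date>\d{4}-\d{2}-\d{2})\]$")
TARGET_RE = re.compile(r"^ShortcutTarget: (?P<lnk>.+\.lnk) -> (?P<target>.+?) \((?P<publisher>[^)]*)\)$")
NS_RE = re.compile(r"^Tcpip\\(?:\.\.\\)?(?P<where>.+?): \[(?P<key>DhcpNameServer|NameServer)\] (?P<servers>.+)$")

# Constructed sample: first five lines copied from the post's FRST excerpt,
# last line a contrast case with a public resolver (not from the thread).
SAMPLE = r"""
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]
ShortcutTarget: NetScaler Gateway.lnk -> C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8
"""

SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}          # my assumption
PROGRAM_DIRS = {"program files", "program files (x86)", "windows"}   # my assumption


def parse_startup_items(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (lnk name, startup date, target path, publisher) for each shortcut."""
    dates: Dict[str, str] = {}
    items = []
    for line in text.splitlines():
        line = line.strip()
        m = STARTUP_RE.match(line)
        if m:
            dates[PureWindowsPath(m["lnk"]).name] = m["date"]
            continue
        m = TARGET_RE.match(line)
        if m:
            items.append((m["lnk"], dates.get(m["lnk"], ""), m["target"], m["publisher"].strip()))
    return items


def triage_startup(items: List[Tuple[str, str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Flag startup targets worth reading before deciding to keep them (my heuristics)."""
    findings = []
    for _lnk, _date, target, publisher in items:
        p = PureWindowsPath(target)
        top = p.parts[1].lower() if len(p.parts) > 1 else ""
        reasons = []
        if p.suffix.lower() in SCRIPT_EXT:
            reasons.append("script file launched at logon; read its contents")
        if not publisher:
            reasons.append("no publisher string")
        if top not in PROGRAM_DIRS:
            reasons.append("target outside Program Files/Windows")
        if reasons:
            findings.append((target, reasons))
    return findings


def classify_nameservers(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (registry location, value name, address, category) for each DNS server."""
    out = []
    for line in text.splitlines():
        m = NS_RE.match(line.strip())
        if not m:
            continue
        for server in re.split(r"[,\s]+", m["servers"].strip()):
            ip = ipaddress.ip_address(server)
            if ip.is_loopback:
                category = "loopback"
            elif ip.is_private:
                category = "private"      # RFC 1918 space, typically the LAN router
            else:
                category = "public"       # find out who operates it before trusting it
            out.append((m["where"], m["key"], server, category))
    return out


if __name__ == "__main__":
    for target, reasons in triage_startup(parse_startup_items(SAMPLE)):
        print(target, "->", "; ".join(reasons))
    for where, key, server, category in classify_nameservers(SAMPLE):
        print(f"{where} [{key}] {server}: {category}")
```

On the sample, only the login.bat shortcut is flagged (all three reasons), the signed Citrix client is not, and 192.168.2.1 comes out as a private LAN address while the constructed 8.8.8.8 line comes out as public.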

9
Quote
The relevant information comes in the first reply; here a general overview!


Here, very briefly, is still the explanation. Finally, I have to put it SOMEWHERE! ;)


Quote
For the possibility that this thread is no longer viewed, I will open up a new one with a more concrete description, the type of help asked for and more other sysinfo including potential other (non-Farbar) logs. At first the two threads can, viewed from my point of action, co-exist for a certain time. If the time comes that a Mod wants to see everything in one, no problem, too. Just explaining why I am doing this.

Hello,

I'm Lobas and I've got a heavy problem. I've already been looking for help here for a while. Everything linked to the topic I will put here too, for better clarity.

There is also an explanation of why a new post now.

This was my first query.

Quote
Hello,
 
we are having an unknown infection on 7 of 8 computers in our company.
 
I couldn't find much using various AV Programs and Tools.
 
Looking closer at approximately 50 infected files with Adlice RK PE Viewer let me see that most of them have sandboxes, anti-debugging scanner / debugging blocker and stuff like that to protect themselves and hide from AV.
 
At least since the beginning of this infection (last Thursday), concrete objects found by AV: (all PCs together)
 
G DATA found 6 PSW-Tools and 3 OCS-Tools
ESET found 3 PSW-Tools
RogueKiller found 14 PUM's and 2 Rootkit IAT:Addr(Hook.IEAT)
 
The 8th computer was off and not in the local intranet at the time of the infection, so it stayed clean. We won't put it back in the network until the other PCs are cleaned.
 
Concrete symptoms are: some files are encrypted (new extensions like .crypt, .crypto, .crypted, .encrypted and so on, which aren't possible to open), some files are just renamed or the extension was changed to another normal file type. Some files are damaged, which causes programs to hang often and crash. Some files were just edited a short time ago, which has no visible effect.
 
At least some programs are completely not working anymore, and on 3 PCs there is until now no ability to connect to the Internet.
 
In the hope that someone here can help me, I did scans with Farbar Recovery Scan Tool on the 7 infected PCs.
 

I hope someone here is able to help me with my problem!

PC Names:

 - PCSRV (Main PC)
 - PC01 (Secondary PC)
 - PC201701 ('DESKTOP-NO388OR') (Tertiary PC)
 - PC05 (Tertiary PC)
 - STUMPF-HP (Notebook)
 - NETBOOK (Notebook)
 - TVW-TC-1671 (Auxiliary PC)

 - STUMPF-PC (Notebook) (not affected by the infection, so no Farbar scan)
 - SMARTBOOK (Android tablet, only non-Windows business device) (not affected by the infection)
 
Greetings Lobas

The next is a bit of communication about the problem with an experienced user.

Quote
Hi Lobas,

Could you please attach G-DATA, ESET and RogueKiller reports of the first computer with your next reply ?
Please also attach some of the crypted files (at least one .crypt and one with a "normal" extension type file).

Do you know the following files ?
Code:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()

Regards.
« Last Edit: October 31, 2017, 04:50:27 pm by Curson »


Hi,
am I right that you only want logs with catches, or isn't that the point?

Yes, if I find one I will, but it feels like they are already getting fewer for no known reason.

Yes, these files are batches I wrote myself to log the computer on to the network drives and to automatically wipe out the most common sources of application errors in the company's main work program.

Hi Lobas,

Quote
am I right that you only want logs with catches, or isn't that the point?

Yes, you are perfectly right.

Quote
Yes, if I find one I will, but it feels like they are already getting fewer for no known reason.

Without an encrypted file, it will be difficult to accurately determine the type of the infection.
Was a ransom demand present with the encrypted files ?

Quote
Yes, these files are batches I wrote myself to log the computer[...]

Thanks for the confirmation.

Regards.

No, until now no demand was seen.

Attached are two logs of PCSRV I found: the Smadav log from 25th October and ClamWinPortable (screenshot of catches) from 30th October.

EDIT: From the ESET logs I can only give partial screenshots. Attached are the first 3 logs of 26th/27th October.

Hi Lobas,

Neither ClamAV nor ESET detected a ransomware.
At this point, I think that your files have been corrupted by something non-malware related, so there is little I can do to help you.

Regards.

Let's put in a break here!


Because that's the point where I recognized I'm not providing enough information that somebody can properly work with.
That's also the reason why I insisted so much with the user who was intending to leave my topic behind. This insistence, as said, is of course open to everybody who has the ability, the time and is up for helping me!


From now on I plan to go at the problem another way!


Quote
Maybe Ransom-/Crypto-/Doxware plays a role in this, maybe a smaller one. But it's completely clear that a heavy malware infection is taking place.

For this I can give you more concrete facts.

I will try to deliver as much as possible of useful information.

First, please let's stay with the Farbar logs. Still looking mostly at PCSRV (also because the 5 holidays are now over and today normal business is starting again. PCSRV plays a central role for the proper working of the network and all attached devices. Furthermore, PCSRV is one of the PCs that has had no working Internet connection since the beginning of the infection. That's a big problem looking forward to normal work being possible again.)

Under the given circumstances I am pleading with you, Curson, and surely any other person who may be able to provide any form of help, to please stay on this topic and try to help / find solutions / correct & complete my proposals for what to do next.

Please just stand by.

Thanks.

'I will start to ask concrete questions about Farbar and how to deal with it starting in the next post.'

Some talking of mine again, but now the interesting part begins!
+Looking for help in doing the disinfection of our network alone with the information provided by Farbar, and at some points requesting help here in the forum+


Quote
The relevant information comes in the first reply; here a general overview!


Quote
For the possibility that this thread is no longer viewed, I will open up a new one with a more concrete description, the type of help asked for and more other sysinfo including potential other (non-Farbar) logs. At first the two threads can, viewed from my point of action, co-exist for a certain time. If the time comes that a Mod wants to see everything in one, no problem, too. Just explaining why I am doing this.

The Farbar logs are in the same sequence as the PCs in the table "PC Names" somewhere above. Alternatively, the computer name is already written in the heading of each log.

10
OK, let's start with PCSRV. Its disinfection is the most urgent.

As said, please correct me if I'm thinking wrong, complete what I'm trying to address and help me if I'm just asking questions against the background of limited knowledge! I would be very pleased if you could manage to support me in trying to get to the problem, starting somewhere.  :)

Processes:

Is it right to do nothing at this point, or should the following process maybe be kicked? Or are there potential signs of bad processes I completely failed to recognize?
Quote
- () C:\Windows\System32\igfxTray.exe



Registry:

I'm somewhat irritated by the following objects. Should they be deleted?
Quote

 - HKLM\...\Run: [bg-info] => [X]
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe


Next, these objects should(!) all be legit, but why are they getting onto that list? Also, they would not be uncommon places for infection (Startup/boot sectors, shortcuts & .bat, .vbs & .exe files).
Should I still trust them, like I did until now, (prophylactically) remove them, or just keep watching them?
Quote


Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\hevos.lnk [2017-08-08]
ShortcutTarget: hevos.lnk -> C:\Program Files (x86)\henova GmbH\hevos\Hevos.GUI.Client.exe (Henova GmbH)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]
ShortcutTarget: NetScaler Gateway.lnk -> C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
Startup: C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2017-08-18]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)


Internet:


1st: Why the hell is the hosts file not in its normal folder? How can something like that happen? A problem I never heard of before, but IMO, that looks alarming.

2nd: This object should be removed immediately, is that correct? I'm remembering stuff like DHCPNameServers as very dangerous.

Quote
Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1

3rd: Browsers:

The following stuff is hanging in IE, FF & Chrome.
It wouldn't be a mistake to wipe out this junk, would it?

Quote
Internet Explorer:
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
 - BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-10-19] (Microsoft Corporation)
 - BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\ssv.dll [2017-08-08] (Oracle Corporation)
 - BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-08-08] (Oracle Corporation)
 - Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)

Mozilla Firefox:
 - FF DefaultProfile: 1u3d5r8x.default
 - FF ProfilePath: C:\Users\praxis\AppData\Roaming\Mozilla\Firefox\Profiles\1u3d5r8x.default [2017-10-26]
 - FF Plugin: @Citrix.com/npagee64,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @Citrix.com/npagee,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-10-19] (Microsoft Corporation)
 - FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-08-01] (Adobe Systems Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)

Google Chrome:
 - CHR Profile: C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default [2017-10-26]
 - CHR Extension: (Präsentationen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-16]
 - CHR Extension: (Docs) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-16]
 - CHR Extension: (Google Drive) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-08-02]
 - CHR Extension: (YouTube) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-08-02]
 - CHR Extension: (Tabellen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-16]
 - CHR Extension: (Google Docs Offline) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-08-02]
 - CHR Extension: (Chrome Web Store-Zahlungen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-10]
 - CHR Extension: (Google Mail) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-08-02]
 - CHR Extension: (Chrome Media Router) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-10-10]

Quote
In case this thread is no longer being viewed, I will open up a new one with a more concrete description, the type of help asked for and more other sysinfo, including potential other (non-Farbar) logs. At first the two threads can, from my point of view, co-exist for a certain time. If the time comes that a Mod wants to see everything in one, no problem, too. Just explaining why I am doing this.
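
The startup-shortcut and NameServer questions in this post are the kind of thing a small triage script can pre-sort before a human decides. The following Python is an added example, not code from the original post and not part of FRST; it parses FRST-style lines (the sample is constructed from the log excerpts quoted above) and flags shortcut targets with no publisher name, targets that are script files, targets outside the Windows/Program Files trees, and DNS servers outside private address space. The flag names, the script-extension list and the "trusted roots" list are my own assumptions, not FRST's. A flag is a reason to look, not a verdict: the two flagged .bat files here are ones the poster says he wrote himself, and the DisallowRun entries are a policy that blocks the named executables, which the admin has to confirm was set intentionally.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed sample: FRST-style lines copied from the log excerpts quoted in
# the post (Startup shortcuts with their resolved targets and publisher name in
# parentheses, the Tcpip DNS entries and one Explorer DisallowRun policy line).
SAMPLE_LOG = r"""
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\hevos.lnk [2017-08-08]
ShortcutTarget: hevos.lnk -> C:\Program Files (x86)\henova GmbH\hevos\Hevos.GUI.Client.exe (Henova GmbH)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]
ShortcutTarget: NetScaler Gateway.lnk -> C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
"""

# Line shapes as FRST prints them: "ShortcutTarget: <lnk> -> <target> (<publisher>)",
# "<key>: [NameServer] <ip> [<ip> ...]" and "<key>\DisallowRun: [n] <exe>".
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<lnk>.+?) -> (?P<target>.+) \((?P<publisher>[^()]*)\)$")
NAMESERVER_RE = re.compile(r"\[(?P<key>(?:Dhcp)?NameServer)\] (?P<value>.+)$")
DISALLOWRUN_RE = re.compile(r"\\DisallowRun: \[\d+\] (?P<exe>\S+)$")

# Assumed triage rules (my choices, not FRST's): script interpreters as startup
# targets and targets outside the OS/Program Files trees deserve a closer look.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".hta"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def triage_shortcut(line):
    """Parse a ShortcutTarget line and return it with a list of triage flags."""
    m = SHORTCUT_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    publisher = m.group("publisher").strip()
    flags = []
    if not publisher:
        # Empty "()" means the target carries no publisher/company name; a
        # batch file never has one, so this flag is expected for .bat targets.
        flags.append("no-publisher")
    if PureWindowsPath(target).suffix.lower() in SCRIPT_EXTS:
        flags.append("script-target")
    if not target.lower().startswith(TRUSTED_ROOTS):
        flags.append("user-writable-location")
    return {"lnk": m.group("lnk"), "target": target, "publisher": publisher, "flags": flags}


def triage_nameserver(line):
    """Parse a [NameServer]/[DhcpNameServer] line; flag servers outside private space."""
    m = NAMESERVER_RE.search(line)
    if not m:
        return None
    servers = m.group("value").split()
    flags = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flags.append("unparseable:" + s)
            continue
        if not ip.is_private:
            # A resolver outside the LAN should be checked against the ISP's
            # known resolvers; DNS hijacking works by planting one here.
            flags.append("public-dns:" + s)
    return {"key": m.group("key"), "servers": servers, "flags": flags}


def triage_disallowrun(line):
    """Report an Explorer DisallowRun entry (a policy that blocks the named exe)."""
    m = DISALLOWRUN_RE.search(line)
    if not m:
        return None
    return {"blocked": m.group("exe"), "flags": ["explorer-disallowrun"]}


def triage_log(text):
    """Run every parser over each non-empty line; return the parsed entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()  # drop FRST's " - " list prefix
        if not line:
            continue
        for parser in (triage_shortcut, triage_nameserver, triage_disallowrun):
            hit = parser(line)
            if hit is not None:
                hit["line"] = line
                findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        if f["flags"]:
            print(", ".join(f["flags"]), "<-", f["line"])
```

Run against a full FRST.txt the same way (`triage_log(open(path, encoding="utf-8").read())`); entries with an empty flag list are the ones that match a publisher-named binary under a system tree and a private-range resolver, which is what the hevos, NetScaler and OneNote shortcuts in this post look like.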

11
First, please let's stay with the Farbar logs. I'm still looking mostly at PCSRV (also because the 5 holidays are now over and today normal business is starting again. PCSRV plays a central role in the proper working of the network and all attached devices. Furthermore, PCSRV is one of the PCs that since the beginning of the infection has had no working Internet connection anymore. That's a big problem, looking forward to when normal work should be possible again.)

Under the given circumstances I am pleading with you, Curson, and surely any other person who may be able to provide any form of help, to please stay with this topic and try to help / find solutions / correct & complete my proposals for what to do next.

Please just stand by.

Thanks.

'I will start asking concrete questions about Farbar and how to deal with it in the next post.'

12
Maybe Ransom-/Crypto-/Doxware plays a role in this, maybe a smaller one. But it's completely clear that a heavy malware infection is taking place.

For this I can give you more concrete facts.

I will try to deliver as much as possible of useful information.

13
No, until now no demand has been seen.

Attached are two logs of PCSRV I found: a Smadav log from 25th October and a ClamWinPortable screenshot of catches from 30th October.

EDIT: From the ESET logs I can only give partial screenshots. Attached are the first 3 logs of 26th/27th October.

14
Hi,
am I right that you only want logs with catches, or isn't that the point?

Yes, if I find one I will, but it feels like they are already getting fewer for no known reason.

Yes, these files are batches I wrote myself to log the computer on to the network drives and to automatically wipe out the most common sources of application errors in the company's main work program.

15
Hello,
 
we have an unknown infection on 7 of 8 computers in our company.
 
I couldn't find much using various AV Programs and Tools.
 
Looking closer at approximately 50 infected files with the Adlice RK PE Viewer let me see that most of them have sandboxes, anti-debugging scanners / debugging blockers and stuff like that to protect themselves and hide from AV.
 
Concrete objects found by AV at least since the beginning of this infection (last Thursday) (all PCs together):
 
G DATA found 6 PSW-Tools and 3 OCS-Tools
ESET found 3 PSW-Tools
RogueKiller found 14 PUMs and 2 Rootkit IAT:Addr(Hook.IEAT)
 
The 8th computer was off and not connected to the local intranet at the time of the infection, so it stayed clean. We won't put it back in the network until the other PCs are cleaned.
 
Concrete symptoms are: Some files are encrypted (new extensions like .crypt, .crypto, .crypted, .encrypted and so on, which can't be opened), some files are just renamed or the extension was changed to another normal file type. Some files are damaged, which causes programs to hang often and crash. Some files were just edited a short time ago, which has no visible effect.
 
Lastly, some programs are not working anymore at all, and on 3 PCs there is until now no ability to connect to the Internet.
 
In the hope that someone here can help me, I did scans with Farbar Recovery Scan Tool on the 7 infected PCs.
 

I hope someone here is able to help me with my problem!

PC Names:

 - PCSRV (Main PC)
 - PC01 (Secondary PC)
 - PC201701 ('DESKTOP-NO388OR') (Tertiary PC)
 - PC05 (Tertiary PC)
 - STUMPF-HP (Notebook)
 - NETBOOK (Notebook)
 - TVW-TC-1671 (Auxiliary PC)

 - STUMPF-PC (Notebook) (not affected by the infection, so no Farbar scan)
 - SMARTBOOK (Android tablet, only non-Windows business device) (not affected by the infection)
 
Greetings Lobas
