Author Topic: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)  (Read 1795 times)

0 Members and 1 Guest are viewing this topic.

Reply #15November 10, 2017, 12:06:58 am

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #15 on: November 10, 2017, 12:06:58 am »
Hi, just got ready with the last modifications of my post, when I saw you already replied!

Thank you so far, at first I'm going to organize all this information and make a plan for me what to do next.

If there are questions or I will proceed with the PE Viewer results I will write again.

Thanks & Greetings

Reply #16November 10, 2017, 12:12:46 am

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2059
  • Reputation:
    76
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #16 on: November 10, 2017, 12:12:46 am »
Hi Lobas,

You are welcome.
Adlice PE Viewer is not used in malware removal process, don't bother with it.

Regards.

Reply #17November 10, 2017, 05:41:38 pm

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #17 on: November 10, 2017, 05:41:38 pm »
*I'm going to get to the maximal length, because of this and for the better clarity I'm going to split the post*

Hi,

I'm going to extend this post, but at the moment my only issue is:

Yesterday I made my first attempts with Fixlists for PCSRV.

The successes were mixed.

I will attach my Fixlogs. Just the CMD Fix you told me to do were functioning, this is also attached.

I hope you can help me with writing functioning Fixlists.


Quote
Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp

Removing, because they are just there to set not needed Default Start Pages and so are PUM's, right?

They are not PUM's. Microsoft.com and msn.com are legit sites.

Yes I kow these are legit sites, but Browser redirections, Default Start Pages and Default Search Scopes are things, my opinion is, they could be removed because I don't need them.

So, my opinion is removing them the next time, if the problem of the not already properly functioning Fixlists is fixed itself.


Quote
Quote
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)

These are also PUM's, which aren't needed, right?

This addon updates all Google software, it's not a PUP.

Yes, I also know, but are Google update Plugins really required in Firefox?


Quote
Quote
- Created & Modified:[...]

Just unhiding, I know, not necessary at least, but also nothing that can make damage, am I right so?

These are legit files. You can unhide them, but it's not recommanded.

Why it is not recommended? It won't make any damage and the security aspect is according to my opinion not mattering because I'm not going to make any damage to System components because I have sufficient knowledge for doing nothing into that direction.

Quote
Quote
- Installed Programs:[...]

As with them just unhiding, (not absolutely necessary, but also not doing any wrong when performing this)

These are hidden by design.


Yes, I know, but my opinion here is the same as with the hidden files & folders in the "Created & Modified" sections.



Quote
Quote
Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat ()

Farbar tutorial says, in this section are only listed suspicious or hijacked Shortcuts, along with WMI Malware.[...]

FRST cannot known you write it yourself, so being in the system32 directory, it considers it suspicious.

Yes I know, but it is right that the only reason FRST marks it as suspicious, because of it being in the System32 folder?
In this case, I won't do anything, or is it useful to just replace it with a absolutely sure clean copy?



Quote
Quote
- Internet Explorer Restricted Sites:[...]

The restricted sites in IE, are they restricted for a special reason, or would it be ok to remove this attribute?

These sites are malicious so the are indeed restricted for a special reason.

So I will let them alone, if this 7936 sites are really malicious.


Quote
Quote
DNS Servers: 192.168.2.1

Does not look like a hijacked DNS Server to me, or?     (Won't do anything)

It's your Internet gateway.

Yes but for example, I checked it with whois.domaintools.com, and found no hints for an Hijacking of this DNS Server.
I also did the same with:


Quote
Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1


Quote
There is one "Application Error (Source Application Error)", in this case there is nothing someone could do, right?

Also there are 9 "Application Error (SideBySide)". Would it make sense to remove one of the components which are standing in conflict to eachother?

No, these errors are caused by an issue in the manifest file on an application you use (C:\DOC2\PROG\WPROG). Please contact the publisher for a fix.

Yes with the
Quote
"Application Error (Source Application Error)"
, this one:
Quote
Error: (10/26/2017 09:38:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: ROUTINE.EXE, Version: 17.3712.38814.9, Zeitstempel: 0x5952d945
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.23915, Zeitstempel: 0x59b94a16
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0002e927
ID des fehlerhaften Prozesses: 0x2070
Startzeit der fehlerhaften Anwendung: 0x01d34e2d0bf6ee75
Pfad der fehlerhaften Anwendung: C:\DOC2\PROG\WPROG\ROUTINE.EXE
Pfad des fehlerhaften Moduls: C:\Windows\SysWOW64\ntdll.dll
Berichtskennung: b3726f8b-ba20-11e7-ad7f-b083fe825cc6

There is nothing I can do about, but



EDIT: I hope you can help me with my problem.

Regards Lobas

*I'm going to get to the maximal length, because of this and for the better clarity I'm going to split the post*
« Last Edit: November 10, 2017, 08:43:55 pm by Lobas »

Reply #18November 10, 2017, 08:24:13 pm

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #18 on: November 10, 2017, 08:24:13 pm »
*I'm going to get to the maximal length, because of this and for the better clarity I'm going to split the post*


with them: They are 9 not only the example I put in yesterday.


Quote
"Application Error (Source SideBySide)"

Quote
Error: (10/26/2017 05:24:28 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 01:18:22 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 07:54:46 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 04:54:24 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:34 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\ZUSATZ.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:34 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\ZIFRIS.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:32 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\VORGABE.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:29 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\STKMAIN.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:29 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\STAMMEN.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.


Wouldn't it here make sense to remove one of the conflicting components?
I wasn't really sure if your answer was for the "Application Error (Source Application Error)", or for the 9 "Application Errors (Source SideBySide)"
Should I here remove at each one component, or did you mean with this error I should better contact the support of the company the files


Quote
C:\doc2\prog\wprog\DOC.EXE
C:\DOC2\PROG\WPROG\ROUTINE.EXE
c:\doc2\prog\wprog\ZUSATZ.EXE
c:\doc2\prog\wprog\ZIFRIS.EXE
c:\doc2\prog\wprog\VORGABE.EXE
c:\doc2\prog\wprog\STKMAIN.EXE
c:\doc2\prog\wprog\STAMMEN.EXE

belong to a program they operate?



EDIT: I hope you can help me with my problem.

Regards Lobas

*Post is still in work, will remove this line when I have last modified this post.*
« Last Edit: November 10, 2017, 08:42:06 pm by Lobas »

Reply #19November 10, 2017, 11:57:57 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2059
  • Reputation:
    76
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #19 on: November 10, 2017, 11:57:57 pm »
Hi Lobas,

Quote
Yesterday I made my first attempts with Fixlists for PCSRV.
Your FixLists are not written correctly. There is a chance you wil break your system if you don't know what you are doing.

Quote
Just the CMD Fix you told me to do were functioning, this is also attached.
The service was succesfully deleted.

Quote
I hope you can help me with writing functioning Fixlists.
I do not write Fixlists when there is nothing to fix.

Quote
Default Start Pages and Default Search Scopes are things, my opinion is, they could be removed because I don't need them.
Starts Page and Search Scope must contain a value. You can change their values but not delete them.

Quote
Yes, I also know, but are Google update Plugins really required in Firefox?
No they are not required but will automatically be reinstalled when you install/update a Google software.

Quote
Why it is not recommended? [...]I'm not going to make any damage to System components
If that's the case, go ahead.

Quote
Yes, I know, but my opinion here is the same as with the hidden files & folders in the "Created & Modified" sections.
See my answer just above.

Quote
Yes I know, but it is right that the only reason FRST marks it as suspicious, because of it being in the System32 folder?
Yes.
Quote
Should I here remove at each one component, or did you mean with this error I should better contact the support of the company the files
You should contact the compagny for both error types

Quote
belong to a program they operate?
Yes, C:\doc2\prog\wprog.

Regards.

Reply #20November 11, 2017, 09:46:39 pm

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Re: Unknown infection (Encrypting, Damaging, Editing, Renaming Files)
« Reply #20 on: November 11, 2017, 09:46:39 pm »
Quote
Quote
- CodeIntegrity[...]

It's a warning about some drivers not being signed, nothing suspicious.

So I shall ignore this not digitally signed drivers?



So, at the moment I will switch to the other PC's and look on PCSRV again another time:

On the other PC's there seem to be more and partially also more urgent things to do.
So, at first, I'm going to concentrate on them


   ~  PC01:

     - Regisry:


Quote
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~$FO °LOST & FOUND°.rtf [2017-05-29] ()
BootExecute: autocheck autochk * Partizan


The first belongs to a group of files that are often infected by various malware.

The one in the middle, I don't know, if suspicious, maybe it's just such a copy generated in e.g. Local\AppData\Temp, I don't know

The last one belongs to the group of "Greatis Software/Partizan/UnHackMe" objects, which should clearly removed.


     - Hosts File:

The hosts file contains some malicious entries. But later we will see more about this topic.


Quote
Hosts: Es ist mehr als ein Eintrag in der Hosts Datei zu finden. Siehe Hosts-Bereich in Addition.txt


Are in this case both of them OK?

Why are in this case two objects on that list?

And why are they here named "DHCPNameServer" instead of just "NameServer" at PCSRV?

And why I had a long time ago a RogueKiller recognition named also "DhcpNameServer"?


Quote
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{68856CE8-6189-4083-B4AB-7252F866F3FC}: [DhcpNameServer] 192.168.2.1


Quote
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: (Avira SafeSearch Plus) - C:\Users\Stumpf\AppData\Roaming\Mozilla\Firefox\Profiles\xj2ez0p8.default\Extensions\safesearch@avira.com.xpi [2017-09-18]
FF Plugin: @microsoft.com/GENUINE -> disabled [Keine Datei]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [Keine Datei]
CHR Extension: (Avira Browserschutz) - C:\Users\Stumpf\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2017-06-19]
S3 Browser; C:\Windows\System32\browser.dll [136704 2012-07-05] (Microsoft Corporation) [Datei ist nicht signiert]
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [Datei ist nicht signiert]
R2 Schedule; C:\Windows\system32\schedsvc.dll [1110016 2015-08-05] (Microsoft Corporation) [Datei ist nicht signiert]
S4 AVKService; "C:\Program Files (x86)\G DATA\AntiVirus\AVK\AVKService.exe" [X]
S0 nmfmfx; kein ImagePath
S0 ovanvq; kein ImagePath
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2017-01-12] (Greatis Software)
U0 aswVmm; kein ImagePath
2017-01-16 19:26 - 2017-01-16 19:26 - 056816244 _____ () C:\Program Files (x86)\UnHackMe.rar
Dateien, die verschoben oder gelöscht werden sollten:
====================
C:\Users\Temp CON\install_flashplayer11x32_mssd_aih(1).exe
Amazon 1Button App (HKLM-x32\...\{4D875057-4353-4B8F-93E5-8C3DC7F34EA9}) (Version: 1.0.8 - Amazon) Hidden <==== ACHTUNG
ContextMenuHandlers1: [BitZipper32] -> {D5906221-A717-479B-9B49-CD848F9CE816} =>  -> Keine Datei
ContextMenuHandlers1: [BitZipper64] -> {9176020F-4A61-4F57-A133-258110EBC765} =>  -> Keine Datei
ContextMenuHandlers6: [BitZipper32] -> {D5906221-A717-479B-9B49-CD848F9CE816} =>  -> Keine Datei
ContextMenuHandlers6: [BitZipper64] -> {9176020F-4A61-4F57-A133-258110EBC765} =>  -> Keine Datei
Task: {AC5CFE36-BD49-4ECB-80FE-CC15B327D116} - \{D0BFC29C-0F57-453A-881A-7D38448ED39A} -> Keine Datei <==== ACHTUNG
Shortcut: C:\Users\Stumpf\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Eigene Websites auf MSN\target.lnk -> hxxp://de.msnusers.co

In Short:
 - There are objects with no target, no matter what kind of objects they are.
 - There are leftovers of Avira, which is uninstalled a long time ago. Avira Toolbars etc. are just annoying.
 - There are missing digital signatures.
 - There are Greatis Software/Partizan/UnHackMe objects which is uninstalled a long time ago, and it's leftovers should follow it.
 - There are objects, Farbar itself warns of.
 - There are objects Farbar instructs to delete.
 - There is one Shortcut Farbar marks as suspicious.















*Post is still in work, will remove this line when I have last modified this post.*
« Last Edit: November 12, 2017, 12:27:37 am by Lobas »