Unknown infection (Encrypting, Damaging, Editing, Renaming Files)

[Lobas]

Hi, just got ready with the last modifications of my post, when I saw you already replied!

Thank you so far, at first I'm going to organize all this information and make a plan for me what to do next.

If there are questions or I will proceed with the PE Viewer results I will write again.

Thanks & Greetings

[Curson]

Hi Lobas,

You are welcome.
Adlice PE Viewer is not used in malware removal process, don't bother with it.

Regards.

[Lobas]

*I'm going to get to the maximal length, because of this and for the better clarity I'm going to split the post*

Hi,

I'm going to extend this post, but at the moment my only issue is:

Yesterday I made my first attempts with Fixlists for PCSRV.

The successes were mixed.

I will attach my Fixlogs. Just the CMD Fix you told me to do were functioning, this is also attached.

I hope you can help me with writing functioning Fixlists.

Quote
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp

Removing, because they are just there to set not needed Default Start Pages and so are PUM's, right?

They are not PUM's. Microsoft.com and msn.com are legit sites.

Yes I kow these are legit sites, but Browser redirections, Default Start Pages and Default Search Scopes are things, my opinion is, they could be removed because I don't need them.

So, my opinion is removing them the next time, if the problem of the not already properly functioning Fixlists is fixed itself.

Quote
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)

These are also PUM's, which aren't needed, right?

This addon updates all Google software, it's not a PUP.

Yes, I also know, but are Google update Plugins really required in Firefox?

Quote
- Created & Modified:[...]

Just unhiding, I know, not necessary at least, but also nothing that can make damage, am I right so?

These are legit files. You can unhide them, but it's not recommanded.

Why it is not recommended? It won't make any damage and the security aspect is according to my opinion not mattering because I'm not going to make any damage to System components because I have sufficient knowledge for doing nothing into that direction.

Quote
- Installed Programs:[...]

As with them just unhiding, (not absolutely necessary, but also not doing any wrong when performing this)

These are hidden by design.

Yes, I know, but my opinion here is the same as with the hidden files & folders in the "Created & Modified" sections.

Quote
Shortcut: C:\Users\praxis\Desktop\Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Windows\System32\Fehlerquellen beheben.bat ()

Farbar tutorial says, in this section are only listed suspicious or hijacked Shortcuts, along with WMI Malware.[...]

FRST cannot known you write it yourself, so being in the system32 directory, it considers it suspicious.

Yes I know, but it is right that the only reason FRST marks it as suspicious, because of it being in the System32 folder?
In this case, I won't do anything, or is it useful to just replace it with a absolutely sure clean copy?

Quote
- Internet Explorer Restricted Sites:[...]

The restricted sites in IE, are they restricted for a special reason, or would it be ok to remove this attribute?

These sites are malicious so the are indeed restricted for a special reason.

So I will let them alone, if this 7936 sites are really malicious.

Quote
DNS Servers: 192.168.2.1

Does not look like a hijacked DNS Server to me, or?     (Won't do anything)

It's your Internet gateway.

Yes but for example, I checked it with whois.domaintools.com, and found no hints for an Hijacking of this DNS Server.
I also did the same with:

Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1

There is one "Application Error (Source Application Error)", in this case there is nothing someone could do, right?

Also there are 9 "Application Error (SideBySide)". Would it make sense to remove one of the components which are standing in conflict to eachother?

No, these errors are caused by an issue in the manifest file on an application you use (C:\DOC2\PROG\WPROG). Please contact the publisher for a fix.

Yes with the

"Application Error (Source Application Error)"

, this one:

Error: (10/26/2017 09:38:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: ROUTINE.EXE, Version: 17.3712.38814.9, Zeitstempel: 0x5952d945
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7601.23915, Zeitstempel: 0x59b94a16
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0002e927
ID des fehlerhaften Prozesses: 0x2070
Startzeit der fehlerhaften Anwendung: 0x01d34e2d0bf6ee75
Pfad der fehlerhaften Anwendung: C:\DOC2\PROG\WPROG\ROUTINE.EXE
Pfad des fehlerhaften Moduls: C:\Windows\SysWOW64\ntdll.dll
Berichtskennung: b3726f8b-ba20-11e7-ad7f-b083fe825cc6

There is nothing I can do about, but



EDIT: I hope you can help me with my problem.

Regards Lobas

*I'm going to get to the maximal length, because of this and for the better clarity I'm going to split the post*

[Lobas]

*I'm going to get to the maximal length, because of this and for the better clarity I'm going to split the post*


with them: They are 9 not only the example I put in yesterday.

"Application Error (Source SideBySide)"

Error: (10/26/2017 05:24:28 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 01:18:22 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 07:54:46 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 04:54:24 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "C:\doc2\prog\wprog\DOC.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:34 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\ZUSATZ.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:34 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\ZIFRIS.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:32 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\VORGABE.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:29 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\STKMAIN.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (10/26/2017 03:36:29 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Fehler beim Generieren des Aktivierungskontexts für "c:\doc2\prog\wprog\STAMMEN.EXE". Fehler in
Manifest- oder Richtliniendatei "" in Zeile .
Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt mit
einer anderen, bereits aktiven Komponentenversion.
In Konflikt stehende Komponenten:.
Komponente 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Komponente 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Wouldn't it here make sense to remove one of the conflicting components?
I wasn't really sure if your answer was for the "Application Error (Source Application Error)", or for the 9 "Application Errors (Source SideBySide)"
Should I here remove at each one component, or did you mean with this error I should better contact the support of the company the files

C:\doc2\prog\wprog\DOC.EXE
C:\DOC2\PROG\WPROG\ROUTINE.EXE
c:\doc2\prog\wprog\ZUSATZ.EXE
c:\doc2\prog\wprog\ZIFRIS.EXE
c:\doc2\prog\wprog\VORGABE.EXE
c:\doc2\prog\wprog\STKMAIN.EXE
c:\doc2\prog\wprog\STAMMEN.EXE

belong to a program they operate?



EDIT: I hope you can help me with my problem.

Regards Lobas

*Post is still in work, will remove this line when I have last modified this post.*

[Curson]

Hi Lobas,

Yesterday I made my first attempts with Fixlists for PCSRV.

Your FixLists are not written correctly. There is a chance you wil break your system if you don't know what you are doing.

Just the CMD Fix you told me to do were functioning, this is also attached.

The service was succesfully deleted.

I hope you can help me with writing functioning Fixlists.

I do not write Fixlists when there is nothing to fix.

Default Start Pages and Default Search Scopes are things, my opinion is, they could be removed because I don't need them.

Starts Page and Search Scope must contain a value. You can change their values but not delete them.

Yes, I also know, but are Google update Plugins really required in Firefox?

No they are not required but will automatically be reinstalled when you install/update a Google software.

Why it is not recommended? [...]I'm not going to make any damage to System components

If that's the case, go ahead.

Yes, I know, but my opinion here is the same as with the hidden files & folders in the "Created & Modified" sections.

See my answer just above.

Yes I know, but it is right that the only reason FRST marks it as suspicious, because of it being in the System32 folder?

Yes.

Should I here remove at each one component, or did you mean with this error I should better contact the support of the company the files

You should contact the compagny for both error types

belong to a program they operate?

Yes, C:\doc2\prog\wprog.

Regards.

[Lobas]

Quote
- CodeIntegrity[...]

It's a warning about some drivers not being signed, nothing suspicious.

So I shall ignore this not digitally signed drivers?



So, at the moment I will switch to the other PC's and look on PCSRV again another time:

On the other PC's there seem to be more and partially also more urgent things to do.
So, at first, I'm going to concentrate on them


   ~  PC01:

     - Regisry:

ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~$FO °LOST & FOUND°.rtf [2017-05-29] ()
BootExecute: autocheck autochk * Partizan

The first belongs to a group of files that are often infected by various malware.

The one in the middle, I don't know, if suspicious, maybe it's just such a copy generated in e.g. Local\AppData\Temp, I don't know

The last one belongs to the group of "Greatis Software/Partizan/UnHackMe" objects, which should clearly removed.


     - Hosts File:

The hosts file contains some malicious entries. But later we will see more about this topic.

Hosts: Es ist mehr als ein Eintrag in der Hosts Datei zu finden. Siehe Hosts-Bereich in Addition.txt

Are in this case both of them OK?

Why are in this case two objects on that list?

And why are they here named "DHCPNameServer" instead of just "NameServer" at PCSRV?

And why I had a long time ago a RogueKiller recognition named also "DhcpNameServer"?

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{68856CE8-6189-4083-B4AB-7252F866F3FC}: [DhcpNameServer] 192.168.2.1

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: (Avira SafeSearch Plus) - C:\Users\Stumpf\AppData\Roaming\Mozilla\Firefox\Profiles\xj2ez0p8.default\Extensions\safesearch@avira.com.xpi [2017-09-18]
FF Plugin: @microsoft.com/GENUINE -> disabled [Keine Datei]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [Keine Datei]
CHR Extension: (Avira Browserschutz) - C:\Users\Stumpf\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2017-06-19]
S3 Browser; C:\Windows\System32\browser.dll [136704 2012-07-05] (Microsoft Corporation) [Datei ist nicht signiert]
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [Datei ist nicht signiert]
R2 Schedule; C:\Windows\system32\schedsvc.dll [1110016 2015-08-05] (Microsoft Corporation) [Datei ist nicht signiert]
S4 AVKService; "C:\Program Files (x86)\G DATA\AntiVirus\AVK\AVKService.exe" [X]
S0 nmfmfx; kein ImagePath
S0 ovanvq; kein ImagePath
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2017-01-12] (Greatis Software)
U0 aswVmm; kein ImagePath
2017-01-16 19:26 - 2017-01-16 19:26 - 056816244 _____ () C:\Program Files (x86)\UnHackMe.rar
Dateien, die verschoben oder gelöscht werden sollten:
====================
C:\Users\Temp CON\install_flashplayer11x32_mssd_aih(1).exe
Amazon 1Button App (HKLM-x32\...\{4D875057-4353-4B8F-93E5-8C3DC7F34EA9}) (Version: 1.0.8 - Amazon) Hidden <==== ACHTUNG
ContextMenuHandlers1: [BitZipper32] -> {D5906221-A717-479B-9B49-CD848F9CE816} =>  -> Keine Datei
ContextMenuHandlers1: [BitZipper64] -> {9176020F-4A61-4F57-A133-258110EBC765} =>  -> Keine Datei
ContextMenuHandlers6: [BitZipper32] -> {D5906221-A717-479B-9B49-CD848F9CE816} =>  -> Keine Datei
ContextMenuHandlers6: [BitZipper64] -> {9176020F-4A61-4F57-A133-258110EBC765} =>  -> Keine Datei
Task: {AC5CFE36-BD49-4ECB-80FE-CC15B327D116} - \{D0BFC29C-0F57-453A-881A-7D38448ED39A} -> Keine Datei <==== ACHTUNG
Shortcut: C:\Users\Stumpf\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Eigene Websites auf MSN\target.lnk -> hxxp://de.msnusers.co

In Short:
 - There are objects with no target, no matter what kind of objects they are.
 - There are leftovers of Avira, which is uninstalled a long time ago. Avira Toolbars etc. are just annoying.
 - There are missing digital signatures.
 - There are Greatis Software/Partizan/UnHackMe objects which is uninstalled a long time ago, and it's leftovers should follow it.
 - There are objects, Farbar itself warns of.
 - There are objects Farbar instructs to delete.
 - There is one Shortcut Farbar marks as suspicious.















*Post is still in work, will remove this line when I have last modified this post.*