

RiskWare.IStealer - Messed up Registry?


  • This topic is locked
6 replies to this topic

#1 moh533

moh533

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:22 PM

Posted 01 January 2017 - 02:07 AM

Hello,

 

My name is Moh, and I am fairly new to this forum, so please bear with me regarding any info you need to help me with this task. A couple of months ago, my little brother illegally downloaded Microsoft Office Professional Plus 2016 onto my computer without my knowledge. Unfortunately, that installation came with some nasty, infamous malware: RiskWare.IStealer. The malware's source specifically came from the directory "C:\ProgramData\KMSAutoS\bin\KMSSS.exe," where the executable is used to forge a license for Microsoft Office. Let's just say my brother's lost all administrative privileges... 

 

I believe I quarantined the malware using MalwareBytes and Hitman Pro, while manually deleting/uninstalling Microsoft Office and all of its files, including the illegal ones in KMSAutoS. However, the malware seems to have corrupted my registry, as I have been unable to install any Windows Updates. In addition, I can't even reset my PC so the damage is bad. I ran the Farbar Recovery Scan Tool, so you can look at the files attached.

 

Any help is greatly appreciated. Let me know what info and steps I must take and I'll cooperate to the best of my abilities. Thank you in advance.

 

Moh

 

Mod Edit

Moved from Windows 10 support due to FRST log

NickAu

Attached Files


Edited by NickAu, 01 January 2017 - 02:22 AM.
mod edit



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:22 PM

Posted 01 January 2017 - 10:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicyScripts-x32: Restriction <======= ATTENTION
Toolbar: HKLM - No Name - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} -  No File
CHR Extension: (Avast SafePrice) - C:\Users\moh12\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-12-04]
CHR Extension: (Avast Online Security) - C:\Users\moh12\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-12-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\moh12\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-12-03]
CHR Extension: (Chrome Media Router) - C:\Users\moh12\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-03]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
Task: {77DF494E-EFE1-469F-928B-3D74BFE415EE} - \KMSAutoNet -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:D1B5B4F1 [106]

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 (Optional), do the Pre-Scan, then skip Steps 3 and 4 (Optional) for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below

  • 01 - Repair Registry Permissions
    02 - Reset File Permissions (2)
    .. 02.01 File Permissions C:\
    .. 02.02 File Permissions D:\
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    06 - Repair Windows Firewall
    08 - Repair MDAC/MS Jet
    10 - Remove Policies Set By Infections
    14 - Remove Temp Files
    15 - Repair Proxy Settings
    17 - Repair Windows Updates
    19 - Repair Volume Shadow Copy Service
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
    
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.

===

Restart the computer normally.

How is the computer running now?

=======================
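
The fixlist above removes four things besides the temp-file cleanup: the KMSAutoS drop directory the poster named, the orphaned \KMSAutoNet scheduled task, the alternate data stream on C:\ProgramData\TEMP and the toolbar CLSID with no backing file (plus the flagged Group Policy scripts entry). What follows is an added example, not code from the thread or from FRST: a read-only PowerShell audit of those same artifacts, meant to be run in an elevated prompt before the FRST fix and again after the reboot to confirm nothing came back. The Group Policy registry locations in step 5 are my assumption about where FRST looks; everything else uses the paths and identifiers the fixlist itself names.

```powershell
# Added example, not part of the original thread: read-only audit of the artifacts the
# FRST fixlist removes. Run from an elevated PowerShell prompt. Nothing here deletes anything.
# Assumption: the Group Policy "Scripts" registry keys in step 5 are where FRST reads from.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. The KMSAutoS directory and whatever is still inside it, hashed so the files can be
#    looked up or compared against the Malwarebytes/HitmanPro quarantine logs.
$kmsDir = 'C:\ProgramData\KMSAutoS'
if (Test-Path -LiteralPath $kmsDir) {
    foreach ($f in Get-ChildItem -LiteralPath $kmsDir -Recurse -File -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Add-Finding 'File' "$($f.FullName) sha256=$hash"
    }
}

# 2. The \KMSAutoNet scheduled task. FRST showed it as "No File": the task is still
#    registered but the executable it launches is gone, i.e. a stale persistence entry.
$task = Get-ScheduledTask -TaskName 'KMSAutoNet' -ErrorAction SilentlyContinue
foreach ($t in $task) {
    foreach ($a in $t.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables([string]$a.Execute)
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
        Add-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName) -> '$exe' (target exists: $exists)"
    }
}

# 3. Alternate data streams on C:\ProgramData\TEMP. Explorer never shows an ADS, which is
#    why FRST lists them; anything other than the default :$DATA stream is reported.
$adsHost = 'C:\ProgramData\TEMP'
if (Test-Path -LiteralPath $adsHost) {
    foreach ($s in Get-Item -LiteralPath $adsHost -Stream * -ErrorAction SilentlyContinue) {
        if ($s.Stream -ne ':$DATA') {
            Add-Finding 'AlternateDataStream' "${adsHost}:$($s.Stream) ($($s.Length) bytes)"
        }
    }
}

# 4. The toolbar CLSID with "No File": the registration survives but the COM server it
#    points to does not, so the entry is dead weight that should simply go.
$clsid = '{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}'
$toolbarKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar')
foreach ($key in $toolbarKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    if ((Get-Item -LiteralPath $key).GetValueNames() -contains $clsid) {
        $server = ''
        foreach ($srvKey in @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                              "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$clsid\InprocServer32")) {
            if (Test-Path -LiteralPath $srvKey) { $server = (Get-Item -LiteralPath $srvKey).GetValue(''); break }
        }
        $dllExists = ($server) -and (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($server)))
        Add-Finding 'ToolbarCLSID' "$key\$clsid -> '$server' (DLL exists: $dllExists)"
    }
}

# 5. Machine Group Policy scripts (FRST flagged "GroupPolicyScripts-x32: Restriction").
#    Assumption: these are the keys FRST reads; any Script value here runs at boot/shutdown.
$gpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Group Policy\Scripts')
foreach ($key in $gpKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue) {
        $script = $sub.GetValue('Script')
        if ($script) {
            Add-Finding 'GPOScript' "$($sub.Name) -> $script $($sub.GetValue('Parameters'))"
        }
    }
}

if ($findings.Count -eq 0) { 'No KMSAuto-related artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The point of running this twice is the second run: the FRST fix reboots the machine, and a persistence entry that reappears after the reboot means something other than the listed artifacts is recreating it, which would change the cleanup plan. The script only reads, so it is safe to rerun at any point.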



#3 moh533

moh533
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:22 PM

Posted 01 January 2017 - 12:39 PM

Hello nasdaq,
 
Thank you for the prompt response. First and foremost, I'd like to wish you and the community at BleepingComputer a Happy New Year :)
 
As per your request, I ran FRST using fixlist.txt, resulting in the file Fixlog.txt (attached in this post). Next, I ran the program Tweaking.com - Windows Repair, following each step as shown. I copied a log of the pre-scan, attached in this post. Also, I compiled an error log for the repairs, also attached in this post. As you can see, most of the errors seem to involve Avast Antivirus. 

 

Regarding my computer, Windows Update is still failing to install security updates. I don't know about anything else, but I'll update you if anything changes.

 

UPDATE: So Windows Update at least completes the first step of installing the security update. However, when I restart the computer, it fails to complete the installation. I don't know if this helps, but the specific update is: "Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB3206632)" 

 
Moh

Attached Files


Edited by moh533, 01 January 2017 - 01:42 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:22 PM

Posted 02 January 2017 - 07:51 AM


Uninstall Avast using their uninstaller tool.
https://www.avast.com/uninstall-utility

Restart the computer normally when completed.


How is the computer running with Only Windows Defender active?

===

Download the troubleshooting tool provided by Microsoft.
https://support.microsoft.com/en-gb/help/10164/fix-windows-update-errors

It supports Windows 7, Windows 8.1 and Windows 10. The site offers different options based on the operating system you select.

If you select Windows 10, you will be asked to download the Windows Update Troubleshooter and run it. For Windows 8.1 and Windows 7 users, you get different troubleshooters for their respective operating systems.

Follow the instructions.

If your Windows Update issue is solved, and after having restarted your computer, you can reinstall Avast.

Keep me posted.
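
Post #3 narrows the symptom to one update, KB3206632, that completes its first stage and then fails during the restart. Before (or alongside) the Microsoft troubleshooter, it helps to know whether that update actually ended up installed and what the update client logged. The block below is an added example, not from nasdaq's reply or from Microsoft's tool: a read-only PowerShell check of the KB's install state, the services the update pipeline depends on, and the relevant events. The event IDs 19 (install succeeded) and 20 (install failed) are the documented Windows Update client IDs; the Setup log is filtered by the KB string rather than by event ID.

```powershell
# Added example, not part of the original thread: read-only status check for the update
# post #3 names, KB3206632, and for the services an update install depends on.
# Run from an elevated PowerShell prompt on the affected machine; nothing here changes it.

$kb = 'KB3206632'

function Get-UpdateStatus([string]$KbId) {
    # Win32_QuickFixEngineering lists the update only once its servicing stage completed.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    if ($hotfix) { "$KbId is installed (InstalledOn: $($hotfix.InstalledOn))" }
    else         { "$KbId is NOT installed; the post-reboot stage rolled back or never ran" }
}

# 1. Did the cumulative update actually land? A failure after the restart rolls it back.
Get-UpdateStatus $kb

# 2. Services the Windows Update pipeline needs. Stopped or Disabled here is consistent
#    with the permission/startup damage the repair steps in this thread try to undo.
Get-Service -Name wuauserv, bits, cryptsvc, msiserver, TrustedInstaller -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize

# 3. Windows Update client log: event 19 is a successful install, event 20 an installation
#    failure; the message carries the update title and the error code.
$filter = @{ LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = @(19, 20) }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $kb } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 4. The Setup log records the servicing stage that runs during the reboot, which is where
#    the poster's install fails; filter it by the KB number rather than by event ID.
Get-WinEvent -LogName Setup -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $kb } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

The error code in the event 20 message (or in the Setup log entry) is the detail worth pasting into a reply: a generic "failed to install" tells a helper nothing, while the specific code distinguishes a component-store or permissions problem from a download or service problem, and that decides whether repair tools are worth more time or a clean reinstall is the faster route.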

#5 moh533

moh533
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:22 PM

Posted 02 January 2017 - 11:02 AM

Hi nasdaq,

 

I followed your steps and removed Avast; now Windows Defender is running. There seems to be some improvement in the progress of the installation. However, Windows Update continues to fail the installation after restarting the computer :(



#6 moh533

moh533
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:22 PM

Posted 02 January 2017 - 12:37 PM

Nasdaq,

 

I think I'm just going to format the hard disk and make a fresh install of Windows 10 from a bootable disk. None of the methods are working. I even tried resetting my pc and reinstalling Windows 10 through the Media Creation Tool, and even that doesn't work. This malware must've done some huge damage to my registry. 



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:22 PM

Posted 02 January 2017 - 02:04 PM

Good luck.



