Folders/files containing winsap.dll and snare.msi return after disinfection

After running some programs before here are the logs from them. I will also note that it seems that when I click my Chrome shortcut in the taskbar, it opens up a new instance of chrome which is not pinned on the taskbar. Reinstaling chrome will fix this unitl a restart where it will do this again.

Edited by 1dj, 28 April 2017 - 10:38 PM.

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-2833979337-2780947661-2915321693-1001\...\Run: [Windows Defender] => -
ShellExecuteHooks: No Name - {A950E7F8-2366-11E7-B493-64006A5CFC23} - C:\Users\danie\AppData\Roaming\Anerliphgricied\Pherrasy.dll -> No File
CHR Profile: C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-29] <==== ATTENTION
CHR Extension: (EditThisCookie) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2016-12-08]
CHR Extension: (Popup Blocker Pro) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\kiodaajmphnkcajieajajinghpejdjai [2017-01-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-12]
CHR Extension: (Chrome Media Router) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-26]
S2 AdBlockerService; C:\Program Files (x86)\AdBlocker\AdBlockerService.exe [X]
S2 HKClipSvc; C:\Program Files (x86)\Hotkey\Driver\x64\HKClipSvc.exe [X]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 PowerBiosServer; "C:\Program Files (x86)\Hotkey\HotkeyService.exe" [X]
Task: {03244A71-F0F7-4EEE-9B53-74CF550632A6} - \Microsoft\Windows\Media Center\RegisterObject -> No File <==== ATTENTION
Task: {5BBC0DE0-3D6D-43D4-A9E3-24D9E7761BF2} - System32\Tasks\Samsung Update => msiexec.exe /i hxxp://D2Buh1bF1G584W.CLouDfRoNT.net/mmtsk/occup.php?p=SanDiskXSD8SN8U512G1122_162304427574&amp;d=20170426 /q <==== ATTENTION
Task: {6F2AC8EF-04FB-415C-A9A5-C6252B20BA83} - \QMC Reader for VAB -> No File <==== ATTENTION
Task: {701B2478-32EB-4392-A59B-E66E1FA91CC9} - \Prezoph -> No File <==== ATTENTION

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on menu icon which is located right side top of the google chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
===

Please let me know what problem persists with this computer.


p.s.

Reinstaling chrome will fix this until a restart where it will do this again.

Are you Syncing your Chrome account?
That may be the reason that the problem returned.

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-2833979337-2780947661-2915321693-1001\...\Run: [Windows Defender] => -
ShellExecuteHooks: No Name - {A950E7F8-2366-11E7-B493-64006A5CFC23} - C:\Users\danie\AppData\Roaming\Anerliphgricied\Pherrasy.dll -> No File
CHR Profile: C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-29] <==== ATTENTION
CHR Extension: (EditThisCookie) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2016-12-08]
CHR Extension: (Popup Blocker Pro) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\kiodaajmphnkcajieajajinghpejdjai [2017-01-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-12]
CHR Extension: (Chrome Media Router) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-26]
S2 AdBlockerService; C:\Program Files (x86)\AdBlocker\AdBlockerService.exe [X]
S2 HKClipSvc; C:\Program Files (x86)\Hotkey\Driver\x64\HKClipSvc.exe [X]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 PowerBiosServer; "C:\Program Files (x86)\Hotkey\HotkeyService.exe" [X]
Task: {03244A71-F0F7-4EEE-9B53-74CF550632A6} - \Microsoft\Windows\Media Center\RegisterObject -> No File <==== ATTENTION
Task: {5BBC0DE0-3D6D-43D4-A9E3-24D9E7761BF2} - System32\Tasks\Samsung Update => msiexec.exe /i hxxp://D2Buh1bF1G584W.CLouDfRoNT.net/mmtsk/occup.php?p=SanDiskXSD8SN8U512G1122_162304427574&amp;d=20170426 /q <==== ATTENTION
Task: {6F2AC8EF-04FB-415C-A9A5-C6252B20BA83} - \QMC Reader for VAB -> No File <==== ATTENTION
Task: {701B2478-32EB-4392-A59B-E66E1FA91CC9} - \Prezoph -> No File <==== ATTENTION

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on menu icon which is located right side top of the google chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
===

Please let me know what problem persists with this computer.


p.s.

Reinstaling chrome will fix this until a restart where it will do this again.

Are you Syncing your Chrome account?
That may be the reason that the problem returned.

 

 

Hello, thanks a lot for that.

 

It seems so far good!

Ill let you know how I go and if I still see any issues.

 

EDIT: Im seeing in my task manager this program called Windows® update with a random process name, is this concerning?

http://i.imgur.com/8DWDDgY.png (This screenshot has a different process name to the random one I saw before)

Edited by 1dj, 29 April 2017 - 09:31 AM.

Msiexec is an important programs from Microsoflt nothing to worry about.

https://technet.microsoft.com/en-us/library/bb490936.aspx
===

==================== Restore Points =========================

The windows update files are assigned by Microsoft nothing to worry about.
If you look at your Restore points in the Addition.txt file you will see when they are installed.

15-04-2017 00:24:54 Windows Update
19-04-2017 00:02:11 Windows Update
22-04-2017 22:52:11 Windows Update
25-04-2017 23:25:19 Windows Update
29-04-2017 00:34:33 Windows Update

===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

Ive comepletely reset chrome and uninstalled and reinstalled it and it still is spawning processes which are not pinned to the taskbar about 30 minutes after using it. I havent synced with my accoount so I have no idea whats causing it.

Download the Sustemlook appropriate for you system.

SystemLook.exe
SystemLook_x64.exe

• Double-click SystemLook.exe/SystemLook_x64.exe
• to run it.
• Copy and paste the content of the following bold text into the main textfield:
• :reg
  winsap.dll;snare.msi
  :file
  winsap.dll;snare.msi

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
• Note: The log can also be found on your Desktop entitled SystemLook.txt.
• ===
  
  
  

Lets try two searches, one for the Registry and the other the the files.

For the registry search hit the Registry Search button with

:reg
winsap.dll;snare.msi[/b[

Then for the files hit the File Search button with

[b]:file
winsap.dll;snare.msi

Lets try two searches, one for the Registry and the other the the files.

For the registry search hit the Registry Search button with

:reg
winsap.dll;snare.msi
Then for the files hit the File Search button with

:file
winsap.dll;snare.msi

Where do I put this? Also [b] ?

Edited by nasdaq, 01 May 2017 - 12:01 PM.

sorry the b in the bracket was a format error. I corrected it.


Copy this command in the Text field of the SyistemLook box and click the Registry button.
:reg
winsap.dll;snare.msi

Save the results.

Do an other search.

Copy this command in the Text field and click the File Search button.
:file
winsap.dll;snare.msi

Save the results also.


Post both of the results.

Edited by nasdaq, 10 May 2017 - 07:40 AM.

There is only the buttons "Look" and "Exit"

Though after putting in the text field here are the results

Do you still have problems with the files I was looking for?

 

What are the remaining issues?

Are you still with me?

Are you still with me?

Yes I am Sorry.

 

It seems that every 3 days or so Chrome unattaches itself to the pinned process and creates a new process to which I have to repin.