RAM hogging and BSOD: Winfix.exe, NewHeur.LowRep(windapp), NewHeur.LowRep(nan)


This topic is locked. 6 replies to this topic.

#1 deedpull

deedpull

  • Members
  • 4 posts

Posted 14 December 2017 - 01:08 AM

Hello.

I need help.

 

In the last few hours, my laptop went very slow and the RAM usage went over 99% until it suddenly hit a BSOD.

 

It happened after I accidentally clicked a pop-up last night while watching movies.

 

I've tried scanning it using SMADAV, but only 2 files were flagged as viruses, called NewHeur.LowRep.

 

The first is windapp.exe and the second is nan.exe. Both of them run at startup.

But the other file, under the name winfix.exe, SMADAV couldn't identify as a virus or anything.

 

What makes me wonder is that those 3 files were in the same directory.

 

Please help to make sure there is no threat in my laptop.

 

Thank you so much.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 December 2017 - 08:31 AM

Hi,


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Run: [Windapp] => C:\Users\Personale\AppData\Roaming\WindAppUtils\WindAppB\Windapp.exe****************************************************************************************************D******************************* (the data entry has 60 more characters).
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
Startup: C:\Users\Personale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winfix.exe [2017-12-13] ()
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hao.moxia.net
S3 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [X]
S3 cpuz138; no ImagePath
S2 NVR0FLASHDev; no ImagePath
S1 SASDIFSV; no ImagePath
S1 SASKUTIL; no ImagePath
S3 cpuz140; \??\C:\Users\PERSON~1\AppData\Local\Temp\cpuz140\cpuz140_x64.sys [X] <==== ATTENTION
U3 idsvc; no ImagePath
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
S3 WinRing0_1_2_0; \??\D:\Program Files (x86)\IObit\Advanced SystemCare\OpenHardwareMonitorLib.sys [X]
U3 wpcsvc; no ImagePath

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {24C8A6EF-307D-4D0A-9182-A0AD0AE9E030} - System32\Tasks\{717230CC-F756-4ECA-A931-F8EE6CF27ABF} => "c:\windows\system32\launchwinapp.exe" hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=7.23.0.105&LastError=404

HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\StartupApproved\StartupFolder: => "nan.exe"
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\StartupApproved\StartupFolder: => "winfix.exe"
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\StartupApproved\Run: => "Windapp"

C:\Windows\System32\Tasks\{717230CC-F756-4ECA-A931-F8EE6CF27ABF}
C:\Users\Personale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winfix.exe
C:\Users\Personale\AppData\Roaming\WindAppUtils

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended. (You need to check with Internet Explorer) <- Important.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 144 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180144F0}) (Version: 8.0.1440.1 - Oracle Corporation)
====

Please post the log and let me know what problem persists with this computer.
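As an added example (not code from the thread, the responder, or the FRST project), here is a small Python triage pass over FRST-style log lines that flags the kinds of persistence entries the fixlist above removes: autoruns launched from user-writable paths, executables in the Startup folder, DisallowRun policies that block admin tools such as powershell.exe, a changed browser start page, and drivers loaded from Temp. The sample lines are constructed from the entries quoted in the thread; the line patterns are an assumption modelled on those entries, not a full FRST log grammar.

```python
import re

# Constructed sample lines in FRST's log format, modelled on the entries the
# fixlist above targets; paths and SID are the ones quoted in the thread.
# The last line is a benign autorun used as a control.
SAMPLE_LOG = r"""
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Run: [Windapp] => C:\Users\Personale\AppData\Roaming\WindAppUtils\WindAppB\Windapp.exe
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
Startup: C:\Users\Personale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winfix.exe [2017-12-13] ()
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hao.moxia.net
S3 cpuz140; \??\C:\Users\PERSON~1\AppData\Local\Temp\cpuz140\cpuz140_x64.sys [X] <==== ATTENTION
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe
"""

# Locations a standard user can write to; legitimate autoruns rarely live there.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

def triage(line):
    """Return (reason, line) if the line is a persistence point worth review, else None."""
    line = line.strip()
    if not line:
        return None
    # Run-key autoruns (HKU\<SID>\...\Run or HKLM\...\Run) whose target is user-writable
    m = re.match(r"^(?:HKU\\\S+|HKLM)\\\.\.\.\\Run: \[[^\]]+\] => (.+)$", line)
    if m and USER_WRITABLE.search(m.group(1)):
        return ("autorun from user-writable path", line)
    # Anything dropped into a per-user Startup folder
    m = re.match(r"^Startup: (.+?) \[", line)
    if m:
        return ("startup-folder executable", line)
    # DisallowRun is a legitimate policy setting, but here it blocks admin/IR tools
    if "\\Policies\\Explorer\\DisallowRun:" in line:
        return ("DisallowRun policy blocks a tool", line)
    # Browser start page pointed at a third-party site
    if "Internet Explorer\\Main,Start Page" in line:
        return ("browser start page set", line)
    # Services/drivers (S/U/R + start type) loaded from Temp or with no image at all
    m = re.match(r"^[SUR]\d \S+; (.+)$", line)
    if m and (USER_WRITABLE.search(m.group(1)) or "no ImagePath" in m.group(1)):
        return ("service or driver from temp path or without image", line)
    return None

def triage_log(text):
    """Run triage over every line of an FRST-style log and keep the hits in order."""
    return [hit for hit in (triage(l) for l in text.splitlines()) if hit]
```

Each hit still needs a human decision (a DisallowRun entry, for instance, is normal on a managed machine); the script only narrows the list to review.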

#3 deedpull

deedpull
  • Topic Starter

  • Members
  • 4 posts

Posted 15 December 2017 - 11:57 AM

Hello

 

Thank you for the answer.

 

I've uninstalled and reinstalled the newest version of Java.

 

Here is the result of the task.

_____________________________________________


Fix result of Farbar Recovery Scan Tool (x64) Version: 13-12-2017
Ran by Personale (15-12-2017 23:08:25) Run:1
Running from C:\Users\Personale\Desktop
Loaded Profiles: Personale (Available Profiles: Personale)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Run: [Windapp] => C:\Users\Personale\AppData\Roaming\WindAppUtils\WindAppB\Windapp.exe****************************************************************************************************D******************************* (the data entry has 60 more characters).
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
Startup: C:\Users\Personale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winfix.exe [2017-12-13] ()
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hao.moxia.net
S3 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [X]
S3 cpuz138; no ImagePath
S2 NVR0FLASHDev; no ImagePath
S1 SASDIFSV; no ImagePath
S1 SASKUTIL; no ImagePath
S3 cpuz140; \??\C:\Users\PERSON~1\AppData\Local\Temp\cpuz140\cpuz140_x64.sys [X] <==== ATTENTION
U3 idsvc; no ImagePath
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
S3 WinRing0_1_2_0; \??\D:\Program Files (x86)\IObit\Advanced SystemCare\OpenHardwareMonitorLib.sys [X]
U3 wpcsvc; no ImagePath
 
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {24C8A6EF-307D-4D0A-9182-A0AD0AE9E030} - System32\Tasks\{717230CC-F756-4ECA-A931-F8EE6CF27ABF} => "c:\windows\system32\launchwinapp.exe" hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=7.23.0.105&LastError=404
 
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\StartupApproved\StartupFolder: => "nan.exe"
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\StartupApproved\StartupFolder: => "winfix.exe"
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\...\StartupApproved\Run: => "Windapp"
 
C:\Windows\System32\Tasks\{717230CC-F756-4ECA-A931-F8EE6CF27ABF}
C:\Users\Personale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winfix.exe
C:\Users\Personale\AppData\Roaming\WindAppUtils
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => removed successfully
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Windapp => value removed successfully
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\DisallowRun => value removed successfully
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\1 => value removed successfully
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\2 => value removed successfully
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\3 => value removed successfully
C:\Users\Personale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winfix.exe => moved successfully
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\System\CurrentControlSet\Services\avast! Antivirus => key could not remove, key could be protected
"HKLM\System\CurrentControlSet\Services\cpuz138" => removed successfully
cpuz138 => service removed successfully
"HKLM\System\CurrentControlSet\Services\NVR0FLASHDev" => removed successfully
NVR0FLASHDev => service removed successfully
"HKLM\System\CurrentControlSet\Services\SASDIFSV" => removed successfully
SASDIFSV => service removed successfully
"HKLM\System\CurrentControlSet\Services\SASKUTIL" => removed successfully
SASKUTIL => service removed successfully
cpuz140 => Unable to stop service.
"HKLM\System\CurrentControlSet\Services\cpuz140" => removed successfully
cpuz140 => service removed successfully
"HKLM\System\CurrentControlSet\Services\idsvc" => removed successfully
idsvc => service removed successfully
"HKLM\System\CurrentControlSet\Services\VMnetAdapter" => removed successfully
VMnetAdapter => service removed successfully
"HKLM\System\CurrentControlSet\Services\WinRing0_1_2_0" => removed successfully
WinRing0_1_2_0 => service removed successfully
"HKLM\System\CurrentControlSet\Services\wpcsvc" => removed successfully
wpcsvc => service removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\7-Zip" => removed successfully
HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} => key not found
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\avast" => removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui" => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => key not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{24C8A6EF-307D-4D0A-9182-A0AD0AE9E030} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{24C8A6EF-307D-4D0A-9182-A0AD0AE9E030}" => removed successfully
C:\WINDOWS\System32\Tasks\{717230CC-F756-4ECA-A931-F8EE6CF27ABF} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{717230CC-F756-4ECA-A931-F8EE6CF27ABF}" => removed successfully
C:\Users\Personale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nan.exe => not found.
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder\\nan.exe => value removed successfully
C:\Users\Personale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winfix.exe => not found.
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder\\winfix.exe => value removed successfully
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\Windapp => value removed successfully
HKU\S-1-5-21-3766000356-3612992172-70658616-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windapp => value not found.
"C:\Windows\System32\Tasks\{717230CC-F756-4ECA-A931-F8EE6CF27ABF}" => not found.
"C:\Users\Personale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winfix.exe" => not found.
C:\Users\Personale\AppData\Roaming\WindAppUtils => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 2281972 B
Java, Flash, Steam htmlcache => 357671455 B
Windows/system/drivers => 1052292 B
Edge => 30202732 B
Chrome => 299200051 B
Firefox => 25217014 B
Opera => 128944393 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 4238 B
LocalService => 152522 B
NetworkService => 1278980 B
Personale => 99448791 B
 
RecycleBin => 1821169 B
EmptyTemp: => 903.4 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 15-12-2017 23:27:03)
 
 
Result of scheduled keys to remove after reboot:
 
HKLM\System\CurrentControlSet\Services\avast! Antivirus => key could not remove, key could be protected
 
==== End of Fixlog 23:27:03 ====
 
Thank you so much for the help.

Edited by deedpull, 15 December 2017 - 11:58 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 December 2017 - 01:30 PM

Has the problem been solved?

#5 deedpull

deedpull
  • Topic Starter

  • Members
  • 4 posts

Posted 15 December 2017 - 02:13 PM

Has the problem been solved?

 

Until now, there has been no problem. RAM is running fine, with no sign of any errors.

 

Is there a way to know that my system is now healthy and free of that virus?

 

Can you suggest any good software to keep viruses/worms away from my laptop?

 

Anyway, thank you so much for the help, man.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 December 2017 - 02:38 PM

Hi,

All you need to know.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#7 deedpull

deedpull
  • Topic Starter

  • Members
  • 4 posts

Posted 15 December 2017 - 02:45 PM

Alright, thank you, man.

God bless you.





