
Infected with Desktoplayer.exe and <filename>srv.exe


This topic is locked
24 replies to this topic

#1 ShadowOfTheDay

Posted 22 March 2018 - 07:12 AM

Hey. Unfortunately I have been infected with this Ramnit(?) for over a year now, and sometimes it feels like it's just a useless virus sitting there, while other times it feels like somehow the beast is awakened, creating a *srv.exe of every single .exe I run, and constantly opens Chrome tabs whenever a .exe runs. It's been like this for a whole year, and it actually remained quiet for most of the time.

 

But recently I reformatted my C disk, and of course the Desktoplayer is still there, and apparently the reformat had awakened it. It's back opening browsers and creating *srv.exe's.

 

Please read this thread https://www.bleepingcomputer.com/forums/t/336044/infected-with-desktoplayerexe-srvexe-virus/ as the person who had created that thread explained this virus thing pretty accurately, and I'm having the exact same symptoms. I also did a lot of what he tried to do too, did every way I could think of to get rid of this damn Ramnit but of course, I lost.

The only current difference is the location of Desktoplayer.exe. It used to create itself in C:\Program Files\Microsoft\Destoplayer.exe but after I tried to rename Desktoplayer.exe and change some permissions in attempt to make it stop executing, it recreated itself in C:\Users\<myusername>\Microsoft\Desktoplayer.exe

 

Of course I've tried tens of malware programs, they all detect the file and claim to have quarantined/fixed it but obviously they couldn't.

I was going to try some scans in Safe Mode but I thought I'll just ask for your help before doing anything.

Oh, just a small note: from the thread I've linked and my experience with this Ramnit, it's one hell of a virus that's ridiculously difficult to remove. So it's probably gonna take a lot of time and effort.

 

I will wait until advised on what to do next. I've seen people claiming that this virus may be stealing personal information, but I've had it for more than a year now so if it had stolen anything I would've most definitely noticed. 

P.S: My brother's laptop is also infected with this thing. Should I follow what you instruct me to do on this laptop, on his laptop too? Or shall I tell him to create another thread?

 

 

Thank you in advance. Here are the FRST.txt and Addition.txt

 

FRST.txt:

Addition.txt:




#2 nasdaq (Malware Response Team)

Posted 22 March 2018 - 08:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Winlogon: [Userinit] userinit.exe,c:\program files (x86)\microsoft\desktoplayer.exe
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HomePage: Default -> hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBEQo0lOCwIxrzs2Rcb6iYzGZUPVTFL1sFLQyq3KgDxdxe018PxDU44QCtWa2hqIOPxM-3JTrIWWyoOp8Gzh-pjEuuOmC_2umfS-4hkjZGM6p1kqj-Wmk1hKIlxwQSVD6XAlWtHj2QJITG9nqnjUDIU2jsbKgKEPAlqG3J1pgDGB6Y6GvfEEkFabILFO325xw,,

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
---

Reset Chrome...
Open Google Chrome and click on the menu icon (the 3 vertical dots at the top right of Google Chrome).
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please let me know what problem persists with this computer.
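As an added example that is not part of the thread, of FRST or of any other tool mentioned here: a read-only PowerShell audit of the two traces discussed above, the Winlogon Userinit value that the fixlist strips desktoplayer.exe from, and the "<name>Srv.exe" companion files the poster describes next to infected executables. The function names and the search roots (C:\Users and the D: games drive) are assumptions for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread or its tools. Read-only: it reports and changes nothing.

function Test-WinlogonUserinit {
    # Winlogon launches every comma-separated entry in Userinit at logon. The default value
    # is only userinit.exe; the FRST log above showed desktoplayer.exe appended to the
    # 32-bit (Wow6432Node) key, which is how the malware restarted at every logon.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        Write-Host "$key"
        Write-Host "  Userinit = $value"
        $entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
        foreach ($entry in $entries) {
            if ([System.IO.Path]::GetFileName($entry) -ieq 'userinit.exe') {
                Write-Host "  expected : $entry"
            } else {
                # Anything besides userinit.exe here is a logon persistence hook worth a look.
                Write-Warning "extra logon entry: $entry (exists on disk: $(Test-Path -LiteralPath $entry))"
            }
        }
    }
}

function Find-SrvCompanions {
    # The poster describes a "<name>Srv.exe" appearing beside each "<name>.exe" that was run.
    # List every *Srv.exe whose sibling without the suffix exists in the same folder; a
    # legitimate service binary that happens to end in Srv.exe usually has no such twin.
    param([Parameter(Mandatory)][string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*Srv.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $base = $_.BaseName -replace 'Srv$', ''   # -replace is case-insensitive
                if ($base -eq '') { return }                # skip a bare "Srv.exe"
                $sibling = Join-Path $_.DirectoryName ($base + '.exe')
                if (Test-Path -LiteralPath $sibling) {
                    [pscustomobject]@{
                        Companion = $_.FullName
                        Original  = $sibling
                        Modified  = $_.LastWriteTime
                    }
                }
            }
    }
}

Test-WinlogonUserinit
# Assumed search roots: the profile folder and the D: drive the poster keeps games on.
Find-SrvCompanions -Roots 'C:\Users', 'D:\' | Format-Table -AutoSize
```

Re-run the Userinit check after each fix and after a reboot; the thread shows the value being re-added once an infected executable is launched again.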

#3 ShadowOfTheDay (Topic Starter)

Posted 22 March 2018 - 10:11 AM

Done. But I've noticed that you included c:\program files (x86)\microsoft\desktoplayer.exe in the Fixlist even though this doesn't exist apparently.

Desktoplayer.exe is currently located in C:\Users\Astronomy\Microsoft\Desktoplayer.exe as I've stated in the original thread.

 

Chrome reset as well.

 

Here's Fixlog.txt


 

Thank you!


Edited by ShadowOfTheDay, 22 March 2018 - 10:12 AM.


#4 nasdaq (Malware Response Team)

Posted 23 March 2018 - 07:14 AM

Hi,

It was started via Winlogon. It has been stopped.

You can delete these files:

c:\program files (x86)\microsoft\desktoplayer.exe
C:\Users\Astronomy\Microsoft\Desktoplayer.exe
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#5 ShadowOfTheDay (Topic Starter)

Posted 24 March 2018 - 07:20 PM

Hey,

 

Thank you very much for the help!

It seems like it's been stopped for now. Usually deleting the Desktoplayer.exe kind of "awakens" the virus. I'm gonna go ahead and delete it (and the *Srv.exe files). I cannot find it in C:\Program Files (x86)\Microsoft but I've found the C:\Users one and removed it.

If any more problems persist, I'll let you know.

 

Thanks again!

 

Update: Apparently it's still active, creating *Srv.exe files. I just tried running a game and it immediately opened a Chrome tab as it used to and created the *Srv.exe file. I went back to C:\Users\Astronomy\Microsoft and found Desktoplayer.exe created again. Please advise.


Edited by ShadowOfTheDay, 24 March 2018 - 07:27 PM.


#6 nasdaq (Malware Response Team)

Posted 30 March 2018 - 07:44 AM


Hi,

I apologize for this long delay.

If you are still with me, let's continue.


Step 1
Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Step 2
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Step 3
Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs for my review.

Let me know what problems persist.
==============================

#7 ShadowOfTheDay (Topic Starter)

Posted 31 March 2018 - 04:29 PM

Hey there.

 

No worries, I was busy the past few days myself.

Alright, first here's the log from Malwarebytes. Apparently this DriverTalent program was a problem lol. Had to use it after I formatted because I had a very hard time finding the drivers for my laptop (it also detected the desktoplayer as a worm... never did that before).


 

And here's the AdwCleaner log:


 

Here is the FRST.txt:


 

And I have attached the Addition.txt log as you requested. Also feel free to take your time :]

Thank you.



Edited by ShadowOfTheDay, 31 March 2018 - 04:32 PM.


#8 nasdaq (Malware Response Team)

Posted 01 April 2018 - 07:16 AM

Hi

Looking better.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

S3 VGPU; System32\drivers\rdvgkmd.sys [X]
FirewallRules: [{DD7FBE80-CF10-46E8-B028-741085D35E2D}] => (Allow) C:\Program Files (x86)\OSTotoSoft\DriverTalent\DriverTalent.exe
FirewallRules: [{4BC8A7D1-41E8-4BF2-9356-7F58429375B9}] => (Allow) C:\Program Files (x86)\OSTotoSoft\DriverTalent\DTLService.exe
FirewallRules: [{5C5F12C2-EE52-4EE9-A444-B10744737944}] => (Allow) C:\Program Files (x86)\OSTotoSoft\DriverTalent\download\MiniThunderPlatform.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended. (You need to check with Internet Explorer) <- Important.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 131 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
===

Please let me know what problem persists with this computer.

#9 ShadowOfTheDay (Topic Starter)

Posted 01 April 2018 - 12:12 PM

Hey,

 

Okay I've done the FRST fix, here's the Fixlog.txt:


 

I've also uninstalled the Java I had, and downloaded the most recent one.

Let me know when the problem seems to have been fixed, so I can try running some applications/games that always create the Desktoplayer.

By the way I've been having a problem of the LAN driver not loading up unless I restart my laptop a 2nd time, it's been happening ever since I formatted my laptop (like 3 weeks ago), can we try to solve that in this thread (after we're done with Desktoplayer) or should I create a new one?

 

Thanks!



#10 nasdaq (Malware Response Team)

Posted 02 April 2018 - 07:15 AM

Hi,

Do a Registry search.

Run the Farbar program .exe as an Administrator.

Copy and Paste the following in the Search text area,

DesktopLayer.exe

Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====

p.s. Do you know which program installs this Win32.Ramnit malware?

Will deal with the LAN after.

#11 ShadowOfTheDay (Topic Starter)

Posted 02 April 2018 - 04:41 PM

Hey there,

 

Here's the log from the registry scan:

 

Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Astronomy (03-04-2018 00:36:06)
Running from C:\Users\Astronomy\Desktop
Boot Mode: Normal
 
================== Search Registry: "DesktopLayer.exe" ===========
 
[HKEY_USERS\S-1-5-21-3396332571-2748628541-2424829021-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Astronomy\Microsoft\DesktopLayer.exe"="BitDefender Management Console"
 
====== End of Search ======
 
 
And I don't know which program, but a lot of the executable files on the D:\ disk such as games or certain programs create the ramnit. These are all old files so I'm guessing they've been infected ever since I received this ramnit. There's plenty of them so I'm trying to avoid having to delete all of them, but that might ultimately be the solution..
 
Thank you!


#12 nasdaq (Malware Response Team)

Posted 03 April 2018 - 06:35 AM

Hi,

I would not run any of the files on your removable or backup drives.

https://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99

If you need to do it, scan the file at VirusTotal first to find out if it's infected.
https://www.virustotal.com/#/home/upload
===

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-3396332571-2748628541-2424829021-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Astronomy\Microsoft\DesktopLayer.exe"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.
===

#13 ShadowOfTheDay (Topic Starter)

Posted 03 April 2018 - 08:54 AM

Hey,

 

Okay I've done the registry fix and rebooted.

 

I used VirusTotal and scanned pretty much every .exe on the D disk (took me a while, phew) and many of them were infected with ramnits, so I went ahead and removed the whole games/programs rather than the .exe's only and I'm now redownloading them. But here's the thing, one of the games I have (a Call of Duty) is almost guaranteed to create a *Srv.exe of it every time I ran it before, but VirusTotal did not detect anything in it, 100% clean.

I want to run the .exe but I need the green light from you to do so. I mean if there's any more additional fixes we can do to make sure we've deleted this ramnit then let's do it before taking the risk to run the game's .exe so please advise.

 

Oh, and one of the files scanned clean except for Bkav detecting W64.HfsAutoB.54FD in it. Is that anything I should be concerned about? I really prefer not deleting this file, so if this detection isn't dangerous I'd rather keep it.

 

I also used Symantec's ramnit removal tool and it removed/fixed plenty of .html's and some .exe's and .dll's infected with ramnits. I have the fix log for that if you need it.

 

Thank you very much!


Edited by ShadowOfTheDay, 03 April 2018 - 08:56 AM.


#14 nasdaq (Malware Response Team)

Posted 03 April 2018 - 12:39 PM

Hi,

I have (a Call of Duty) is almost guaranteed to create a *Srv.exe of it every time I ran it before, but VirusTotal did not detect anything in it, 100% clean.

I want to run the .exe but I need the green light from you to do so. I mean if there's any more additional fixes we can do to make sure we've deleted this ramnit then let's do it before taking the risk to run the game's .exe so please advise.


I would not run it just yet.

I would download a fresh copy from the main site.
Check the downloaded file at VirusTotal and, if clean, then take a chance and install it.
Your call.


Oh and one of the files scanned clean except for Bkav detecting W64.HfsAutoB.54FD in it. Is that anything I should be concerned about? I really prefer not deleting this file, so if this detection isn't dangerous I'd rather keeping it.


If it's something like this I would not worry about it.

https://www.virustotal.com/fr/file/495902c9fcc7a3e08e2bc2781497de169c5d874eb2c2471f5cd69b27d18088ee/analysis/1454884330/
===

Keep me posted.

#15 ShadowOfTheDay (Topic Starter)

Posted 04 April 2018 - 07:51 AM

Hey,

 

Okay never mind I removed that Call of Duty for good, I don't play it anymore anyway.

And yes the file I told you about is exactly like the link you posted. So I'm gonna keep it (yay!)

 

I searched my computer for *Srv.exe and Desktoplayer and I got nothing, so I suppose it's gone for now.

I think this ramnit's problem is lurking in a .exe, and when that .exe is opened it just spreads all over again. I'm gonna be careful about the new .exe's I get and scan them before opening.

 

Any more scans I'm recommended to do?

Thank you very much!
