FLau
Members
Posts: 11

Everything posted by FLau

  1. Thank you a lot for your help! I consider the adware to be removed for now! Thanks again & have a nice day Flau
  2. Hi! Here is the fixlog. The mentioned entries are gone after a re-scan. I assume that fixes my problem. The only entry that remains and might be related is:

     Task: {8B430336-0EB3-416C-99BD-FF2263676703} - System32\Tasks\Windows Remote Disc => H:\Node\\node.exe [54800536 2020-04-29] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{EE3E61FE-9C8D-4547-93F4-E6196313161D}\{80BDB538-79F6-4E58-88DE-53175C4C23B6}"

     But Farbar doesn't seem to identify it as a threat. Thank you for your help! Sincerely, Flau
     Fixlog.txt
  3. Hi! The following entries are questionable (FRST):

     Task: {73D75DFB-83C6-4372-8FA4-556CB6311BE8} - System32\Tasks\Intel(R)ContentKryptografiedienste => C:\Program Files (x86)\nodejs\node.exe -> C:\Windows\Installer\{8FF87EC6-8533-43AC-B0E9-0D4FCA0F3221}\{720A740F-4050-4BFD-B1D2-C325A30C496E} <==== ATTENTION
     Task: {AEDE2296-48D8-4036-A05F-1B035F691FD2} - System32\Tasks\Windows-AudioProtokollOfflinedateien => C:\Program Files\nodejs\node.exe -> C:\Windows\Installer\{95B63FA7-ED33-4E29-A708-0EF5B0306002}\{7AFB5CBB-AD8E-4A99-AC34-13CB5B160D9E} <==== ATTENTION

     Additions:

     FirewallRules: [TCP Query User{5C412A38-68F2-4431-A2C1-6AEC397336FD}C:\program files\lghub\lghub_agent.exe] => (Allow) C:\program files\lghub\lghub_agent.exe => No File
     FirewallRules: [UDP Query User{DAB571FF-E702-4961-BDB4-B2B8AD980C26}C:\program files\lghub\lghub_agent.exe] => (Allow) C:\program files\lghub\lghub_agent.exe => No File
     FirewallRules: [TCP Query User{AA36D589-2BEB-4EE1-9148-2AC374355ABC}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
     FirewallRules: [UDP Query User{010D1AAA-A778-4CFF-8D76-3DA3B9BB9178}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File

     Sincerely, Flau
     Addition.txt FRST.txt
  4. I have edited the registry like you said and the problem is currently not there. However, the "suspicious entries" marked with "ATTENTION" from Farbar still remain when I scan the system. Sincerely, and thank you for your help, Flau
  5. Hi! Yesterday evening I did another scan with the Farbar tool and looked at the FRST a bit longer and identified a few entries that I removed manually:

     Task: {8B430336-0EB3-416C-99BD-FF2263676703} - System32\Tasks\Windows Remote Disc => H:\Node\\node.exe [54800536 2020-04-29] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{EE3E61FE-9C8D-4547-93F4-E6196313161D}\{80BDB538-79F6-4E58-88DE-53175C4C23B6}"
     Task: {AEDE2296-48D8-4036-A05F-1B035F691FD2} - System32\Tasks\Windows-AudioProtokollOfflinedateien => C:\Program Files\nodejs\node.exe -> C:\Windows\Installer\{95B63FA7-ED33-4E29-A708-0EF5B0306002}\{7AFB5CBB-AD8E-4A99-AC34-13CB5B160D9E} <==== ATTENTION
     Task: {73D75DFB-83C6-4372-8FA4-556CB6311BE8} - System32\Tasks\Intel(R)ContentKryptografiedienste => C:\Program Files (x86)\nodejs\node.exe -> C:\Windows\Installer\{8FF87EC6-8533-43AC-B0E9-0D4FCA0F3221}\{720A740F-4050-4BFD-B1D2-C325A30C496E} <==== ATTENTION

     I also removed the AndyImagesInstall and AndyPreInstall manually from the Windows Installer folder. The files are gone now but those entries remain. I also uninstalled Node.js and reinstalled it at a different location (I need it for work). Since then, I had no more warnings from Malwarebytes. I assume the only reason I don't get new warnings is the fact that I installed Node on my H: partition. Those 2 are still a bit strange to me (Addition.txt):

     FirewallRules: [TCP Query User{AA36D589-2BEB-4EE1-9148-2AC374355ABC}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
     FirewallRules: [UDP Query User{010D1AAA-A778-4CFF-8D76-3DA3B9BB9178}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File

     Nonetheless, I still attached the files! Sincerely, Flau
     SearchReg.txt
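The FRST "Task:" and "FirewallRules:" lines quoted in this post (and in post 3) can be triaged mechanically rather than by eye. The script below is an added example written for this page; it is not FRST's or Malwarebytes' code and not something the poster ran. It parses the FRST text format exactly as printed above and applies three heuristics matching what the thread describes: a scheduled task whose launcher is a script host such as node.exe, a task argument that is an extensionless GUID\GUID path hidden under C:\Windows\Installer or C:\ProgramData\Package Cache, and an Allow firewall rule whose target binary FRST reports as "No File". The sample input is copied from the posts, plus one constructed benign task (the GoogleUpdate line, with a made-up GUID) to show that ordinary tasks are not flagged; the heuristic names, the SCRIPT_HOSTS set and the VENDOR_WORDS list are the example's own assumptions, not FRST rules.

```python
"""Triage of FRST 'Task:' and 'FirewallRules:' lines (added example, not FRST code)."""
import re
from dataclasses import dataclass

# One registry-style GUID in braces, as FRST prints it.
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# An extensionless <GUID>\<GUID> path under an installer cache directory:
# a place where a script can sit among legitimate MSI payloads unnoticed.
CACHE_PAYLOAD = re.compile(
    r"^[A-Za-z]:\\(?:Windows\\Installer|ProgramData\\Package Cache)\\"
    + GUID + r"\\" + GUID + r"$",
    re.IGNORECASE,
)

# Interpreters a scheduled task rarely needs to launch on a desktop (assumption).
SCRIPT_HOSTS = {"node.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Vendor words that appear in the look-alike task names of the thread (assumption).
VENDOR_WORDS = ("Windows", "Microsoft", "Intel(R)")

FIREWALL = re.compile(
    r"^FirewallRules: \[(?P<rule>[^\]]+)\] => \((?P<action>\w+)\) "
    r"(?P<path>.+?)(?: => (?P<note>No File))?$"
)


@dataclass
class Finding:
    kind: str      # "task" or "firewall"
    name: str      # task name or firewall rule name
    target: str    # what is executed / allowed
    reasons: list  # why it was flagged


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_task(line):
    """Split an FRST 'Task:' line into (task name, launcher exe, argument)."""
    line = line.strip().replace(" <==== ATTENTION", "")
    if not line.startswith("Task: "):
        return None
    # The LAST ' -> ' separates the argument; an earlier one may belong to the
    # '(Publisher -> Product)' signer field FRST prints after the exe. If the
    # only ' -> ' is inside that signer field, the task has no argument.
    head, sep, arg = line.rpartition(" -> ")
    if not sep or (arg.endswith(")") and "(" not in arg):
        head, arg = line, ""
    left, _, exe_part = head.partition(" => ")
    name = left.split("System32\\Tasks\\", 1)[-1]
    exe = exe_part.split(" [", 1)[0].strip()   # drop '[size date] (signer)'
    return name, exe, arg.strip().strip('"')


def assess_task(line):
    parsed = parse_task(line)
    if parsed is None:
        return None
    name, exe, arg = parsed
    launcher = basename(exe)
    reasons = []
    if launcher in SCRIPT_HOSTS:
        reasons.append("launcher is a script host: " + launcher)
    if CACHE_PAYLOAD.match(arg):
        reasons.append("argument is an extensionless GUID path in an installer cache")
    if launcher == "node.exe" and any(w in name for w in VENDOR_WORDS):
        reasons.append("task name imitates a vendor component but runs node.exe")
    return Finding("task", name, exe + " -> " + arg, reasons) if reasons else None


def assess_firewall(line):
    m = FIREWALL.match(line.strip())
    if not m:
        return None
    reasons = []
    if m.group("action").lower() == "allow" and m.group("note") == "No File":
        reasons.append("Allow rule whose target binary no longer exists")
    if basename(m.group("path")) in SCRIPT_HOSTS:
        reasons.append("rule opens the firewall for a script host")
    return Finding("firewall", m.group("rule"), m.group("path"), reasons) if reasons else None


def triage(lines):
    """Return the findings for a list of FRST log lines, in input order."""
    out = []
    for line in lines:
        f = assess_task(line) or assess_firewall(line)
        if f:
            out.append(f)
    return out


# Sample input: the entries quoted in the thread, plus one constructed benign
# task (made-up GUID) to show that ordinary tasks are not flagged.
SAMPLE_LINES = [
    r'Task: {8B430336-0EB3-416C-99BD-FF2263676703} - System32\Tasks\Windows Remote Disc => H:\Node\\node.exe [54800536 2020-04-29] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{EE3E61FE-9C8D-4547-93F4-E6196313161D}\{80BDB538-79F6-4E58-88DE-53175C4C23B6}"',
    r"Task: {AEDE2296-48D8-4036-A05F-1B035F691FD2} - System32\Tasks\Windows-AudioProtokollOfflinedateien => C:\Program Files\nodejs\node.exe -> C:\Windows\Installer\{95B63FA7-ED33-4E29-A708-0EF5B0306002}\{7AFB5CBB-AD8E-4A99-AC34-13CB5B160D9E} <==== ATTENTION",
    r"Task: {73D75DFB-83C6-4372-8FA4-556CB6311BE8} - System32\Tasks\Intel(R)ContentKryptografiedienste => C:\Program Files (x86)\nodejs\node.exe -> C:\Windows\Installer\{8FF87EC6-8533-43AC-B0E9-0D4FCA0F3221}\{720A740F-4050-4BFD-B1D2-C325A30C496E} <==== ATTENTION",
    r"Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153168 2020-03-01] (Google LLC -> Google LLC) -> /c",  # constructed
    r"FirewallRules: [TCP Query User{5C412A38-68F2-4431-A2C1-6AEC397336FD}C:\program files\lghub\lghub_agent.exe] => (Allow) C:\program files\lghub\lghub_agent.exe => No File",
    r"FirewallRules: [UDP Query User{DAB571FF-E702-4961-BDB4-B2B8AD980C26}C:\program files\lghub\lghub_agent.exe] => (Allow) C:\program files\lghub\lghub_agent.exe => No File",
    r"FirewallRules: [TCP Query User{AA36D589-2BEB-4EE1-9148-2AC374355ABC}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File",
    r"FirewallRules: [UDP Query User{010D1AAA-A778-4CFF-8D76-3DA3B9BB9178}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print("[%s] %s\n    %s\n    - %s" % (f.kind, f.name, f.target, "\n    - ".join(f.reasons)))
```

Run against the sample, the three node.exe tasks are reported with all three reasons, the constructed GoogleUpdate task is silent, the two lghub rules are reported only as stale Allow rules, and the two node.exe rules as both stale and script-host allowances. The parser deliberately keys on the last " -> " because FRST prints a "(Publisher -> Product)" signer field before the argument, as the first task line shows; a naive split on the first arrow would mis-read the signer as the payload path.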
  6. Hi! I know where those apps are from. That's where I got the virus from in the first place. Those programs are sadly not listed in the Control Panel, otherwise I would have removed them already. In fact, I removed ALL programs I installed since I got that nasty virus. Sincerely, Flau
  7. Hi! Unfortunately, the quarantine folder is empty, therefore I cannot restore any file and the problem remains. I skimmed through the Addition.txt and found two entries of the software that originally caused the problem:

     AndyImagesInstall (HKLM\...\{3EBE5CF7-02CA-4187-83A2-FCA61F8863EB}) (Version: 47.0.260 - Andy OS Inc.) Hidden
     AndyPreInstall (HKLM\...\{C89FF20F-BE49-461E-83EC-E9AC933C0C1F}) (Version: 47.0.260 - Andy OS Inc.) Hidden

     Might it be a good idea to remove those too? Greetings, Flau
  8. Hello! Thanks for your assistance. Unfortunately, the situation hasn't changed and Malwarebytes still detected and blocked the same two applications as before. After that I also signed out of my Firefox and restarted my computer again. Unfortunately, the problem remains and the two applications showed up again. Sincerely, Flau
     Fixlog.txt
  9. Hi, I recently downloaded and installed some Android emulator named "Andy" or a German version of "Audacity". Unfortunately, the .exe also installed all kinds of other software on my Windows 7 system. I removed most of the unwanted software but one problem remained: a search result hijacker for every browser was part of the package. It replaces the top 4 results with some cryptic redirect links that are luckily displayed in a different font, otherwise I wouldn't have noticed at all. I tracked the issue down to an add-on in Firefox/Chrome that I cannot remove. Malwarebytes can, but the add-on always reinstalls itself after a PC restart. The malware infects my Node.js installation and tries to download and reinstall all the components Malwarebytes removes. Here is the detail of the trojan:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 04/12/2020
     Protection Event Time: 08:30
     Log File: a40458c0-3602-11eb-aea1-00ff69844060.json

     -Software Information-
     Version: 4.2.3.96
     Components Version: 1.0.1122
     Update Package Version: 1.0.33848
     Licence: Trial

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files\nodejs\node.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Trojan
     Domain: de.mynodejs.net
     IP Address: 172.67.202.103
     Port: 80
     Type: Outbound
     File: C:\Program Files\nodejs\node.exe

     (end)

     However, there is another component. Like clockwork there appears an .exe file in my Windows\Temp folder that executes itself and tries a similar thing as the infected Node.js. Here is the corresponding log entry:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 04/12/2020
     Protection Event Time: 08:23
     Log File: ab94aee2-3601-11eb-b9df-00ff69844060.json

     -Software Information-
     Version: 4.2.3.96
     Components Version: 1.0.1122
     Update Package Version: 1.0.33828
     Licence: Trial

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Malware Details-
     File: 1
     Malware.AI.1792791521, C:\Windows\Temp\8a24130b-0e49-bdb4-1910-164f3aaf6cb8\7e34ad56-75bd-a3b8-8e9d-685c2aae25c7.exe, Quarantined, 1000000, 0, 1.0.33828, 5968C09775D709B36ADBD3E1, dds, 01012108, F1B044E9C52A9E2F60051D39000CC046, B140231893C88C5D7F9697E5451AE17D69A94688D8FDF1CBE00C9D4794F34D17

     (end)

     The hashes/name are always a bit different. I have no idea what else that adware infected, but it seems to be so deeply ingrained into my system that I cannot get rid of it. I tried basically all anti-malware tools (MSERT.exe, TDSSKiller, AdwCleaner, SuperAntiSpyware Pro, Avira, Malwarebytes, Spybot...). By now I am out of ideas. Any suggestion is very much appreciated!

     Edit: I also attached the logs from the Farbar Recovery Scan. I have regularly deleted the temp files before though. The Malwarebytes scan doesn't yield anything but the 2 quarantined elements I posted above. Sincerely, Flau
     Addition.txt FRST.txt
  10. Hi, I recently downloaded and installed some Android emulator named "Andy" or a German version of "Audacity". Unfortunately, the .exe also installed all kinds of other software on my Windows 7 system. I removed most of the unwanted software but one problem remained: a search result hijacker for every browser was part of the package. It replaces the top 4 results with some cryptic redirect links that are luckily displayed in a different font, otherwise I wouldn't have noticed at all. I tracked the issue down to an add-on in Firefox/Chrome that I cannot remove. Malwarebytes can, but the add-on always reinstalls itself after a PC restart. The malware infects my Node.js installation and tries to download and reinstall all the components Malwarebytes removes. Here is the detail of the trojan:

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Protection Event Date: 04/12/2020
      Protection Event Time: 08:30
      Log File: a40458c0-3602-11eb-aea1-00ff69844060.json

      -Software Information-
      Version: 4.2.3.96
      Components Version: 1.0.1122
      Update Package Version: 1.0.33848
      Licence: Trial

      -System Information-
      OS: Windows 7 Service Pack 1
      CPU: x64
      File System: NTFS
      User: System

      -Blocked Website Details-
      Malicious Website: 1
      , C:\Program Files\nodejs\node.exe, Blocked, -1, -1, 0.0.0, ,

      -Website Data-
      Category: Trojan
      Domain: de.mynodejs.net
      IP Address: 172.67.202.103
      Port: 80
      Type: Outbound
      File: C:\Program Files\nodejs\node.exe

      (end)

      However, there is another component. Like clockwork there appears an .exe file in my Windows\Temp folder that executes itself and tries a similar thing as the infected Node.js. Here is the corresponding log entry:

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Protection Event Date: 04/12/2020
      Protection Event Time: 08:23
      Log File: ab94aee2-3601-11eb-b9df-00ff69844060.json

      -Software Information-
      Version: 4.2.3.96
      Components Version: 1.0.1122
      Update Package Version: 1.0.33828
      Licence: Trial

      -System Information-
      OS: Windows 7 Service Pack 1
      CPU: x64
      File System: NTFS
      User: System

      -Blocked Malware Details-
      File: 1
      Malware.AI.1792791521, C:\Windows\Temp\8a24130b-0e49-bdb4-1910-164f3aaf6cb8\7e34ad56-75bd-a3b8-8e9d-685c2aae25c7.exe, Quarantined, 1000000, 0, 1.0.33828, 5968C09775D709B36ADBD3E1, dds, 01012108, F1B044E9C52A9E2F60051D39000CC046, B140231893C88C5D7F9697E5451AE17D69A94688D8FDF1CBE00C9D4794F34D17

      (end)

      The hashes/name are always a bit different. I have no idea what else that adware infected, but it seems to be so deeply ingrained into my system that I cannot get rid of it. I tried basically all anti-malware tools (MSERT.exe, TDSSKiller, AdwCleaner, SuperAntiSpyware Pro, Avira, Malwarebytes, Spybot...). By now I am out of ideas. Any suggestion is very much appreciated! Sincerely, Flau