Wermgr.exe Trojan Need Help



Hi, 

 

I own a Surface Pro 4 that is infected with malware that I detected myself in Process Explorer: wermgr.exe, under the Task Scheduler svchost process, calling a remote host. I don't do much browsing of the web, only to download software from the official sites, and I kept the Surface Pro offline most of the time until I check for Windows updates.

 

I found out that this piece of malware is running as Administrator (bypassing UAC), since I use a Standard account at all times, and I use a PIN linked to my Admin account for the logon credentials rather than the password itself.

 

This might be a new piece of malware that was hidden in %AppData% with a signed author and only detected by one antivirus company, Cylance, on VirusTotal as "unsafe". There are linked DLL files that are detected by the same company as "unsafe".

 

  • 3 Files: xxx.tmp.exe - only 1 file uploaded to VirusTotal [e44f34094d79f7a95d67e373416fc917d6231c9bfceee38f915c219fd18b9ee5]
  • The Windows.Security.Authentication.Onlineid.dll 
  • udwm.dll 
  • Mswsock.dll
  • RunCampaignManager (Windows\UNP)
  • Appuniverifierinstall

 

Wermgr.exe is constantly sending TCP requests to the following domain. I can't seem to find anything in Task Scheduler.

 

I have been on the forum in the past with problems on the same Surface Pro: 5 reformats in the past year and a half. I take really good care of my devices.

 

Another suspicious one is WinStore.App.exe, which keeps running when it has never been touched since the reformat. I don't use a Microsoft Account.

 

Here are the Farbar Recovery Scan Tool (FRST) logs:

 

IMG_5979.JPG

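The opening post reports wermgr.exe, under the Task Scheduler svchost process, holding TCP connections to a remote host. wermgr.exe is the Windows Error Reporting manager; the genuine binary lives in %SystemRoot%\System32, is Microsoft-signed, and is normally started by the Task Scheduler service for the WER reporting task, so the first thing to establish is whether the image making the connections is that file or something borrowing its name. The following is an added example, not code from the thread or from any of its participants: from an elevated PowerShell prompt it maps each outbound TCP connection to its owning process, then checks the image path, Authenticode signature and parent PID. It assumes Windows 8.1 or later (for Get-NetTCPConnection); the process names it flags are the ones named in the post.

```powershell
# Added example (not from the original thread): map outbound TCP connections to the
# owning process and verify where that process's image lives and who signed it.
# Run from an elevated PowerShell prompt. Assumes Get-NetTCPConnection (Windows 8+).

$connections = Get-NetTCPConnection -State Established, SynSent |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1', '0.0.0.0') }

$report = foreach ($c in $connections) {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
    if (-not $proc) { continue }   # connection owner already exited

    $path = $proc.ExecutablePath   # $null for some system processes
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                Get-AuthenticodeSignature -FilePath $path
            } else { $null }

    [pscustomobject]@{
        Process     = $proc.Name
        PID         = $proc.ProcessId
        ParentPID   = $proc.ParentProcessId
        Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
        ImagePath   = $path
        InSystem32  = if ($path) { $path -like "$env:SystemRoot\System32\*" } else { $false }
        SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        CommandLine = $proc.CommandLine
    }
}

# A process carrying a Windows component's name but living outside System32, or
# without a valid Microsoft signature, is the thing to look at first.
$suspect = $report | Where-Object {
    $_.Process -in @('wermgr.exe', 'svchost.exe') -and
    (-not $_.InSystem32 -or $_.SigStatus -ne 'Valid' -or $_.Signer -notlike '*Microsoft*')
}

if ($suspect) { $suspect | Format-List } else { Write-Host 'No mis-placed or unsigned wermgr/svchost images found.' }

# Full picture, for the remote hosts each process is talking to
$report | Sort-Object Process, Remote | Format-Table Process, PID, ParentPID, Remote, InSystem32, SigStatus -AutoSize
```

If the genuine System32 wermgr.exe is what is connecting, the remote side is normally Microsoft's error-reporting service and the ParentPID is the Schedule svchost, which matches what Process Explorer showed here; a copy elsewhere on disk, or an unsigned one, is a different matter and is the file to hash and upload.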
  • Root Admin

Hello @SurfaceProfessional64x

Sorry for the delay.

 

The file is 1/64 on VirusTotal, so it is very unlikely to be an infected file, but the method being used is probably from a threat.

https://virustotal.com/en/file/e44f34094d79f7a95d67e373416fc917d6231c9bfceee38f915c219fd18b9ee5/analysis/

Copyright: Copyright © Kai Liu. All rights reserved.
Original name: elevate.exe
File version: 1.4.0.0
Description: Command-Line UAC Elevation Utility

 

Can you please locate this file, zip it up and attach it for me with a password of "infected":

{0788F9AC-50B1-43CB-A408-2E4D80C72DE9}.exe

The log shows it should be in this folder: 

C:\Users\Lucadmin\AppData\Local\Temp\{35E04D6A-4BFC-4062-B1D0-3B2A2B30003A}

 

Did you install PuTTY yourself? I see it's installed.

 

ATTENTION: System Restore is disabled. Please look at enabling System Restore. If you need help on how to do this, please let me know.

 

Thanks

Ron

 

 

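The reply above identifies the sample from its VirusTotal record by the version resource (original name elevate.exe, description "Command-Line UAC Elevation Utility") and a 1/64 detection rate, and asks for the file from a GUID-named folder under the user's local Temp. The same fields can be read locally, along with the hash to compare against the one quoted earlier in the thread, before anything is uploaded. The following is an added example, not code from the thread or its participants: it inventories executables under the GUID-named folders in %LOCALAPPDATA%\Temp, records SHA-256, version resource and signature for each, and flags any file whose hash matches the thread's sample. The hash list and the folder-name pattern are assumptions taken from the post; the folder that the current account cannot read (the situation described later in this thread) is reported rather than silently skipped, because that is the file that then has to be recovered another way.

```powershell
# Added example (not from the original thread): inventory .exe/.dll/.tmp files in
# GUID-named Temp folders and compare their SHA-256 against a known sample hash.
# Assumptions: run as the affected user or point -Root at that profile's Temp;
# the default hash is the one quoted in the thread.

param(
    [string]$Root = "$env:LOCALAPPDATA\Temp",
    [string[]]$KnownHashes = @('E44F34094D79F7A95D67E373416FC917D6231C9BFCEEE38F915C219FD18B9EE5')
)

$guidFolder = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$folders = Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidFolder }

$files = foreach ($d in $folders) {
    # A folder this account cannot list is exactly the case in the thread: report it,
    # because its contents will be missing from the inventory and need RawCopy or WinRE.
    $err = $null
    Get-ChildItem -LiteralPath $d.FullName -Recurse -Force -File -ErrorAction SilentlyContinue -ErrorVariable err |
        Where-Object { $_.Extension -in '.exe', '.dll', '.tmp' }
    if ($err) { Write-Warning "Could not list $($d.FullName): $($err[0].Exception.Message)" }
}

$inventory = foreach ($f in $files) {
    $vi  = $f.VersionInfo                     # same fields VirusTotal shows under "file version information"
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $sha = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash

    [pscustomobject]@{
        Path         = $f.FullName
        SizeKB       = [math]::Round($f.Length / 1KB, 1)
        LastWrite    = $f.LastWriteTime
        SHA256       = if ($sha) { $sha } else { '(unreadable)' }
        KnownSample  = [bool]($sha -and ($KnownHashes -contains $sha))
        OriginalName = $vi.OriginalFilename
        Description  = $vi.FileDescription
        Copyright    = $vi.LegalCopyright
        FileVersion  = $vi.FileVersion
        SigStatus    = $sig.Status
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Matches to the known hash, plus anything unsigned or unreadable, come first
$inventory |
    Where-Object { $_.KnownSample -or $_.SigStatus -ne 'Valid' } |
    Sort-Object KnownSample -Descending |
    Format-List Path, SHA256, KnownSample, OriginalName, Description, FileVersion, SigStatus, Signer
```

Save it as a .ps1 and run it from an elevated prompt; the hash that comes back for the sample should equal the one on the VirusTotal page before the file is zipped and attached, and a "(unreadable)" entry or a "Could not list" warning means the file has to be collected by another route, as the rest of this thread does.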

Thanks for your reply. I should have added the details from VirusTotal. Sorry for that.

I had to log in as Administrator to access %AppData%; the folder is shown but it appears empty in the mouse-over view (I assume Administrator is not assigned, so I cannot see what it contains).

I believe the Administrator permissions are not assigned to this folder. Should I click Continue at the UAC prompt to access it?

Yes, I use PuTTY for SSHing into my Raspberry Pis.


  • Root Admin

Microsoft just hides those folder and file locations by default (no one knows why they chose those defaults) - you need to enable them to see those locations.

https://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Please give that a try.

Ron

 


It was already set to enabled a while ago. I'm receiving this access denied message; I tried taking ownership of the folder, but it is not working.

Would FileAssassin tool help with this? I haven't used it before.

The owner was "SURFPRO4\Administrator" before I changed it to "SURFPRO4\Lucadmin".

 

Capture2.PNG


  • Root Admin

There are a few ways we can look at getting this file. I'd rather not have to mess with lock, unlock, permissions, etc if we can avoid it.
Let me have you try the following tool and see if it can copy the file for us.

RawCopy
Please visit this site; on the right-hand side there should be a green button with a little down-arrow indicator. Click that, select "Download ZIP" and save the file to your computer.
Then open that file and extract the contents to a new folder. An example would be C:\RawCopy

Then click on your Start menu, locate the Command Prompt and run it with elevated Admin rights. Then from the command prompt change directory into the new folder you created.

CD /D C:\RawCopy

Then type the following exactly and press the Enter key

rawcopy64.exe /FileNamePath:"C:\Users\Lucadmin\AppData\Local\Temp\{35E04D6A-4BFC-4062-B1D0-3B2A2B30003A}\{0788F9AC-50B1-43CB-A408-2E4D80C72DE9}.exe" /OutputPath:C:\Users\Lucadmin\Desktop  /OutputName:samplebadfile.txt

 

Or if you like, download the file RawCopy, extract it to C:\RawCopy and then run the following fix to have it run the command for you. Then zip the file and upload it to me on your next reply.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

 

 

fixlist.txt

Then on your desktop find and upload this file:  samplebadfile.txt

 

If you need further directions please let me know.

 

 


Both methods came back with "Warning: File not found with regular file search: C:\Users\Lucadmin\AppData\Local\Temp\{35E04D6A-4BFC-4062-B1D0-3B2A2B30003A}\{0788F9AC-50B1-43CB-A408-2E4D80C72DE9}.exe"

A popup says I can only upload a 29.3 MB file; samplebadfile is 565 MB, and I tried to compress it into a .zip (59.8 MB). Not sure if it collected anything in the locked folder.
 

Fixlog.txt


My account has Full Control, as shown in the image in my previous post, but it is still telling me that I need Read permissions; they are all enabled.

The permission entries were already like that by default. The other option I can think of is to create a new account with admin privileges and add that account to the security permissions with full access.


  • Root Admin

We can get to the file from within the Recovery Environment. You'll need a USB stick or drive and try the following.

 

Please download Farbar Recovery Scan Tool and save it to a USB flash drive.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

Plug the flash drive into the infected PC and start the computer into the Recovery Options for Command Prompt.

Windows Vista, 7

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

Windows 8, 8.1
Please see
How to use the Windows 8 System Recovery Environment Command Prompt

Windows 10
Please see
How to Start Windows 10 in Safe Mode with Command Prompt

How to Boot to Advanced Startup Options in Windows 10

Note: In case you can not enter System Recovery Options by using F8 method, you can use a Windows installation disc, or make a repair disc.
Any Windows installation disc or a repair disc made on another computer can be used.
Choose one of the options below to download and create a Windows Repair Disk or Installation Disk. Either one can be used.

How to Create a Windows 7 System Repair Disc
How to Create a System Repair Disc in Windows 10
Microsoft Windows and Office ISO Download Tool

You may also download from Microsoft but you will need to input your license key first. The above links do not require your key

Download Windows 7 Disc Images (ISO Files)
Download Windows 8.1
Download Windows 10

 

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • Notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

 

 

 

 


  • Root Admin

Are you proficient enough with Windows or DOS command prompt to go check for that file now from the Recovery Environment?

 

See if you can find any files in this folder and let me know what you find. Looking mainly for executable files.

C:\Users\Lucadmin\AppData\Local\Temp\{35E04D6A-4BFC-4062-B1D0-3B2A2B30003A}

 


  • Root Admin

Great, try this please. Then see if you can upload that file: c:\badfile.txt

 

copy C:\Users\Lucadmin\AppData\Local\Temp\{7E2B9CC4-C7C1-45D0-AC2B-FF40DAC06B22}\{0EF1211C-E763-4F69-977A-9215949F0858}.exe c:\badfile.txt

 


  • Root Admin

Wow, that makes no sense at all. That file is the Kaspersky TDSS rootkit detection and removal tool.

https://www.virustotal.com/#/file/1d410ca508264c971b2e9d2a9ec6e87dc09597ef3a3c383e86a009e5a1da9cf8/detection

I have no idea why that file would be there or being called like that. Let's go ahead then and do some clean up on your computer.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

 

fixlist.txt

 

Thanks

Ron

 
