SurfaceProfessional64x Posted August 7, 2017

Hi, I own a Surface Pro 4 that is infected with a malware that I detected myself on Process Explorer calling a remote host under the Task Scheduler svchost process as wermgr.exe. I don't do much browsing the web, only to download software from their official sites, and I kept the Surface Pro offline most times until I check for Windows updates. I found out that this piece of malware is running as Administrator (bypass UAC) since I use a Standard account at all times, and I use a PIN linked to my Admin account for the logon credentials rather than the password itself. This might be a new piece of malware that was hidden in %Appdata% with a signed author and only detected by one antivirus company: Cylance on VirusTotal as "unsafe". There are linked DLL files that are detected by the same company as "unsafe".

3 Files: xxx.tmp.exe - only 1 file uploaded to VirusTotal [e44f34094d79f7a95d67e373416fc917d6231c9bfceee38f915c219fd18b9ee5]
The Windows.Security.Authentication.Onlineid.dll
udwm.dll
Mswsock.dll
RunCampaignManager (Windows\UNP)
Appuniverifierinstall

Wermgr.exe is constantly sending TCP requests to the following domain; I can't seem to find anything in Task Scheduler. I have been on the forum in the past with problems on the same Surface Pro, 5 reformats in the past year and a half. I take really good care with my devices. Another suspicious item is WinStore.App.exe that keeps running when it's never been touched since the reformat. I don't use a Microsoft Account. Here are the Farbar Recovery Scan Tool (FRST) logs.
SurfaceProfessional64x Posted August 7, 2017

Addition.txt
FRST.txt

Edited August 7, 2017 by SurfaceProfessional64x
SurfaceProfessional64x Posted August 9, 2017

Hello?
AdvancedSetup (Root Admin) Posted August 9, 2017

Hello @SurfaceProfessional64x

Sorry for the delay. The file is 1/64 on VirusTotal, very unlikely an infected file, but the method being used is probably from a threat.
https://virustotal.com/en/file/e44f34094d79f7a95d67e373416fc917d6231c9bfceee38f915c219fd18b9ee5/analysis/

Copyright: Copyright © Kai Liu. All rights reserved.
Original name: elevate.exe
File version: 1.4.0.0
Description: Command-Line UAC Elevation Utility

Can you please locate and zip this file up and attach it for me with a password of "infected":
{0788F9AC-50B1-43CB-A408-2E4D80C72DE9}.exe

The log shows it should be in this folder:
C:\Users\Lucadmin\AppData\Local\Temp\{35E04D6A-4BFC-4062-B1D0-3B2A2B30003A}

Did you install PuTTY yourself? I see it's installed.

ATTENTION: System Restore is disabled. Please look at enabling System Restore. If you need help on how to do that, please let me know.

Thanks
Ron

Edited August 9, 2017 by AdvancedSetup
SurfaceProfessional64x Posted August 9, 2017

Thanks for your reply. I should have added the details from VirusTotal, sorry for that. I had to log in as Administrator to access %Appdata%; the folder is shown but it is empty from the mouse-over view (I assume Administrator is not assigned, so I cannot see what it contains). I believe the Administrator permissions are not assigned to this folder. Should I click Continue to access the UAC prompt?

Yes, I use PuTTY for SSHing into my Raspberry Pis.
AdvancedSetup (Root Admin) Posted August 9, 2017

Microsoft just hides those folder and file locations by default (no one knows why they chose those defaults); you need to enable them to see those locations.
https://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Please give that a try.

Ron
SurfaceProfessional64x Posted August 10, 2017

It was already set to enabled a while ago. I'm receiving this access denied message; I tried taking ownership of the folder, not working. Would the FileAssassin tool help with this? I haven't used it before. The owner was "SURFPRO4\Administrator" before I changed it to "SURFPRO4\Lucadmin".

Edited August 10, 2017 by SurfaceProfessional64x
AdvancedSetup (Root Admin) Posted August 10, 2017

There are a few ways we can look at getting this file. I'd rather not have to mess with lock, unlock, permissions, etc. if we can avoid it. Let me have you try the following tool and see if it can copy the file for us.

RawCopy

Please visit this site; on the right hand side there should be a green button with a little down arrow indicator. Click that and select "Download Zip" and save the file to your computer. Then open that file and extract the contents to a new folder. An example would be C:\RawCopy

Then click on your Start menu, locate the Command Prompt and run it with elevated Admin rights. Then from the command prompt change directory into the new folder you created:

CD /D C:\RawCopy

Then type the following exactly and press the Enter key:

rawcopy64.exe /FileNamePath:"C:\Users\Lucadmin\AppData\Local\Temp\{35E04D6A-4BFC-4062-B1D0-3B2A2B30003A}\{0788F9AC-50B1-43CB-A408-2E4D80C72DE9}.exe" /OutputPath:C:\Users\Lucadmin\Desktop /OutputName:samplebadfile.txt

Or, if you like, download the file RawCopy, extract it to C:\RawCopy and then run the following fix to have it run the command for you. Then zip the file and upload it to me on your next reply.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.

fixlist.txt

Then on your desktop find and upload this file: samplebadfile.txt

If you need further directions, please let me know.

Edited August 10, 2017 by AdvancedSetup
SurfaceProfessional64x Posted August 11, 2017

Both methods came back with "Warning: File not found with regular file search: C:\Users\Lucadmin\AppData\Local\Temp\{35E04D6A-4BFC-4062-B1D0-3B2A2B30003A}\{0788F9AC-50B1-43CB-A408-2E4D80C72DE9}.exe"

A popup says I can only upload a 29.3 MB file; samplebadfile is 565 MB. I tried to compress it into a .zip (59.8 MB). Not sure if it collected anything in the locked folder.

Fixlog.txt
AdvancedSetup (Root Admin) Posted August 11, 2017

Go ahead and take ownership of that folder and add your account to FULL access. Then see if you can get in and find the executable file. If you need help on that, let me know please.
SurfaceProfessional64x Posted August 11, 2017

My account has full control as shown in the image in my previous post, but it is still telling me that I need Read permissions... they are all enabled. The permission entries were already like that by default. The other option I can think of is to create a new account with admin privileges and add the account to the security permissions with full access.
AdvancedSetup (Root Admin) Posted August 11, 2017

We can get to the file from within the Recovery Environment. You'll need a USB stick or drive; try the following.

Please download Farbar Recovery Scan Tool and save it to a USB flash drive.
Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.

Plug the flash drive into the infected PC and start the computer into the Recovery Options for Command Prompt.

Windows Vista, 7
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

Windows 8, 8.1
Please see How to use the Windows 8 System Recovery Environment Command Prompt

Windows 10
Please see How to Start Windows 10 in Safe Mode with Command Prompt
How to Boot to Advanced Startup Options in Windows 10

Note: In case you can not enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used. Choose one of the options below to download and create a Windows Repair Disk or Installation Disk. Either one can be used.
- How to Create a Windows 7 System Repair Disc
- How to Create a System Repair Disc in Windows 10
- Microsoft Windows and Office ISO Download Tool

You may also download from Microsoft, but you will need to input your license key first. The above links do not require your key.
- Download Windows 7 Disc Images (ISO Files)
- Download Windows 8.1
- Download Windows 10

To enter System Recovery Options by using a Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

Select Command Prompt.

Once in the Command Prompt:
- In the command window type in notepad and press Enter. Notepad opens.
- Under the File menu select Open.
- Select "Computer", find your flash drive letter and close Notepad.
- In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
  Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.
SurfaceProfessional64x Posted August 11, 2017

FRST.txt
AdvancedSetup (Root Admin) Posted August 11, 2017

Are you proficient enough with the Windows or DOS command prompt to go check for that file now from the Recovery Environment? See if you can find any files in this folder and let me know what you find. Looking mainly for executable files.

C:\Users\Lucadmin\AppData\Local\Temp\{35E04D6A-4BFC-4062-B1D0-3B2A2B30003A}

Edited August 11, 2017 by AdvancedSetup
SurfaceProfessional64x Posted August 11, 2017

Yeah ok, I will see if I can access it from both the cmd prompt and through the Notepad open dialog from your step-by-step instructions.
AdvancedSetup (Root Admin) Posted August 11, 2017

From a COMMAND Prompt you should be able to run this command:

DIR /A /S C:\Users\Lucadmin\AppData\Local\Temp > c:\tempfiles.txt

Then upload the file C:\TEMPFILES.TXT
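The DIR listing above records only names and sizes. As an added triage script (not part of this thread, and not an FRST or Malwarebytes procedure), the PowerShell below extends the same idea for a defender: it walks the Temp tree including hidden folders, hashes every executable and DLL, checks its Authenticode signature, flags anything matching the VirusTotal hash quoted earlier in the thread, and lists scheduled tasks whose action references wermgr.exe or one of those files, which is the launch path the original poster could not find by eye. The Temp path and hash come from the thread; $TempRoot is assumed to be the only folder of interest.

```powershell
# Added triage script (not from the thread). Run from an elevated PowerShell on
# the affected machine. Read-only: it lists, hashes and reports, changes nothing.
$TempRoot  = 'C:\Users\Lucadmin\AppData\Local\Temp'   # path quoted in the thread
$KnownHash = 'E44F34094D79F7A95D67E373416FC917D6231C9BFCEEE38F915C219FD18B9EE5'  # VirusTotal SHA-256 from the thread

# 1. Every executable/DLL under Temp, hidden folders included (-Force). Folders
#    that deny access are skipped rather than aborting the whole walk.
$exes = Get-ChildItem -Path $TempRoot -Recurse -Force -Include '*.exe','*.dll' -ErrorAction SilentlyContinue

$findings = foreach ($f in $exes) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SizeKB    = [math]::Round($f.Length / 1KB)
        LastWrite = $f.LastWriteTime
        SHA256    = $hash
        MatchesVT = ($hash -eq $KnownHash)   # True for the elevate.exe sample discussed above
        SigStatus = $sig.Status              # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer    = $sig.SignerCertificate.Subject
    }
}
$findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize

# 2. Scheduled tasks whose action launches wermgr.exe or any file found above.
#    A task action is the usual way a Temp-resident binary keeps running under
#    the Task Scheduler svchost, which is where Process Explorer showed it.
$watch = @('wermgr.exe') + ($findings | ForEach-Object { $_.Path })
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        foreach ($w in $watch) {
            if ($cmd -like "*$w*") {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    State   = $task.State
                    Command = $cmd
                }
            }
        }
    }
} | Format-Table -AutoSize
```

A signed binary with SigStatus Valid (as the elevate.exe copy in this thread is) is not proof of safety; the task that invokes it and its arguments are what show whether a legitimate tool is being abused.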
SurfaceProfessional64x Posted August 11, 2017

tempfiles.txt
AdvancedSetup (Root Admin) Posted August 11, 2017

Great, try this please:

copy C:\Users\Lucadmin\AppData\Local\Temp\{7E2B9CC4-C7C1-45D0-AC2B-FF40DAC06B22}\{0EF1211C-E763-4F69-977A-9215949F0858}.exe c:\badfile.txt

Then see if you can upload that file: c:\badfile.txt

Edited August 11, 2017 by AdvancedSetup
SurfaceProfessional64x Posted August 11, 2017

4.49 MB file... How to compress it below 29.3 MB? I'm using 7-Zip.
- "samplebadfile.zip" = 59.8 MB (the first locked folder {35E04....}) seems to have something
- "badfile.zip" = 4.46 MB (second folder {7E2B...})

Edited August 11, 2017 by SurfaceProfessional64x
SurfaceProfessional64x Posted August 11, 2017

Oops, silly me... 4.49 MB is below the max file upload... locked with the password you provided to me.

badfile.7z

Typed it wrong.. capital "I" not "i".

Edited August 11, 2017 by SurfaceProfessional64x
AdvancedSetup (Root Admin) Posted August 11, 2017

Sorry, if I gave you one I forgot. Normally we use "infected" but that did not work. Please send me the password and I'll check back on you again sometime tomorrow.

Thank you again
Ron
SurfaceProfessional64x Posted August 11, 2017

Password: "Infected". Thanks for the help so far.

Edited August 11, 2017 by SurfaceProfessional64x
AdvancedSetup (Root Admin) Posted August 11, 2017

I have tried that password and it's not working for me. I even tried with the quote marks (not needed) and that too did not work. Currently I can't open the file. Can you please verify the password again?

Thanks
Ron
SurfaceProfessional64x Posted August 12, 2017

I replaced it with the password infected, lower case.

badfile.7z

Edited August 12, 2017 by SurfaceProfessional64x
AdvancedSetup (Root Admin) Posted August 12, 2017

Wow, that makes no sense at all. That file is the Kaspersky TDSS rootkit detection and removal tool.
https://www.virustotal.com/#/file/1d410ca508264c971b2e9d2a9ec6e87dc09597ef3a3c383e86a009e5a1da9cf8/detection

I have no idea why that file would be there or be called like that. Let's go ahead then and do some clean up on your computer.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.

fixlist.txt

Thanks
Ron