
Adware that Seems impossible to remove (but is blocked by your AI-tool)


FLau
Solved by nasdaq


Hi,

I recently downloaded and installed some Android emulator named "Andy" or a German version of "Audacity". Unfortunately, the .exe also installed all kinds of other Software on my Windows 7 system.

I removed most of the unwanted Software but one problem remained: A search result hijacker for every browser was part of the package. It replaces the top 4 results with some cryptic redirect links that are luckily displayed in a different font, otherwise I wouldn't have noticed at all.

I tracked the issue down to an add-on in Firefox/Chrome that I cannot remove. Malwarebytes can, but the add-on always reinstalls itself after a PC restart.
The malware infects my Node.js installation and tries to download and reinstall all the components Malwarebytes removes. Here are the details of the trojan:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 04/12/2020
Protection Event Time: 08:30
Log File: a40458c0-3602-11eb-aea1-00ff69844060.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.33848
Licence: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\nodejs\node.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: de.mynodejs.net
IP Address: 172.67.202.103
Port: 80
Type: Outbound
File: C:\Program Files\nodejs\node.exe


(end)

However, there is another component. Like clockwork, an .exe file appears in my Windows\Temp folder that executes itself and tries something similar to the infected Node.js. Here is the corresponding log entry:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 04/12/2020
Protection Event Time: 08:23
Log File: ab94aee2-3601-11eb-b9df-00ff69844060.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.33828
Licence: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Malware.AI.1792791521, C:\Windows\Temp\8a24130b-0e49-bdb4-1910-164f3aaf6cb8\7e34ad56-75bd-a3b8-8e9d-685c2aae25c7.exe, Quarantined, 1000000, 0, 1.0.33828, 5968C09775D709B36ADBD3E1, dds, 01012108, F1B044E9C52A9E2F60051D39000CC046, B140231893C88C5D7F9697E5451AE17D69A94688D8FDF1CBE00C9D4794F34D17


(end)

The hashes/name are always a bit different.

I have no idea what else that adware infected, but it seems to be so deeply ingrained into my system that I cannot get rid of it. I tried basically all anti malware tools (MSERT.exe, tdsskiller, adwCleaner, SuperAntiSpywarePro, Avira, MalwareBytes, Spybot...). By now I am out of ideas. Any suggestion is very much appreciated!

Edit: I also attached the logs from the Farbar Recovery Scan. I have regularly deleted the temp files before though. The Malwarebytes Scan doesn't yield anything but the 2 quarantined elements I posted above.

Sincerely Flau

Addition.txt FRST.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists and you are syncing Firefox with other devices, reset it.

Navigate to this page and Remove it as suggested.

https://support.mozilla.org/en-US/kb/remove-synced-device-firefox-accounts

When done restart the computer normally.

If all is well.

Return to your Firefox Account and Click the Connect button.

Reset the sync if you want.

Restart the computer normally.
<<<>>>


Please post the Fixlog.txt and let me know if the problem is solved.

fixlist.txt


Hello!

Thanks for your assistance. Unfortunately, the situation hasn't changed and Malwarebytes still detected and blocked the same two applications as before.

After that I also signed out of my Firefox and restarted my computer again.

Unfortunately, the problem remains and the two applications showed up again.

Sincerely
Flau

Fixlog.txt



Hi,

The file reported may have been quarantined.

How to Delete/Restore quarantined files.
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus

Follow the directives on the page to delete all the files in the quarantine folder.

Restart the computer normally when done.

Is the problem solved?


Hi!

Unfortunately, the quarantine folder is empty, therefore I cannot restore any file and the problem remains.

I skimmed through the additions.txt and found two entries of the software that originally caused the problem:

AndyImagesInstall (HKLM\...\{3EBE5CF7-02CA-4187-83A2-FCA61F8863EB}) (Version: 47.0.260 - Andy OS Inc.) Hidden
AndyPreInstall (HKLM\...\{C89FF20F-BE49-461E-83EC-E9AC933C0C1F}) (Version: 47.0.260 - Andy OS Inc.) Hidden

Might it be a good idea to remove those too?

Greetings
Flau


Hi


AndyImagesInstall (HKLM\...\{3EBE5CF7-02CA-4187-83A2-FCA61F8863EB}) (Version: 47.0.260 - Andy OS Inc.) Hidden


AndyPreInstall (HKLM\...\{C89FF20F-BE49-461E-83EC-E9AC933C0C1F}) (Version: 47.0.260 - Andy OS Inc.) Hidden

These apps are from 
https://www.andyroid.net/

Read about it.


If you do not need them you can remove the programs using Control Panel > Add/Remove Programs ...

Restart the computer normally after the deletion.

====


Hi!

I know where those apps are from. That's where I got the virus from in the first place.

Those programs are sadly not listed in the Control Panel, otherwise I would have removed them already. In fact, I removed ALL programs I installed since I got that nasty virus.

Sincerely,
Flau


Hi


Let's see what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
AndyImagesInstall;AndyPreInstall
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====


Hi!

Yesterday evening I did another scan with the Farbar tool, looked at the FRST log a bit longer and identified a few entries that I removed manually:

Task: {8B430336-0EB3-416C-99BD-FF2263676703} - System32\Tasks\Windows Remote Disc => H:\Node\\node.exe [54800536 2020-04-29] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{EE3E61FE-9C8D-4547-93F4-E6196313161D}\{80BDB538-79F6-4E58-88DE-53175C4C23B6}"
Task: {AEDE2296-48D8-4036-A05F-1B035F691FD2} - System32\Tasks\Windows-AudioProtokollOfflinedateien => C:\Program Files\nodejs\node.exe -> C:\Windows\Installer\{95B63FA7-ED33-4E29-A708-0EF5B0306002}\{7AFB5CBB-AD8E-4A99-AC34-13CB5B160D9E} <==== ATTENTION
Task: {73D75DFB-83C6-4372-8FA4-556CB6311BE8} - System32\Tasks\Intel(R)ContentKryptografiedienste => C:\Program Files (x86)\nodejs\node.exe -> C:\Windows\Installer\{8FF87EC6-8533-43AC-B0E9-0D4FCA0F3221}\{720A740F-4050-4BFD-B1D2-C325A30C496E} <==== ATTENTION

I also removed AndyImagesInstall and AndyPreInstall manually from the Windows Installer folder.

The files are gone now but those entries remain. I also uninstalled Node.js and reinstalled it at a different location (I need it for work). Since then, I have had no more warnings from Malwarebytes. I assume the only reason I don't get new warnings is the fact that I installed Node on my H: partition.

Those 2 are still a bit strange to me (additions.txt):
FirewallRules: [TCP Query User{AA36D589-2BEB-4EE1-9148-2AC374355ABC}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
FirewallRules: [UDP Query User{010D1AAA-A778-4CFF-8D76-3DA3B9BB9178}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File

Nonetheless, I still attached the files!

Sincerely
Flau

SearchReg.txt


Copy all the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.

Quote

Windows Registry Editor Version 5.00

; "=-" deletes the named value from the key
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7FC5EBE3AC207814382ACF6AF18836BE]
"ProductName"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7FC5EBE3AC207814382ACF6AF18836BE\SourceList]
"PackageName"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7FC5EBE3AC207814382ACF6AF18836BE\InstallProperties]
"DisplayName"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3EBE5CF7-02CA-4187-83A2-FCA61F8863EB}]
"DisplayName"=-

Restart the computer when completed.

You can delete the fixme.reg file when done.


Let me know if the problem is solved.


Hi!

The following entries are questionable (FRST):

Task: {73D75DFB-83C6-4372-8FA4-556CB6311BE8} - System32\Tasks\Intel(R)ContentKryptografiedienste => C:\Program Files (x86)\nodejs\node.exe -> C:\Windows\Installer\{8FF87EC6-8533-43AC-B0E9-0D4FCA0F3221}\{720A740F-4050-4BFD-B1D2-C325A30C496E} <==== ATTENTION
Task: {AEDE2296-48D8-4036-A05F-1B035F691FD2} - System32\Tasks\Windows-AudioProtokollOfflinedateien => C:\Program Files\nodejs\node.exe -> C:\Windows\Installer\{95B63FA7-ED33-4E29-A708-0EF5B0306002}\{7AFB5CBB-AD8E-4A99-AC34-13CB5B160D9E} <==== ATTENTION

Additions:
FirewallRules: [TCP Query User{5C412A38-68F2-4431-A2C1-6AEC397336FD}C:\program files\lghub\lghub_agent.exe] => (Allow) C:\program files\lghub\lghub_agent.exe => No File
FirewallRules: [UDP Query User{DAB571FF-E702-4961-BDB4-B2B8AD980C26}C:\program files\lghub\lghub_agent.exe] => (Allow) C:\program files\lghub\lghub_agent.exe => No File
FirewallRules: [TCP Query User{AA36D589-2BEB-4EE1-9148-2AC374355ABC}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
FirewallRules: [UDP Query User{010D1AAA-A778-4CFF-8D76-3DA3B9BB9178}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File

Sincerely,
Flau

Addition.txt FRST.txt

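Added example, not from the thread or from FRST or Malwarebytes: a small Python triage script for the two kinds of FRST lines quoted above. It flags a scheduled task whose executable is a script runtime such as node.exe when the launched file sits under Windows\Installer, Package Cache or Windows\Temp or is a bare GUID with no extension, and it flags firewall Allow rules whose target binary no longer exists. The sample log is constructed from the thread's own entries plus one made-up benign task; the runtime and directory lists are assumptions.

```python
import re

# Constructed sample in the format of FRST's FRST.txt/Addition.txt: the first, second and
# fourth lines are the entries quoted in this thread, the third is a made-up benign task.
SAMPLE_LOG = r"""
Task: {AEDE2296-48D8-4036-A05F-1B035F691FD2} - System32\Tasks\Windows-AudioProtokollOfflinedateien => C:\Program Files\nodejs\node.exe -> C:\Windows\Installer\{95B63FA7-ED33-4E29-A708-0EF5B0306002}\{7AFB5CBB-AD8E-4A99-AC34-13CB5B160D9E} <==== ATTENTION
Task: {8B430336-0EB3-416C-99BD-FF2263676703} - System32\Tasks\Windows Remote Disc => H:\Node\\node.exe [54800536 2020-04-29] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{EE3E61FE-9C8D-4547-93F4-E6196313161D}\{80BDB538-79F6-4E58-88DE-53175C4C23B6}"
Task: {B2E1C3D4-0000-4000-8000-000000000001} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\Updater.exe [120000 2020-01-15] (Example Corp -> Example Corp)
FirewallRules: [TCP Query User{AA36D589-2BEB-4EE1-9148-2AC374355ABC}C:\program files\nodejs\node.exe] => (Allow) C:\program files\nodejs\node.exe => No File
"""

# Script runtimes that adware of this kind abuses as a launcher for a payload file (assumed list).
RUNTIMES = {"node.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Places where a legitimate Node.js script is not normally kept (assumed list).
SUSPECT_DIRS = ("\\windows\\installer\\", "\\package cache\\", "\\windows\\temp\\")
# A payload whose file name is a bare GUID with no extension, as in the thread's tasks.
GUID_FILE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

TASK_RE = re.compile(
    r"^Task: \{(?P<id>[^}]+)\} - (?P<name>.+?) => (?P<exe>.+?\.exe)"
    r"(?: \[[^\]]*\])?(?: \([^)]*\))?(?: -> (?P<args>.+?))?(?: <==== ATTENTION)?$")
FW_RE = re.compile(
    r"^FirewallRules: \[(?P<rule>[^\]]+)\] => \((?P<action>\w+)\) (?P<exe>.+?) => (?P<state>.+)$")


def triage_frst(text):
    """Return (kind, name, reason) tuples for entries worth a second look, in log order."""
    findings = []
    for line in text.splitlines():
        task = TASK_RE.match(line)
        if task:
            exe = task["exe"].rsplit("\\", 1)[-1].lower()
            args = (task["args"] or "").strip('"')
            odd_place = any(d in args.lower() for d in SUSPECT_DIRS)
            if exe in RUNTIMES and (odd_place or GUID_FILE.search(args)):
                findings.append(("task", task["name"], f"{exe} launches {args}"))
            continue
        fw = FW_RE.match(line)
        if fw and fw["action"] == "Allow" and fw["state"] == "No File":
            findings.append(("firewall", fw["rule"], f"stale allow rule for {fw['exe']}"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in triage_frst(SAMPLE_LOG):
        print(f"[{kind}] {name}: {reason}")
```

The heuristic is deliberately stricter than FRST: it also reports the H:\Node task that FRST left unmarked, because a Node script living in Package Cache is worth checking by hand either way.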

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Hi!

Here is the fixlog. The mentioned entries are gone after a re-scan. I assume that fixes my problem. The only entry that remains and might be related is:

Task: {8B430336-0EB3-416C-99BD-FF2263676703} - System32\Tasks\Windows Remote Disc => H:\Node\\node.exe [54800536 2020-04-29] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{EE3E61FE-9C8D-4547-93F4-E6196313161D}\{80BDB538-79F6-4E58-88DE-53175C4C23B6}"

But Farbar doesn't seem to identify it as a threat.

Thank you for your help!

Sincerely
Flau


Fixlog.txt


Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

