Need help cleaning coos ransomware

[Vanya123]

Hello, I got infected by .coos ransomware, I downloaded malwarebytes and kaspersky virus removal tool and malwarebytes found 56 objects, a rootkit too, kaspersky found 5, all were quarantined/deleted. But I'm still not sure if my pc is clean, for example windows security shows absolutely nothing - , could you please help me out to check if everything is all clean and how to fix that?

 

[struppigel]

I am Karsten and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.

• Read my instructions thoroughly, carry out each step in the given order.
• Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
• If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
• Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
• Back up important files before we start.
• Note: On weekends I might be slow to reply

-------------------------------------------------------------------
Your system is infected by STOP/DJVU ransomware. STOP ransomware variants after August 2019 are only decryptable if an offline key was used. For variants with an online key you cannot decrypt but repair certain file types. Can you please open the ransom note _readme.txt and copy and paste the user ID for me, so I can determine the variant of the ransomware?

Please note that this ransomware in almost all cases arrives via illegal software downloads or cracks.

1. Farbar Recovery Scan Tool (FRST) Script

• Download the attached fixlist.txt
• Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Double-click FRST64.exe to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.

2. Malwarebytes AdwCleaner

• Please download Malwarebytes AdwCleaner and save the file to your Desktop.
• Click Scan Now and wait for completion of the scan.
• Ensure anything you know to be legitimate does not have a check mark under the corresponding tab.
• Click Quarantine.
• Follow the prompts and allow your computer to reboot.
• After the reboot, a log will open. Attach the log to your next reply.

-- File, folder and registry backups are made for items removed using this program. Should a legitimate file, folder or registry item be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of the log.

 

[Vanya123]

Hello, I did everything, windows security is still blank, is that related to the virus?

I dont see an attach button to the reply window, I will paste the contents here:

Fix result of Farbar Recovery Scan Tool (x64) Version: 09-01-2021
Ran by Vania (14-01-2021 18:23:28) Run:1
Running from C:\Users\Vania\Desktop
Loaded Profiles: Vania
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3675572701-1113223759-2162520849-1001\...\MountPoints2: {8cff80a8-18ea-11ea-989a-6c2b594fb8c5} - "D:\SISetup.exe"
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
CHR Notifications: Default -> hxxps://25.flamborius.com; hxxps://49.flamborius.com; hxxps://az.beautyinfo.info; hxxps://best.aliexpress.com; hxxps://bg.plantscientists.com; hxxps://de.aliexpress.com; hxxps://drebisimo.com; hxxps://drydoclei.club; hxxps://eur.zaful.com; hxxps://gospodari.com; hxxps://he.aliexpress.com; hxxps://idei.bg; hxxps://katonovi.com; hxxps://m.opoznai.bg; hxxps://makeup.bg; hxxps://mbrand.io; hxxps://offnews.bg; hxxps://petel.bg; hxxps://pochivka.bg; hxxps://profit.bg; hxxps://rufilmtv.pro; hxxps://shelly.ru; hxxps://shineon.com; hxxps://sports.mymall.bg; hxxps://svishtov-info.net; hxxps://vsekidnevno.com; hxxps://wp.aliexpress.com; hxxps://www.alibaba.com; hxxps://www.aliexpress.com; hxxps://www.avtochastionline24.bg; hxxps://www.baby.bg; hxxps://www.bibloo.bg; hxxps://www.calitiger.com; hxxps://www.dailymail.co.uk; hxxps://www.euspares.co.uk; hxxps://www.facebook.com; hxxps://www.instagram.com; hxxps://www.modcloth.com; hxxps://www.pedradura.net; hxxps://www.sparepartstore24.co.uk; hxxps://www.topavtochasti.bg; hxxps://www.wish.com; hxxps://www.youtube.com
CHR Extension: (d8yI+Hf7rX) - C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdnpbneoflehiiimdcommlhgoneioof [2021-01-13]
C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdnpbneoflehiiimdcommlhgoneioof
CHR Extension: (d8yI+Hf7rX) - C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dhdnpbneoflehiiimdcommlhgoneioof [2021-01-13]
C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dhdnpbneoflehiiimdcommlhgoneioof
CHR Extension: (d8yI+Hf7rX) - C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdnpbneoflehiiimdcommlhgoneioof [2021-01-13]
C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdnpbneoflehiiimdcommlhgoneioof
CHR Extension: (d8yI+Hf7rX) - C:\Users\Vania\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\dhdnpbneoflehiiimdcommlhgoneioof [2021-01-13]
C:\Users\Vania\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\dhdnpbneoflehiiimdcommlhgoneioof
S3 wuauserv; C:\Windows\system32\svchost.exe [53744 2019-03-19] (Microsoft Windows Publisher -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S3 wuauserv; C:\Windows\SysWOW64\svchost.exe [45448 2019-03-19] (Microsoft Windows Publisher -> Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
FF Notifications: Mozilla\Firefox\Profiles\5k3njdmx.default-release -> hxxps://rabotnoobleklo.eu; hxxps://4sales.bg
2021-01-13 12:32 - 2021-01-13 12:54 - 000000000 ____D C:\Users\Vania\AppData\LocalLow\pF2qC1gG7yH8hI1o
Folder: C:\Users\Vania\AppData\Local\7abb9871-7421-4ebb-82d5-0be2def9530f
Folder: C:\Users\Vania\AppData\Local\5ded730d-7b1f-4135-af24-86571cbc551e
2021-01-13 12:32 - 2021-01-13 12:32 - 000000563 _____ C:\Users\Vania\AppData\Local\bowsakkdestx.txt
Folder: C:\Users\Vania\AppData\Local\Xxs
2021-01-13 12:32 - 2021-01-13 12:32 - 000000000 ____D C:\ProgramData\J5K7DB386MPV5D28C60GA038U
2021-01-13 12:32 - 2021-01-13 12:32 - 000000000 ____D C:\ProgramData\1JZRBTNMI6ZR1HRCEYV029WGY
2019-10-07 04:56 - 2019-10-07 04:56 - 000320202 ___SH () C:\Users\Vania\AppData\Roaming\usjcvrt
2021-01-13 12:32 - 2021-01-13 12:32 - 000000563 _____ () C:\Users\Vania\AppData\Local\bowsakkdestx.txt
CMD: netsh advfirewall reset
EmptyTemp:
end
*****************

Restore point was successfully created.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth" => removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => removed successfully
HKU\S-1-5-21-3675572701-1113223759-2162520849-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8cff80a8-18ea-11ea-989a-6c2b594fb8c5} => removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\ProgramData\NTUSER.pol => moved successfully
"Chrome Notifications" => removed successfully
CHR Extension: (d8yI+Hf7rX) - C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdnpbneoflehiiimdcommlhgoneioof [2021-01-13] => Error: No automatic fix found for this entry.
C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdnpbneoflehiiimdcommlhgoneioof => moved successfully
CHR Extension: (d8yI+Hf7rX) - C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dhdnpbneoflehiiimdcommlhgoneioof [2021-01-13] => Error: No automatic fix found for this entry.
C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dhdnpbneoflehiiimdcommlhgoneioof => moved successfully
CHR Extension: (d8yI+Hf7rX) - C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdnpbneoflehiiimdcommlhgoneioof [2021-01-13] => Error: No automatic fix found for this entry.
C:\Users\Vania\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdnpbneoflehiiimdcommlhgoneioof => moved successfully
CHR Extension: (d8yI+Hf7rX) - C:\Users\Vania\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\dhdnpbneoflehiiimdcommlhgoneioof [2021-01-13] => Error: No automatic fix found for this entry.
C:\Users\Vania\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\dhdnpbneoflehiiimdcommlhgoneioof => moved successfully
HKLM\System\CurrentControlSet\Services\wuauserv => removed successfully
wuauserv => service removed successfully
wuauserv => service not found.
"FF Notifications:" => removed successfully
C:\Users\Vania\AppData\LocalLow\pF2qC1gG7yH8hI1o => moved successfully

========================= Folder: C:\Users\Vania\AppData\Local\7abb9871-7421-4ebb-82d5-0be2def9530f ========================


====== End of Folder: ======


========================= Folder: C:\Users\Vania\AppData\Local\5ded730d-7b1f-4135-af24-86571cbc551e ========================


====== End of Folder: ======

C:\Users\Vania\AppData\Local\bowsakkdestx.txt => moved successfully

========================= Folder: C:\Users\Vania\AppData\Local\Xxs ========================


====== End of Folder: ======

C:\ProgramData\J5K7DB386MPV5D28C60GA038U => moved successfully
C:\ProgramData\1JZRBTNMI6ZR1HRCEYV029WGY => moved successfully
C:\Users\Vania\AppData\Roaming\usjcvrt => moved successfully
"C:\Users\Vania\AppData\Local\bowsakkdestx.txt" => not found

========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 10248192 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 240973657 B
Java, Flash, Steam htmlcache => 162083996 B
Windows/system/drivers => 23683604 B
Edge => 5594654 B
Chrome => 888912159 B
Firefox => 25622373 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 918940 B
NetworkService => 918940 B
Vania => 195975796 B

RecycleBin => 0 B
EmptyTemp: => 1.4 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 18:24:38 ====

# -------------------------------
# Malwarebytes AdwCleaner 8.0.9.0
# -------------------------------
# Build: 01-11-2021
# Database: 2021-01-11.1 (Cloud)
# Support: Customer Support & Help Center | Malwarebytes
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 01-14-2021
# Duration: 00:00:13
# OS: Windows 10 Pro
# Scanned: 31956
# Detected: 3


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy C:\Users\Vania\AppData\Local\DriverToolkit
Trojan.SmartClock C:\Users\Vania\AppData\Roaming\Smart Clock

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

PUP.Optional.Banggood banggood.com

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

# Malwarebytes AdwCleaner 8.0.9.0
# -------------------------------
# Build: 01-11-2021
# Database: 2021-01-11.1 (Cloud)
# Support: Customer Support & Help Center | Malwarebytes
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 01-14-2021
# Duration: 00:00:00
# OS: Windows 10 Pro
# Cleaned: 3
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted C:\Users\Vania\AppData\Local\DriverToolkit
Deleted C:\Users\Vania\AppData\Roaming\Smart Clock

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

Deleted banggood.com

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1539 octets] - [14/01/2021 18:26:58]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

 

[struppigel]

Hello, I did everything, windows security is still blank, is that related to the virus?

I suspect it was either caused by the malware or any of your previous antivirus software didn't uninstall correctly.

Step 1 Reg Fix:

• Please download the following file: Win10UpdateRegFix
• Double-click to run it.
• Allow UAC.
• Follow the prompts.
• Restart your system.

Step 2 FRST Fix:
Please delete the last fixlist.txt. Then copy the following text including "Start::" and "End::"

Start::
CMD: Dism.exe /Online /Cleanup-Image /Restorehealth
CMD: SFC /SCANNOW
Reboot:
End::

Run FRST64.exe and click on Fix. This may take a while
A log (Fixlog.txt) will open on your desktop. Copy and paste the log to your next reply.

Step 3 FRST Search:

• Double click Frst64.exe to launch it.
• FRST will start to run.
• When the tool opens click Yes to the disclaimer.
• Copy/Paste or Type the following line into the Search: box.
  MsMpEng
• Press the Search Files button.
• When finished searching a log will open on your Desktop ... Search.txt
• Please post it in your next reply.

 

[Vanya123]

Hello, this morning I noticed presumably the malware author entered my facebook and added himself as "admin" and tried to post ads from my account. I have 2FA so any device not my laptop should send an sms with a code, but I never received one, is it possible he remote controlled my laptop and signed in facebook himself? He added his name and tried to post ads but then facebook suspended it saying there's unsual activity on the account Is there any way to report this and to catch this person? Also what should I do now? I'm thinking a windows reinstall is best. This happened this morning so despite all of the fixes we made he still somehow got inside

 

[struppigel]

Hello Vanya.

A reinstall of Windows after the system got infected with a remote access trojan or backdoor is the safest thing you can do. They often leave the system in a less secure state because they change security settings and mess with configurations. Due to the nature of the infection, the criminal could have done anything to the system, which makes them less predictable than known malware families that run a predefined set of instructions.

If you use Windows 10 Reset for this, make sure to choose the option to delete all files.
You can backup your personal files, also the encrypted ones.
After you reinstalled your system, make sure your Antivirus program is working.

Consider all accounts as compromised that you have logged into or saved credentials for on your system, browser or key storage programs.
For all of these accounts, do the following:

• Use a clean system for this!
• Change all passwords for all accounts
• Enable 2FA for those accounts that don't have it yet

For all accounts that involve money, e.g., online banking, or that are otherwise very important to you, I recommend that you notify them beforehand that your accounts are compromised and a criminal might try to impersonate you. Tl;dr: Call your bank, tell them what happened.

Regarding Facebook, visit this page: Hacked and Fake Accounts | Facebook Help Center
Follow the Guided Help for Hacked Accounts

Consider going to the police and file a report. I don't know where you live, but in most places this is a necessary step. E.g., I live in Germany and if someone was to use my credit cards without my permission, I can use the police report to show that I did not withdraw this money. In that case it's on the bank to get the money back and not on me to pay.

I am sorry that this happened to you.

 

[struppigel]

I am closing this thread now as it seems that there is nothing else for me to do. If you have remaining questions, you can PM me to re-open it.