Cookie773.exe

Hi,

So I posted this a week ago relating to a piece of malware called “cookie773.exe” being detected again and again.

It went away for about a week, but suddenly has been repeating again more frequently, only this time the object name and popup are notably different.

The infection type has changed too, the process is the same though.

As was suggested in the thread, I monitored Task Manager and located the directories that wscript and cookie773.exe are found in; however, I found that wscript does not show up at all in Task Manager, and no new process is added before Avast detects and blocks the file.

A new link on the popup from Avast asking to add the file to exclusions shows up, which made me realize that the file is being placed in the Avast chest. I extracted the file and uploaded it to malware analysis sites, confirming that it's definitely malware:

https://www.virustotal.com/en/file/398a4912f479e327752706be59626c9d7ae4535789681abe3e66c360f5bb4583/analysis/1473622588/ (It says avast doesn’t detect??)
https://malwr.com/analysis/ZmJkNGVkNWJlMTVmNDUzY2E5ZDhjZTI5MGFjYzEzNTI/
https://www.hybrid-analysis.com/sample/398a4912f479e327752706be59626c9d7ae4535789681abe3e66c360f5bb4583?environmentId=100

The file itself does not contain any obvious markers, however the analysis sites show there is a ton of information located within.

Hope somebody can help. Thanks :)

https://forum.avast.com/index.php?topic=190313.msg1335147#msg1335147

You were asked to provide the log files.

Sorry

I need to ask for some information before continuing forward:

  1. What was KMSPico used for on this system?
  2. Do you use or want Splashtop software?

  1. I believe KMSPico was used to ‘activate’ Windows 7 (pre-Win10) when I had to reinstall it onto the current hard drive C:
  2. Splashtop is legit, I used it to stream my desktop onto my tablet.

note: I had to reinstall Win7 due to purchasing a new hard drive a while back, I found the windows disk but not the activation key, so this was in my eyes a harmless solution.

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt


Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [ICQ1] => c:\windows\temp\OneDrive\starter2.exe <===== ATTENTION
HKLM\...\Run: [ICQ] => c:\windows\temp\OneDrive\starter1.exe <===== ATTENTION
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-3171509457-269423958-3859399353-1000\...\MountPoints2: {0c683eb7-b5e5-11e5-aceb-3085a93c5699} - "F:\setup.exe"
HKU\S-1-5-21-3171509457-269423958-3859399353-1000\...\MountPoints2: {f0d96ee5-c0f7-11e5-acfe-3085a93c5699} - "H:\SETUP.EXE"
HKU\S-1-5-21-3171509457-269423958-3859399353-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {0c683eb7-b5e5-11e5-aceb-3085a93c5699} - "F:\setup.exe"
HKU\S-1-5-21-3171509457-269423958-3859399353-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {f0d96ee5-c0f7-11e5-acfe-3085a93c5699} - "H:\SETUP.EXE"
CHR Extension: (Google Drive) - C:\Users\KASH\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-05-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\KASH\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-05]
Task: {DC5A32A5-9132-4BAF-834C-5F6C26E43108} - System32\Tasks\GoogleUppdateTaskMachineAll => C:\Users\KASH\AppData\Roaming\GoogleUpp\a0NIv2vo.vbe [2016-07-02] () <==== ATTENTION
C:\Users\KASH\AppData\Roaming\GoogleUpp
Shortcut: C:\Users\KASH\Desktop\Games folder\Broken Crescent.lnk -> C:\Program Files (x86)\Medieval 2 Total War Gold\mods\Broken_Crescent_kingdoms\bc_launch.bat (No File)
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.
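The fixlist above removes four kinds of persistence that FRST surfaced on this machine: Run-key values pointing into C:\Windows\Temp, a scheduled task whose action is a .vbe under the user's Roaming profile, MountPoints2 autorun commands for removable drives, and an alternate data stream on a ProgramData folder. The following PowerShell script is an added example, not part of the thread and not FRST's own logic: it enumerates the same four locations on a live system and flags the same tell-tales (launch paths under temp/profile directories, script-host extensions, non-standard streams), which is a quick way to see whether the fix held before the next popup. It assumes PowerShell 3.0 or later (for Get-Item -Stream), an English-locale Windows (the schtasks column name 'Task To Run'), and a list of "suspect" directories chosen for this example. It reports only and changes nothing.

```powershell
# Added example (not from the thread): read-only triage of the persistence
# locations the FRST fixlist above cleaned. Needs PowerShell 3.0+ for
# Get-Item -Stream. Reports only; nothing is deleted.

# Directories a legitimate updater should not launch from (assumption for this example).
$SuspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                  "$env:SystemRoot\Temp", $env:ProgramData)
# Script-host extensions, like the GoogleUpp\*.vbe task on the original machine.
$SuspectExt = '\.(vbe|vbs|js|jse|wsf|hta|bat|cmd)(\s|"|$)'

function Test-SuspectCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    foreach ($root in $SuspectRoots) {
        if ($root -and $Command.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return [bool]($Command -match $SuspectExt)
}

# 1. Run / RunOnce values (the starter1.exe / starter2.exe entries lived here).
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise
        $tag = if (Test-SuspectCommand $p.Value) { 'SUSPECT' } else { 'ok     ' }
        "[$tag] Run   $key\$($p.Name) => $($p.Value)"
    }
}

# 2. Scheduled tasks. schtasks.exe exists on Windows 7 (Get-ScheduledTask does not);
#    with /fo CSV /v it repeats the header row per task folder, hence the filter.
#    'Task To Run' is the English column name (assumption).
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and (Test-SuspectCommand $_.'Task To Run') } |
    ForEach-Object { "[SUSPECT] Task  $($_.TaskName) => $($_.'Task To Run')" }

# 3. MountPoints2: per-volume autorun commands (the F:\setup.exe / H:\SETUP.EXE entries).
$mp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    foreach ($vol in Get-ChildItem -Path $mp) {
        $cmdKey = "$($vol.PSPath)\Shell\AutoRun\command"
        if (Test-Path $cmdKey) {
            "[SUSPECT] Mount $($vol.PSChildName) autorun => $((Get-ItemProperty $cmdKey).'(default)')"
        }
    }
}

# 4. Alternate data streams on the top level of ProgramData and Roaming (the Reprise
#    entry was a stream on a ProgramData folder). :$DATA is the file's own data and
#    Zone.Identifier is the normal mark-of-the-web; anything else deserves a look.
foreach ($dir in @($env:ProgramData, $env:APPDATA)) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object { "[SUSPECT] ADS   $($_.FileName):$($_.Stream) ($($_.Length) bytes)" }
    }
}
```

Run it from an elevated prompt so the HKLM keys and ProgramData are readable. A clean result after the FRST fix does not prove the dropper is gone (the poster's first cleanup also looked clean for a week); it only shows that nothing is currently registered to relaunch from those four places, which is the question to answer before hunting for whatever re-creates them.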

I've restarted and not encountered any notification, thanks :). However, this also happened in my original post, and it just reappeared a week later in a different form. Any advice?

You have some services that are not running on your system: the Firewall service and WMI. If you meant to turn these off, then ignore the rest of this post. Otherwise, I would suggest that you try and repair these components of Windows by following the steps below.


Please download “Windows Repair - All in One” from here. Please choose “Save file…” if you get options to open the file. Once the download is complete, run the file and install the program on your system. Please use the default settings for locations as it will help with log retrieval and fixing the registry should anything be needed.

Right click on the desktop shortcut for “Tweaking.com - Windows Repair” and select ‘Run as administrator’.

The program will run a self check to make sure that all the correct files are in place for it to run and then it will load the program. As you can see, there are many steps to take in using this program. Mainly, the first few steps involve checking for proper Windows files and backing up the system as a precaution.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step1_zpswsvkpwps.png

You can read the notes on the first screen but the important thing to do is click on “ReBoot to Safe Mode” and allow the system to restart itself. Once the system is started in safe mode and you have logged in (using an administrative level account), restart the program and move onto the Step2 screen.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step2_PreScan_Check_zpsz4jtz5na.png

Please click on “Open Pre-Scan” to load a utility to verify some Windows resource / build files and settings.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step2_PreScan_Check_v3_9_6_zps8ku4ffgf.png

Click on “Start Scan” and allow the routine to run. You can see the status of the checks in the window.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step2_PreScan_Finish_zpscticsthm.png

When the routine is finished, it will report on any problems found and you can click on the appropriate repair button if needed. Once this is done, you can close this window and click on Step3.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step3_CheckDisk_zpsn3dmzb3p.png

Click on the “Check” to see if a repair disk check routine needs to run. A Command Prompt window will open and you can view the status of the routine. If the routine finds that repairs need to be made, please select “Open Disk Check at Next Boot” and then click on the “Reboot To Safe Mode” button. Once the routine(s) completes, please select Step4.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step4_SFCscan_zpsrgf8dxrt.png

Please click on “Do It” to run a SFC /scannow routine. If the routine makes any repairs, please reboot your system (again into Safe Mode). If the routine does not make any repairs, please move onto Step5.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step5_Backup_zpsu1i9cqxu.png

Once there, click on “Backup” under “1. Registry Backup”. This will make a complete backup of the current registry which can be reloaded should anything go wrong with the repairs that are going to be made. Next, click on “Create” under “2. System Restore”. Once both of these backups are made, select Repairs.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step6_Repairs_Tips_zpspmp4g2yh.png

I would suggest that you read the Tips For The Best Repairs Results. Once this is done, click on “Open Repairs”.

http://i1351.photobucket.com/albums/p785/dbreeze2/Windows%20Repair%20All%20in%20One/WEAIO%20v3_5/Step6_Repairs_Start_zpsoiow1cxf.png

On this screen, click the following: (do this in this order to select only these repairs) uncheck All Repairs, then check #1, 2, 3, 4, 5, 6, 10, 11, 13, 26 and 27. Click “Start Repairs” and confirm that the program starts running the fixes. This will take a while to run, so you can let it run unattended if you like. Log files are being recorded as the repairs are being executed. Once the repairs are finished, reboot your system (normal boot now) and tell me how it is running now.
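The post above says the Firewall service and WMI were not running. Before (or instead of) an all-in-one repair suite, it is worth checking whether the services are merely stopped or disabled, since a stopped service starts with one command while a missing service registration needs a real repair. The PowerShell snippet below is an added example, not from the thread or from the Tweaking.com tool. It assumes the service names MpsSvc (Windows Firewall), BFE (Base Filtering Engine, which the firewall depends on) and Winmgmt (WMI); it reads the start type from the registry so that the check does not itself depend on WMI; and it sticks to the Windows 7 / PowerShell 2.0 baseline. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): report and, where possible, restart the
# services the helper found stopped. Service names are an assumption:
#   BFE     = Base Filtering Engine (MpsSvc will not start without it)
#   MpsSvc  = Windows Firewall
#   Winmgmt = Windows Management Instrumentation
# Works on PowerShell 2.0 (Windows 7 default); needs an elevated prompt.

$Wanted = 'BFE', 'MpsSvc', 'Winmgmt'
$StartNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-StartType {
    param([string]$Name)
    # Read the SCM start value from the registry rather than Win32_Service,
    # because WMI is one of the things that may be broken here.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $StartNames[(Get-ItemProperty -Path $key -Name Start).Start]
}

function Repair-WantedService {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return "$Name : service registration missing - needs the repair tool (or sfc), not Start-Service"
    }
    $start = Get-StartType $Name
    if ($start -eq 'Disabled') {
        # A disabled service cannot be started; restore Automatic first.
        Set-Service -Name $Name -StartupType Automatic
        $start = 'Automatic (was Disabled)'
    }
    if ($svc.Status -ne 'Running') {
        try   { Start-Service -Name $Name -ErrorAction Stop }
        catch { return "$Name : start failed ($($_.Exception.Message)); start type $start" }
    }
    $state = (Get-Service -Name $Name).Status
    return "$Name : $state, start type $start"
}

foreach ($name in $Wanted) { Repair-WantedService $name }

# The firewall service running is not the same as the firewall being on:
# confirm each profile's state (this is what the fixlist's
# 'netsh advfirewall set allprofiles state on' line forces).
netsh.exe advfirewall show allprofiles state
```

If Winmgmt fails to start with a repository error, or a service reports "registration missing", that is the case for the SFC and repair steps described above; if everything simply reports Running after this, the heavier repairs can be skipped.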

I’ve made the repairs suggested to the registry and memory, the system is running fine so this issue is solved. Thank you.

Hello

I had downloaded a sample; the Web Shield warned FileRepMalware [PUP]. The File System Shield did not notify. Then yesterday I submitted the file again, and it is now detected as Win64:Malware-gen.

https://www.virustotal.com/en/file/634b823db9b7934d4200a2f5d932e5a928512a6bab04bbc7fd47bcde70f7e892/analysis/