
Posted

In an attempt to pirate Windows, a coworker of mine downloaded a fake Windows activator from a website. He chose to disable KIS, thinking the activator was genuine, and installed it. Now his computer is behaving erratically.

1. Every now and then, the application tries to connect to illegal websites, triggering a KIS alarm. It appears from time to time.

2. We have already used KIS to scan the computer; it detected it as a WIN32. EPEH trojan residing in system memory. However, disinfecting and rebooting makes no change.

3. Whenever we disinfect it without restarting, the problem seems to go away, but whenever we restart the computer, it comes back again.

Please suggest a way to remove the persistent trojan. Thanks.


Posted

Hi @Springwoods

a coworker of mine

Okay?

he choose to disable KIS thinking the activator is genuine and install it

Can you scan the downloaded activator with KIS? Which malware is detected?

Posted (edited)

I already deleted the activator, but the files were downloaded from ...

Edited by Igor Kurzin
Removed the url
Posted

Thank you for the link. The detection you are getting now is MEM:Trojan.Win32.SEPEH.gen?

Posted

Yes, this is correct.

Disinfecting and rebooting does not remove it. Disinfecting it without a reboot seems to remove it and stops the connection spam, but it returns when the computer restarts.

Booting into safe mode and curing it with KVRT also didn't work; it comes back on every restart.

Posted

Got it. While we are checking the installer package, please go to the folder C:\WINDOWS\system32\Tasks\, create a folder there with any name (e.g. 'test'), and move all the files and folders in C:\WINDOWS\system32\Tasks\ into this newly created folder ('test'). Restart the PC; does the detection still occur?

Press [Win] + [R] and enter "msconfig". The window that opens contains a tab called "Startup". It contains a list of all programs that are launched automatically. Is there anything that looks suspicious? You can post a screenshot if you are not sure.
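As an added example (not code from this thread, from the forum, or from Kaspersky), the PowerShell script below inventories the auto-start locations the reply above points at, so that a task or Run entry that keeps coming back after a reboot can be spotted without moving files around by hand. Only the path C:\WINDOWS\system32\Tasks\ and the msconfig Startup tab are taken from the thread; the registry keys, the list of "script host" executables and the flagging rules are assumptions made for illustration. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the thread's or Kaspersky's own tooling. Lists scheduled tasks
# (as registered, and as XML files on disk) plus Run/RunOnce keys, and flags command
# lines that use a script host or live outside Windows / Program Files. The key list,
# script-host list and flagging rules are assumptions, not something from the thread.

$TasksRoot = Join-Path $env:windir 'System32\Tasks'

# Executables a vendor's own task rarely launches directly but droppers use constantly.
$ScriptHosts = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe')
$TrustedRoots = @("$env:windir\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

# First token of a command line: the quoted program, or the text up to the first space.
function Get-CommandExe {
    param([string]$CommandLine)
    $s = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 0) { return $s.Substring(1, $end - 1) }
    }
    return ($s -split '\s+', 2)[0]
}

function Get-ActionFlag {
    param([string]$CommandLine)
    $exe  = Get-CommandExe $CommandLine
    $leaf = $exe.Substring($exe.LastIndexOfAny('\/'.ToCharArray()) + 1).ToLowerInvariant()
    if ($ScriptHosts -contains $leaf) { return 'script/LOLBin host' }
    foreach ($root in $TrustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return '' }
    }
    return 'outside Windows/Program Files'
}

function New-Finding {
    param($Source, $Where, $Info, $RunAs, $Command, $Arguments)
    [pscustomobject]@{
        Source = $Source; Where = $Where; Info = $Info; RunAs = $RunAs
        Command = $Command; Arguments = $Arguments; Flag = Get-ActionFlag $Command
    }
}

# 1. Tasks as the Task Scheduler service reports them (Windows 8 / Server 2012 and later).
function Get-RegisteredTaskReport {
    if (-not (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue)) { return }
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }     # COM-handler actions have no command line
            New-Finding 'registered' ($task.TaskPath + $task.TaskName) $task.State `
                        $task.Principal.UserId $a.Execute $a.Arguments
        }
    }
}

# 2. The XML task definitions under System32\Tasks. A file that is back after you moved
#    it away is being re-created by something else that still runs at boot, so look at
#    its Command and its last-write time.
function Get-OnDiskTaskReport {
    Get-ChildItem -Path $TasksRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { [xml]$xml = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
        catch { return }                          # not a task definition, skip it
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            if (-not $exec.Command) { continue }
            New-Finding 'on-disk' $file.FullName.Substring($TasksRoot.Length) $file.LastWriteTime `
                        $xml.Task.Principals.Principal.UserId $exec.Command $exec.Arguments
        }
    }
}

# 3. The Run/RunOnce keys behind the msconfig Startup tab (Startup folders, Winlogon
#    and services are out of scope here).
function Get-RunKeyReport {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue } # PSPath, PSChildName, ... are provider metadata
            New-Finding 'run key' "$key\$($p.Name)" '' '' $p.Value ''
        }
    }
}

$findings = @(Get-RegisteredTaskReport) + @(Get-OnDiskTaskReport) + @(Get-RunKeyReport)
$findings | Sort-Object @{Expression = 'Flag'; Descending = $true}, Where |
    Format-Table Flag, Source, Where, RunAs, Command, Arguments -AutoSize -Wrap
```

On Windows 7, where msconfig still has a Startup tab, the Get-ScheduledTask cmdlet does not exist and section 1 is skipped; sections 2 and 3 still work, and `schtasks /Query /FO CSV /V` gives the registered view there. The "outside Windows/Program Files" flag is a heuristic: legitimate per-user software installs under %LOCALAPPDATA% and will show up too, so the flag is a starting point for inspection, not a verdict.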


Posted

The detection still occurs. However, after I moved everything to the Test folder, I noticed that something launched a command prompt upon restarting. The Tasks folder now has a Microsoft folder, TEST, and WPD.

I didn't notice anything unusual in the Startup tab, since I used to disable most of the unused apps.

config1.JPG

config2.JPG

Posted

We will need trace logs; here are the instructions: https://support.kaspersky.com/15535#block1

Please enable traces, restart the PC, run a Quick Scan to detect MEM:Trojan.Win32.SEPEH.gen, stop the traces, put the trace files into an archive and upload it to some cloud storage. Share the download link with me.

Posted

Uh ... my previous post was hidden, probably because it contained links to the cloud storage.

Posted

Thank you for the link. For some reason I cannot download it; it gives me an error (even with a VPN). Can you try some other cloud?

Posted

Downloaded, thanks.
