Win Evo and other assorted malware

Hi, I am usually very careful and I have been fortunate to not have been infected before, but now I am screwed. I am running Windows 7 Home Premium. I have Malwarebytes Pro, Avast Antivirus Free, and SuperAntiSpyware (paid). Avast detected about 16 viruses, Malwarebytes a trojan. I keep everything up to date and scan at least once a week. This started when I opened a message in an email account which I thought was from the gas and electric company. Today Avast was repeatedly blocking an email being sent out. I do not use computer-based email. Malwarebytes was blocking Avast. I am not using the infected PC now. Any help would be greatly appreciated. Thanks, Jeff

Hello,
We’ll run system diagnostics with these two powerful tools. That will allow us to quickly ascertain whether or not malware may be running on your machine.

=> Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


=> Please download GMER, the RootKit Detector tool, from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.

Double-click to run GMER.

- Wait for the initial scan to finish; if there is any query, click No.
- Click the [ Scan ] button and wait until the full scan is complete.
- Click [ Save … ] and save the report to the Desktop (named ARK).

- Then click the >>> button and select the Autostart tab.
- Click the [ Scan ] button.
- After the quick scan, click the Copy button.
- Open Notepad and paste the text. Save the report to the Desktop (named autostart).

Attach both GMER log reports here (ARK.txt and autostart.txt).

Hi here are the results.

Hi,

Can you please post GMER's primary log file, named ARK.txt?

Here is the ARK file. I forgot to mention I also ran Spybot. There are 2 files that seem to be the source of the issue: "lebfwgts" C:\Users\JLT\AppData\Local\qiqeowlm.exe and "bdmaomao" C:\Users\JLT\AppData\Local\NOGCKGEK.EXE. Thanks again for all your help, Jeff

C:\Users\JLT\AppData\Local\qiqeowlm.exe and C:\Users\JLT\AppData\Local\NOGCKGEK.EXE

Upload and test these files at www.virustotal.com.
Post the link to the scan result here.

Hi,

FRST shows the malware activity. We shall use FixList to tell FRST to stop, kill and delete the malware.


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
File: C:\Windows\system\Cm106eye.exe
C:\Users\JLT\AppData\Local\nogckgek.exe
C:\Users\JLT\AppData\Local\qiqeowlm.exe
C:\Users\JLT\AppData\Local\afhffhdj
C:\Users\JLT\AppData\Local\cxvaoliu
C:\Users\train\AppData\Roaming\desktop.ini
C:\Users\JLT\AppData\Local\Temp\drm_dyndata_7380014.dll
HKU\S-1-5-21-3233814832-351957047-3291099149-1004\...\Run: [bdmaoawo] - "C:\Users\JLT\AppData\Local\nogckgek.exe"
HKU\S-1-5-21-3233814832-351957047-3291099149-1004\...\Run: [lebfwgts] - "C:\Users\JLT\AppData\Local\qiqeowlm.exe"
Hosts:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.


FRST Re-Scan


Re-run FRST …

- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
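The two HKU\...\Run lines in the FixList above show the pattern this infection used: a randomly named executable dropped straight into the user's AppData\Local folder and registered under a randomly named Run value. The following PowerShell script is an added example, not part of this thread and not an FRST or MCShield component; it audits the Run key of every loaded user hive and reports entries matching that pattern. The "eight lowercase letters" heuristic is an assumption drawn from the two names quoted in the thread, and the script only reads the registry; it removes nothing.

```powershell
# Added example (not from the thread): flag per-user Run entries that launch a
# randomly named executable directly from <profile>\AppData\Local.
# Read-only audit. Written to also run on Windows 7's PowerShell 2.

function Get-CommandExecutable {
    param([string]$Command)
    # A Run value is a command line: either "quoted path" args, or path args.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-SuspiciousRunEntry {
    param([string]$Name, [string]$Command)
    $exe  = Get-CommandExecutable -Command $Command
    $dir  = Split-Path -Path $exe -Parent
    $leaf = Split-Path -Path $exe -Leaf
    $reasons = @()
    # Executable placed directly in AppData\Local rather than in a vendor subfolder
    if ($dir -match '^[a-z]:\\Users\\[^\\]+\\AppData\\Local$') {
        $reasons += 'runs directly from AppData\Local'
    }
    # Assumed heuristic: eight random lowercase letters, as in qiqeowlm.exe / lebfwgts
    if ($leaf -match '^[a-z]{8}\.exe$') { $reasons += 'random-looking 8-letter file name' }
    if ($Name -match '^[a-z]{8}$')      { $reasons += 'random-looking 8-letter value name' }
    if ($reasons.Count -eq 0) { return $null }
    New-Object PSObject -Property @{
        Name       = $Name
        Executable = $exe
        Reasons    = ($reasons -join '; ')
    }
}

function Get-SuspiciousRunEntries {
    # HKEY_USERS is not mapped as a drive by default; map it so every loaded hive is visible.
    # Run from an elevated prompt to see hives other than the current user's.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $key = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
            if (-not (Test-Path -Path $key)) { return }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
                $hit = Test-SuspiciousRunEntry -Name $p.Name -Command ([string]$p.Value)
                if ($hit) { $hit | Add-Member -MemberType NoteProperty -Name Key -Value $key -PassThru }
            }
        }
}

# Offline demonstration on constructed input: the two entries quoted from the
# FixList plus one benign-looking entry. No registry access is needed for this part.
$sample = @{
    'bdmaoawo'           = '"C:\Users\JLT\AppData\Local\nogckgek.exe"'
    'lebfwgts'           = '"C:\Users\JLT\AppData\Local\qiqeowlm.exe"'
    'SunJavaUpdateSched' = '"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"'
}
foreach ($n in $sample.Keys) {
    $r = Test-SuspiciousRunEntry -Name $n -Command $sample[$n]
    if ($r) { $r | Format-List Name, Executable, Reasons }
}

# Live audit of this machine:
# Get-SuspiciousRunEntries | Format-Table Key, Name, Executable, Reasons -AutoSize
```

On the constructed input only the two FixList entries are reported (each for all three reasons); the Java updater entry lives in Program Files and has a non-random name, so it passes. Anything the live audit reports is a candidate for the same FRST/VirusTotal handling shown in this thread, not something to delete on the strength of a name pattern alone.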

Here are the results. Thank you

This looks good. Malware has been neutralized. Do NOT use USB memory devices as we shall check them later.

For now I want you to run ComboFix just as an extra check. :wink:

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works, please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your antivirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this, please read this or this instruction.

Instructions on how to disable avast:

- Right click on the avast! system tray icon (http://www.mcshield.net/pg/images/avast5.png) in the lower right corner of the screen and scroll up to avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shields.


  3. Run ComboFix. Click on I Agree!

    - ComboFix will display a DISCLAIMER of warranty on the software.
    By clicking I Agree, ComboFix will continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
    - If the Recovery Console is not installed, ComboFix will offer to download and install it.
    Click Yes to allow ComboFix to install the Recovery Console.
  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

  4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
    Attach the log report (ComboFix.txt) back to the topic.

Here is the ComboFix log. Should I remove the external hard drives that I have connected to the PC?

Yes, remove the USB devices. Then install MCShield and attach the USB devices again. Here is how …

Please download MCShield from one of the following links:

MCShield -Official download link

- Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … after installation click on the Run! button.
- Wait a few seconds for MCShield to finish its initial HDD scan.
- Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
- When all scanning is done, you need to post the log report that MCShield has created.

Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScans.txt report will be located on your Desktop.

=> Post AllScans.txt here.

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

After the MCShield scan, we shall run ComboFix one more time, but via CFScript.
=> After running MCShield (AllScans.txt) and later CFScript (fresh ComboFix.txt log file), tell me how the computer is running now.

Open notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

SkipFix::

File::
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\desktop (1).ini

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).

here are the McShield Allscans

Here are the ComboFix files

As far as how the PC is running, it seems to be fine. I have had none of the prior activity (e.g. Avast blocking outgoing emails, Malwarebytes blocking outgoing URLs, constant Avast warnings). Thank you, Jeff

Cool. Your PC is malware free. First, we shall remove and uninstall ComboFix.

It is necessary to uninstall ComboFix :

- Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png), then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

- In the line of text, type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall ".

- Then click OK (or press Enter).

Wait for the uninstall process to complete.


Then I want you to find the deleted malware itself, as I want you to send the samples to VirusTotal. When a new sample is detected, it will be sent to all other antivirus vendors for adding to their definitions.

Loading point of malware was:

C:\Users\JLT\AppData\Local\afhffhdj
C:\Users\JLT\AppData\Local\cxvaoliu

The inactive, disabled malware samples are now located in the C:\FRST\Quarantine folder. Each folder and file in FRST's Quarantine has the time and date appended to the original folder/file name.

Find the Quarantine folder and there you should have something like this:

C:\FRST\Quarantine\C\Users\JLT\AppData\Local

In Local you should have two folders, like:

  1. afhffhdj
  2. cxvaoliu

The malware files should be located there. Go to the VirusTotal site, browse to the path and upload all samples you can find there.
https://www.virustotal.com/

Can you do that for me?

Update:

C:\FRST\Quarantine\C\Users\JLT\AppData\Local
My mistake ...

In C:\FRST\Quarantine you should only see these folders:

afhffhdj
cxvaoliu

Within these folders should be located inactive-disabled malware files. Upload all files to virustotal.
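Before uploading the quarantined files, it helps to record what is in C:\FRST\Quarantine and to look each file's SHA-256 up on VirusTotal first, since a hash lookup tells you whether a sample is already known without sending the file anywhere. The following PowerShell script is an added example, not part of this thread and not an FRST feature; it inventories the quarantine folder with file sizes and SHA-256 hashes and writes the list to the Desktop. The per-file VirusTotal URL form is an assumption, and the script never executes any of the samples.

```powershell
# Added example (not from the thread): inventory C:\FRST\Quarantine with SHA-256
# hashes so each sample can be looked up on VirusTotal before it is uploaded.
# Uses the .NET SHA-256 class directly so it also runs on Windows 7's PowerShell 2,
# which lacks Get-FileHash. Nothing here runs the quarantined files.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = New-Object System.Security.Cryptography.SHA256CryptoServiceProvider
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Get-QuarantineInventory {
    param([string]$Root = 'C:\FRST\Quarantine')   # path named in the thread
    if (-not (Test-Path -Path $Root)) {
        Write-Warning "Quarantine folder not found: $Root"
        return
    }
    # -Force includes hidden/system files, which quarantined samples often are
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $hash = Get-Sha256Hex -Path $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Bytes     = $_.Length
                Sha256    = $hash
                # Assumed VirusTotal per-file page, keyed by SHA-256
                LookupUrl = "https://www.virustotal.com/gui/file/$hash"
            }
        }
}

# Usage: build the inventory once, save it next to the other logs, and show it.
$inventory = @(Get-QuarantineInventory)
if ($inventory.Count -gt 0) {
    $out = Join-Path $env:USERPROFILE 'Desktop\QuarantineHashes.csv'
    $inventory | Select-Object Path, Bytes, Sha256, LookupUrl |
        Export-Csv -Path $out -NoTypeInformation
    $inventory | Format-Table Sha256, Bytes, Path -AutoSize
    Write-Host "Inventory written to $out"
}
```

Open each LookupUrl in a browser: a hash that VirusTotal already knows needs no upload, while an unknown one is worth submitting through the site's upload form as the thread describes, so the vendors receive it. The CSV also gives you a record of exactly which files were submitted before FRST and its Quarantine folder are removed.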

The only option I see is to scan it. Do I need to create a user account to upload?

I got it. "Scan it" uploaded it.

Cool. 8)

You may not realize but you’ve just helped many AV companies to get a copy of this malware. If necessary, they will analyze it and put in the definition.

Do you have a URL link to the VirusTotal scan results? I'm asking purely out of curiosity.

If not, it does not matter. Have you uploaded all malware files to VT? Can we now remove FRST and its Quarantine? :slight_smile: