Avast WEBforum

Other => Viruses and worms => Topic started by: stabguy on January 30, 2014, 10:07:04 AM

Title: Funeral Ceremony email: evnih.exe trojan
Post by: stabguy on January 30, 2014, 10:07:04 AM
My wife received an email about a funeral ceremony. Someone we know had just died so she opened the attachment. Yep, it was a trojan. :( The payload seems to be a variety of malware including a process called "evnih.exe - IirDeramkel Antibibus Scagnur". MalwareBytes Anti-Malware always detects/deletes some Backdoors and Trojans but it isn't enough.

Attached are the MBAM and OTL logs. I'd really appreciate it if an analyst could help me when they get a chance. Thank you.
Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: Pondus on January 30, 2014, 11:05:15 AM
If you still have that attachment upload it to www.virustotal.com      click new scan if tested before
Post link to scan result here
Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: argus on January 30, 2014, 11:16:43 AM
Re-run OTL.exe.

Code: [Select]

:OTL
O4 - HKU\S-1-5-21-334125316-4088546140-4129291110-1000..\Run: [qdmllevl] C:\Users\cherie\AppData\Local\ifwofanb.exe ()

:files
C:\Users\cherie\AppData\Local\ifwofanb.exe

:commands
[CREATERESTOREPOINT]
[emptytemp]


If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
.




********** Next **********







Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) ((http://www.mcshield.net/personal/magna86/Images/FRST_canned.png)) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: stabguy on January 31, 2014, 08:32:54 AM
Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

These three files are attached. Thanks for your help, argus.
Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: argus on January 31, 2014, 11:26:20 AM
Hi,




1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]
Start
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
S1 enyjyryl; \??\C:\windows\system32\drivers\enyjyryl.sys [x]
C:\windows\system32\drivers\enyjyryl.sys
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
.






Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

.




Please download zoek.zip or zoek.rar by smeenk ((http://www.mcshield.net/personal/magna86/Images/Zoek_icon.png)) from here (http://hijackthis.nl/smeenk) or here (http://home.kpn.nl/stefsmeenk/zoek.exe) and save it to your Desktop.
Unpack the archive...
Code: [Select]
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: stabguy on February 01, 2014, 08:13:51 AM
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Save notepad to your Desktop and attach here zoek-results.log

Attached.

The computer seems to be running better already. :)
Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: argus on February 01, 2014, 11:13:08 AM
Code: [Select]
C:\Users\cherie\AppData\Local\bvjbgxbl;f
C:\Users\cherie\AppData\Local\igjmcvxk;f
C:\Users\cherie\Documents\FuneralCeremony_Honolulu_96825;fs
C:\Users\cherie\AppData\Local\Temp\scripttest.vbs;f
blekko search bar;ff
Skype Click to Call;ff
emptyalltemp;
autoclean;
emptyclsid;
ipconfig /flushdns >> %temp%\log.txt;b
Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: stabguy on February 01, 2014, 09:47:17 PM
Save notepad to your Desktop and attach here zoek-results.log

Attached.
Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: argus on February 02, 2014, 12:39:15 PM
A little more and we ended up.


(http://imageshack.us/a/img841/7292/thisisujrt.gif)  Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.




Next ->




Please download DDS and save it to your Desktop from here:
http://www.bleepingcomputer.com/download/dds/dl/104/

Double click to run the tool, click the Start button.

   * When done, DDS will open two (2) logs:
         1. DDS.txt
         2. Attach.txt

Save both reports to your desktop. DDS.txt and Attach.txt attach back to topic.





Do you have any problems?
Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: stabguy on February 02, 2014, 09:29:37 PM
Log files attached.

When this first happened I advised my wife not to do any online banking, credit card purchases, etc. Do you think it's safe to resume those activities now?

I really appreciate all your help, angus.
Title: Re: Funeral Ceremony email: evnih.exe trojan
Post by: argus on February 02, 2014, 10:06:26 PM
Quote
Do you think it's safe to resume those activities now?


Your PC is clean, you can be free of worries.

Malware is gone in Honolulu  :D
C:\Users\cherie\Documents\FuneralCeremony_Honolulu_96825\FuneralCeremony_Honolulu_96825.exe

https://www.virustotal.com/en/file/f349fa94dd8ca37ec7d405b78b2f048186f1961cf121b8f17e020f8e62649dba/analysis/




Please download  DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.

Run the tool and check the following boxes below;

Now click on "Run" button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.