Author Topic: Funeral Ceremony email: evnih.exe trojan  (Read 729 times)

Offline stabguy

  • Newbie
  • *
  • Posts: 10
    • Personal Message (Offline)
Funeral Ceremony email: evnih.exe trojan
« on: January 30, 2014, 08:07:04 AM »
My wife received an email about a funeral ceremony. Someone we know had just died so she opened the attachment. Yep, it was a trojan. :( The payload seems to be a variety of malware including a process called "evnih.exe - IirDeramkel Antibibus Scagnur". MalwareBytes Anti-Malware always detects/deletes some Backdoors and Trojans but it isn't enough.

Attached are the MBAM and OTL logs. I'd really appreciate it if an analyst could help me when they get a chance. Thank you.

Offline Pondus

  • avast! √úberevangelist
  • Maybe Bot
  • *****
  • Posts: 21649
  • Gender: Male
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #1 on: January 30, 2014, 09:05:15 AM »
If you still have that attachment upload it to www.virustotal.com      click new scan if tested before
Post link to scan result here
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline argus

  • Anti Malware Fighter _ ASAP_
  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1332
  • Gender: Male
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #2 on: January 30, 2014, 09:16:43 AM »
Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code: [Select]

:OTL
O4 - HKU\S-1-5-21-334125316-4088546140-4129291110-1000..\Run: [qdmllevl] C:\Users\cherie\AppData\Local\ifwofanb.exe ()

:files
C:\Users\cherie\AppData\Local\ifwofanb.exe

:commands
[CREATERESTOREPOINT]
[emptytemp]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
.




********** Next **********







Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Offline stabguy

  • Newbie
  • *
  • Posts: 10
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #3 on: January 31, 2014, 06:32:54 AM »
Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

These three files are attached. Thanks for your help, argus.

Offline argus

  • Anti Malware Fighter _ ASAP_
  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1332
  • Gender: Male
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #4 on: January 31, 2014, 09:26:20 AM »
Hi,




1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]
Start
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
S1 enyjyryl; \??\C:\windows\system32\drivers\enyjyryl.sys [x]
C:\windows\system32\drivers\enyjyryl.sys
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
.






Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Post logfile will also be saved in the C:\AdwCleaner folder.
.




Please download zoek.zip or zoek.rar by smeenk () from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.

  • Double click on zoek.exe to run the tool .
    Please wait while the tool does not start...

  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code: [Select]
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
  • Click on button.
    Please wait until a logreport will open (this can be after reboot)

  • Save notepad to your Desktop and attach here zoek-results.log
    Note: It will also create a log in the C:\ directory named "zoek-results.log"

Offline stabguy

  • Newbie
  • *
  • Posts: 10
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #5 on: February 01, 2014, 06:13:51 AM »
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Save notepad to your Desktop and attach here zoek-results.log

Attached.

The computer seems to be running better already. :)

Offline argus

  • Anti Malware Fighter _ ASAP_
  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1332
  • Gender: Male
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #6 on: February 01, 2014, 09:13:08 AM »
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.

  • Double click on zoek.exe to run the tool .
    Please wait while the tool does not start...

  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code: [Select]
C:\Users\cherie\AppData\Local\bvjbgxbl;f
C:\Users\cherie\AppData\Local\igjmcvxk;f
C:\Users\cherie\Documents\FuneralCeremony_Honolulu_96825;fs
C:\Users\cherie\AppData\Local\Temp\scripttest.vbs;f
blekko search bar;ff
Skype Click to Call;ff
emptyalltemp;
autoclean;
emptyclsid;
ipconfig /flushdns >> %temp%\log.txt;b
  • Click on button.
    Please wait until a logreport will open (this can be after reboot)

  • Save notepad to your Desktop and attach here zoek-results.log
    Note: It will also create a log in the C:\ directory named "zoek-results.log"

Offline stabguy

  • Newbie
  • *
  • Posts: 10
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #7 on: February 01, 2014, 07:47:17 PM »
Save notepad to your Desktop and attach here zoek-results.log

Attached.

Offline argus

  • Anti Malware Fighter _ ASAP_
  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1332
  • Gender: Male
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #8 on: February 02, 2014, 10:39:15 AM »
A little more and we ended up.


  Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




Next ->




Please download DDS and save it to your Desktop from here:
http://www.bleepingcomputer.com/download/dds/dl/104/

Double click to run the tool, click the Start button.

   * When done, DDS will open two (2) logs:
         1. DDS.txt
         2. Attach.txt

Save both reports to your desktop. DDS.txt and Attach.txt attach back to topic.





Do you have any problems?

Offline stabguy

  • Newbie
  • *
  • Posts: 10
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #9 on: February 02, 2014, 07:29:37 PM »
Log files attached.

When this first happened I advised my wife not to do any online banking, credit card purchases, etc. Do you think it's safe to resume those activities now?

I really appreciate all your help, angus.

Offline argus

  • Anti Malware Fighter _ ASAP_
  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1332
  • Gender: Male
    • Personal Message (Offline)
Re: Funeral Ceremony email: evnih.exe trojan
« Reply #10 on: February 02, 2014, 08:06:26 PM »
Quote
Do you think it's safe to resume those activities now?


Your PC is clean, you can be free of worries.

Malware is gone in Honolulu  :D
C:\Users\cherie\Documents\FuneralCeremony_Honolulu_96825\FuneralCeremony_Honolulu_96825.exe

https://www.virustotal.com/en/file/f349fa94dd8ca37ec7d405b78b2f048186f1961cf121b8f17e020f8e62649dba/analysis/




Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on "Run" button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now