Help with malware!

[kareema]

Hi I've followed some of the instruction about removing...

 C:\explorer.exe (Worm.AutoRun) ->
C:\WINDOWS\system32\cffmon.exe (Backdoor.Bot) ->

 Avast keeps sending alerts about it. I also run the scan but I'm kind lost as to what to do next. I tried to look up some threads to see what people do about it but i've i haven't found anything... there is too much info! 

I've attached the logs files for anyone to look at.
Would appreciate some feedback thanks
I ran malwarebytes and OTL

[Pondus]

your Malwarebytes scan was done with an old database (3930) Latest database is 4046
MBAM is updated several times a day so always run update before you scan

[kareema]

First of all thank you for responding so quick didn't think it would be so quick. As i'm typing this I'm updating Malwarebytes at this very instant! So I guess I have to run a scan again. I'll attach the log as soon as so you can have a look if it's no biggy I understand that you guys have alot to do so I'll be patient. thank you again
BTW I'm not tech person but I do know some basics.
 

[essexboy]

Hi lets try this

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

Code: [Select]

:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [WindowsDefender] C:\WINDOWS\system32\vcmxqbd.exe ()
O4 - HKCU..\Run: [Com32] C:\WINDOWS\system32\vcmxqbd.exe ()
O4 - HKCU..\RunServicesOnce: [LogServ] C:\WINDOWS\system32\vcmxqbd.exe ()
F3 - HKCU WinNT: Load - (C:\windows\system32\vcmxqbd.exe) - C:\WINDOWS\system32\vcmxqbd.exe ()
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\vcmxqbd.exe) - C:\WINDOWS\system32\vcmxqbd.exe ()
O33 - MountPoints2\{6c6d5b2b-3e2d-11de-9cb2-0018de98dc40}\Shell\AutoRun\command - "" = FILES\REMOVED\BEST.exe
O33 - MountPoints2\{6c6d5b2b-3e2d-11de-9cb2-0018de98dc40}\Shell\open\command - "" = FILES\REMOVED\BEST.exe
O33 - MountPoints2\{6c6d5b2c-3e2d-11de-9cb2-0018de98dc40}\Shell\AutoRun\command - "" = FILES\REMOVED\BEST.exe
O33 - MountPoints2\{6c6d5b2c-3e2d-11de-9cb2-0018de98dc40}\Shell\open\command - "" = FILES\REMOVED\BEST.exe
[2001/08/23 11:30:00 | 000,434,176 | RHS- | M] () -- C:\explorer.exe

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\vcmxqbd.exe"=-

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

[kareema]

Thanks alot for feedback but Avast is still giving me an alert about the explorer.exe Unfortunately.

[essexboy]

OK OTL was not quite strong enough for this one

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

[kareema]

OK  so I ran the combofix.exe but I don't get a Combofix.txt instead I a got folder combofix and like 26.6mb it contains more folders exactly if I opened up 'My Computer' I see the same I've attached a picture of it and microsoft  message as well.

[kareema]

Can the log be anywhere else it does'nt show in C/:
Oh there is another folder called Qoobox containing 5 folders -Back env  -Lastrun -Quarantine - Test - Test C

[essexboy]

Qoobox contains the quarantined files and various backups

Could you delete your current copy of Combofix, download a fresh version and then run it

[kareema]

Sorry got the same thing again.

[essexboy]

OK different tool time 

Download avz4.zip from HERE

• Unzip it to your desktop to a folder named avz4
  
• Double click on AVZ.exe to run it.
  
• Run an update by clicking the Auto Update button on the Right of the Log window:
  
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with malware removal mode enabled" check box.

• Click on the “Execute selected scripts”.
• Automatic scanning, healing and system check will be executed.
• A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  
• It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
• All applications will work properly after the system restart.

When restarted

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.

• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

.
Upload both zip files to Mediafire and post the sharing link.

[kareema]

Hi so I've uploaded the files was having trouble uploading one of them(virusinfo_syscheck.zip) so I have to unzip  put it in a new folder and zip it back hope there no prob.
Here's the link for both files

http://www.mediafire.com/?sharekey=5de6cccaad38e92c6787958b30ba21400080192828272345a9a26c4ed87536eb

[essexboy]

On completion of this retry Combofix please

AVZ FIX

• Double click on AVZ.exe
• Click File > Custom scripts
• Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
  

Code: [Select]

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
 TerminateProcessByName('c:\windows\system32\vcmxqbd.exe');
 BC_DeleteFile('c:\windows\system32\vcmxqbd.exe');
 DeleteFile('c:\windows\system32\vcmxqbd.exe');
 BC_DeleteFile('C:\windows\system32\vcmxqbd.exe');
 DeleteFile('C:\windows\system32\vcmxqbd.exe');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','WindowsDefender');
 RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Com32');
 RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\RunServicesOnce','LogServ');
 BC_DeleteFile('C:\explorer.exe');
 DeleteFile('C:\explorer.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

• Note: When you run the script, your PC will be restarted
• Click Run
• Restart your PC if it doesn't do it automatically.

[kareema]

I ran avz and combofix again. Go tthe log. I've attached for you.

[essexboy]

OK that does not look to bad - what problems do you have now ?