
Elex and Ghokswa Malware keeps coming back



Hello,

I've been infected with malware named Elex and Ghokswa. I've tried to quarantine and/or delete the virus with Malwarebytes, but they always reappear in future scans after rebooting or updating my computer. Attached below are the FRST and Addition text files. I've also attached a text file of my most recent scan.

Daniel

FRST.txt

Addition.txt

malwarebytes scan1.txt


Hello theerraticalien and welcome to Malwarebytes,

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.

Or from this Mirror
 
  • Double click on Adwcleaner.exe to run the tool
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Emsisoft Emergency Kit
  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.


Let me see those logs, also tell me if there are any remaining issues or concerns...

Kevin..

fixlist.txt


Hello Kevin,

Thanks for the quick response!

I've done exactly what you instructed me to do, in chronological order of course. However, there is a .txt file on my desktop that is ominously titled 'elex'. I do not remember creating the text file myself and am unsure how to deal with this. The text file appeared on my desktop about 5 hours ago, which is after my first Malwarebytes scan and before proceeding with your instructions.

Other than that, I've attached the Fixlog, Addition and my second scan result from Malwarebytes.

 

AdwCleaner Logs

# AdwCleaner v6.047 - Logfile created 20/05/2017 at 16:41:22
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-19.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Daniel - MEIN
# Running from : C:\Users\Daniel\Desktop\elex removal\adwcleaner_6.047.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: C:\Users\Daniel\AppData\Roaming\Firefox
[-] Folder deleted: C:\Users\Daniel\AppData\Local\Firefox


***** [ Files ] *****

[-] File deleted: C:\Users\Public\Documents\temp.dat
[-] File deleted: C:\Users\Public\Documents\report.dat


***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\CSHMDR
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\CSHMDR
[-] Key deleted: HKLM\SOFTWARE\ScreenShot
[-] Key deleted: [x64] HKLM\SOFTWARE\InterSect Alliance
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [WinSAPSvc]
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [BIT]


***** [ Web browsers ] *****

[-] [C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default] [favicon_url] Deleted: hxxp://search.delta-homes.com/webfavicon.ico


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [12186 Bytes] - [28/04/2017 19:01:08]
C:\AdwCleaner\AdwCleaner[C2].txt - [1332 Bytes] - [28/04/2017 21:21:15]
C:\AdwCleaner\AdwCleaner[C3].txt - [2123 Bytes] - [04/05/2017 10:12:46]
C:\AdwCleaner\AdwCleaner[C4].txt - [1800 Bytes] - [20/05/2017 16:41:22]
C:\AdwCleaner\AdwCleaner[S1].txt - [16590 Bytes] - [13/10/2015 21:36:37]
C:\AdwCleaner\AdwCleaner[S2].txt - [11495 Bytes] - [28/04/2017 18:59:46]
C:\AdwCleaner\AdwCleaner[S3].txt - [1464 Bytes] - [28/04/2017 21:20:54]
C:\AdwCleaner\AdwCleaner[S4].txt - [2110 Bytes] - [04/05/2017 10:09:43]
C:\AdwCleaner\AdwCleaner[S5].txt - [2533 Bytes] - [20/05/2017 16:34:57]

########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [2240 Bytes] ##########
 

Emsisoft Scan Logs

Emsisoft Emergency Kit - Version 2017.4
Last update: 20/5/2017 4:50:46 PM
User account: MEIN\Daniel
Computer name: MEIN
OS version: Windows 10x64 

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:    20/5/2017 4:51:13 PM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}     detected: Application.AdReg (A) [271424]
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}     detected: Application.AdReg (A) [271525]

Scanned    87007
Found    2

Scan end:    20/5/2017 5:00:02 PM
Scan time:    0:08:49

Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}     Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}     Application.AdReg (A)

Quarantined    2
 

Thanks for the help,

Daniel

 

Addition.txt

Fixlog.txt

malwarebytes scan2.txt

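A defender-side check for the kind of persistence the AdwCleaner log above shows (the WinSAPSvc and BIT values it removed under the Svchost key). This is an added example, not part of the thread and not Malwarebytes or AdwCleaner code; it assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example, not from the thread: list every service registered in a
# svchost group and where it loads its ServiceDll from. The WinSAPSvc and BIT
# values AdwCleaner removed above are exactly this kind of entry: a service
# added to a svchost group so it restarts with Windows.
# Run from an elevated PowerShell prompt (Windows 7 or later assumed).

function Get-SvchostGroupMembers {
    $svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $systemRoot  = $env:SystemRoot   # normally C:\Windows

    $groups = Get-ItemProperty -Path $svchostKey
    foreach ($prop in $groups.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSChildName/... metadata; skip those
        if ($prop.Name -like 'PS*') { continue }
        # each value is a REG_MULTI_SZ list of the service names in that group
        foreach ($svcName in @($prop.Value)) {
            $svcPath = Join-Path $servicesKey $svcName
            $dll = $null
            $status = 'ok'
            if (-not (Test-Path $svcPath)) {
                # seen on clean systems too: groups can list services that are
                # not installed on every SKU, so this alone is not an alert
                $status = 'service key missing'
            } else {
                $params = Get-ItemProperty -Path (Join-Path $svcPath 'Parameters') -ErrorAction SilentlyContinue
                $dll = $params.ServiceDll
                if (-not $dll) {
                    $status = 'no ServiceDll'
                } else {
                    $full = [Environment]::ExpandEnvironmentVariables($dll)
                    if (-not (Test-Path $full)) {
                        $status = 'DLL NOT ON DISK'
                    } elseif (-not $full.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)) {
                        # a DLL under a user profile or ProgramData is the
                        # finding worth investigating
                        $status = 'DLL OUTSIDE SYSTEMROOT'
                    }
                }
            }
            [PSCustomObject]@{
                Group = $prop.Name; Service = $svcName; ServiceDll = $dll; Status = $status
            }
        }
    }
}

# show only the rows that need a closer look
Get-SvchostGroupMembers | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

Rows marked "DLL OUTSIDE SYSTEMROOT" or "DLL NOT ON DISK" are the ones to compare against the FRST and AdwCleaner logs before anything is removed.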

Hello Daniel,

Thanks for those logs. Regarding the file named elex, right click on that file > select > "Send to" > "Compressed (zipped) Folder". Attach it to your next reply..

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"


Let me see those logs in your reply....

Thank you,

Kevin.


I want another set of logs Daniel, use scan function....

Quote

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Thanks,

Kevin


Hiya Daniel...

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.


Let me know if there are any remaining issues or concerns...

Thank you,

Kevin....

fixlist.txt


Excellent, run the following to clean up...

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 


That is indicating maybe a dropper is still on your system, hence the reinfection attempt... Continue with the following:

Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window Checkmark "Install 32 and 64 bit versions, then select "Next"

In the next window skip Licence I.D. and Licence Key, select "Next"

In the next window make no changes and select "Next"

In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"

In the next window make no changes and select "Install"

RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish.

RogueKiller will launch. Accept UAC, then read and accept "User Agreements"

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

When the scan completes select "Open Report"

In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply

Let me see that log in your reply...
 
Thank you,
 
Kevin

Thanks for that log, I want you to complete another couple of tasks to see if we are missing a dropper that maybe is reinfecting your system...

Reset your router, instructions available at the following link:

http://setuprouter.com/networking/how-to-reset-your-router/

Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper
 
  • Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool, For XP just double click to run.
  • From the left hand pane select "Flush DNS"
  • From the main interface select the dropdown under "Choose a DNS Server"
  • From the list select either "Google Public DNS" or "Open DNS"
  • From the left hand pane select "Apply DNS"


When done re-boot your system....

Next,

Scan with HitmanPro

In any case don't remove on your own anything that Hitman Pro detects! This scanner is really good for checking, it has however been known for deleting files instead of curing them, in some cases this may render the machine unbootable.
Any removals will be done manually after careful analysis of the scan results!

Please download HitmanPro by SurfRight and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
 
  • Right-click on the HitmanPro icon and select Run as Administrator to start the tool.
  • If the program won't run please run it while holding down the left CTRL key until it's loaded!
  • Click on the Next button. You must agree with the terms of EULA (if asked).
  • Check the box beside No, I only want to perform a one-time scan to check this computer.
  • Click on the Next button.
  • The program will start to scan the computer. It would only take several minutes.
  • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore.
  • If there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro! Navigate to C:\ProgramData\HitmanPro\Logs, open the report and include it in your next reply.
  • Click on the Next button.
  • Click on the Save Log button.
  • Save that file to your desktop.


Please include that logfile in your next reply.

Don't forget to re-enable your security!

Let me see that log from HitmanPro...

Thank you,

Kevin