AutoIt malware - Problem and BIG confusion

Discussion in 'Malware Help (A Specialist Will Reply)' started by Peter Coyote, Nov 29, 2009.

  1. Peter Coyote

    Peter Coyote Private E-2

    Dear guys,

    Thank you in advance for spending time reading this thread.
    I am completely out of my mind because of the situation I have found myself in.

    Last weekend I decided to reinstall my home desktop computer, but to install a Linux distribution on it this time. As a quick and dirty workaround for properly setting up Samba sharing I published the share to the guest (any) user with full rights.

    Since that time I realized that one exe file and one file without an extension are present in the root of the share. Strange thing...
    I archived the files and deleted them from the share. Afterwards I uploaded the file to virustotal.com and found out that it is malware, called AutoIt by many AV software vendors.

    I am using Avira's free AV and Comodo's free firewall (part of their security suite). Until now I haven't experienced any strange behavior or security problem, but, to be honest, in my home (Windows based) network I have never had file sharing set up without taking care of security etc...

    Anyway, I started installing and running all different anti-malware products, but nothing has been found. Very strange thing... In the meantime, every now and then, a new exe file with one file without an extension would show up in the file share... Executables are named with randomly chosen file names and always have different sizes, but the files without an extension are always either khv or khu.
    Executables are just placed there, they are not active, therefore they can be removed (which I did every time).
    I even checked the behaviour of some of those executables with the SandBoxie program... I have identified which files and registry entries are modified inside of the sandbox, but none of these were modified inside of the real OS. This started to be insane...

    I decided to back up everything and to restore a clean OS from the image created some months ago, which I did today. As I updated this image with the Windows updates published in the meantime, I was monitoring the file share because there was some amount of skepticism in me after the unexplained problem I experienced.
    And there it happened at some point. One file reappeared and I was banging my head against the wall once again.

    Then I visited your forum, prepared myself and did the following.
    I have run all the tools from your READ & RUN ME FIRST thread, the logs are attached to this and the next message, but let me tell you right away nothing is identified.

    I will also attach the pdf printouts of the virustotal.com result for the files I have saved and submitted.

    As additional information I just want to mention that there are two more computers besides the one I suspect is infected and the one installed with Linux. There is my wife's personal laptop and my business laptop. My wife's computer was reinstalled yesterday and is definitely clean, which leaves only my business laptop to be checked. That I will do in the upcoming week.
    But anyway, I made some tests with the computers and left the suspicious computer shut down for one whole day while using the other computers... No exe file appeared. In the first couple of hours after the suspicious computer was powered on, exe files started to appear...

    I hope I could explain properly what the problem is, because English is not my mother language.

    Thank you one more time for your effort.

    Best regards,
    --
    Peter Coyote
     
  2. Peter Coyote

    Peter Coyote Private E-2

    Dear guys,

    Please find attached the required logs together with the reports from virustotal.com

    Best regards,
    --
    Peter Coyote
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The only thing that was found was in the MBAM log, which indicated that you took no action to fix it. All the rest of your logs are clean. You will have to tell me exactly what you are finding.

    You need to put combofix on your desktop where you were instructed to put it, not here:
    c:\downloads\ComboFix.exe
     
  4. Peter Coyote

    Peter Coyote Private E-2

    Hi TimW!
    Thank you for your reply.

    Mbam suggested fixing the security center alert about automatic Windows Update being turned off, which I did on purpose.

    ComboFix did its job correctly. The only thing that failed was contacting the download site for the repair console during the ComboFix session, but as ComboFix hasn't discovered any malware that wasn't a big deal, only an informational message.

    From my perspective, I would say that there's no malware infection on the mentioned computer anyway. It came to my mind that the infection could be coming from the "outside". This computer is in the DMZ of the ADSL router and, as I connect to and use it remotely when I'm out of the house, many ports are forwarded to this machine. As I mentioned, as a temporary workaround, I established file sharing without asking for credentials for authentication. It seems that the files are dropped "from the other side of the router".

    Since I configured Samba correctly on this machine, no strange behavior has been detected (a couple of days already).

    Thank you very much for responding to my cries for help. :)

    Bye!
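    The root cause in this thread is a guest-writable Samba share on a host that also sits in the router's DMZ, so anything on the Internet could drop files into it. Below is an added example (not from the thread or from the Samba project) that audits an smb.conf for shares granting anonymous write access and checks whether [global] restricts hosts. The two configurations, the user name "peter" and the 192.168.1.0/24 range are constructed for the example; Samba's key names, synonyms ("writable"/"writeable"/"read only", "guest ok"/"public") and default of "read only = yes" are real.

    ```python
    """Audit smb.conf for guest-writable shares (the 'quick and dirty' setup from the thread)."""
    import configparser

    # Constructed sample: the weak share, roughly what the original poster described.
    WEAK_SMB_CONF = """
    [global]
       workgroup = WORKGROUP
       map to guest = Bad User

    [public]
       path = /srv/share
       guest ok = yes
       writable = yes
       create mask = 0777
    """

    # Constructed sample: the same share hardened (authenticated user, LAN-only hosts).
    HARDENED_SMB_CONF = """
    [global]
       workgroup = WORKGROUP
       map to guest = Never
       hosts allow = 192.168.1.0/24 127.0.0.1
       hosts deny = ALL

    [share]
       path = /srv/share
       guest ok = no
       valid users = peter
       writable = yes
       create mask = 0660
    """

    TRUE_VALUES = {"yes", "true", "1"}


    def _truthy(value):
        """Samba accepts yes/true/1 as boolean true (case-insensitive)."""
        return value.strip().lower() in TRUE_VALUES


    def parse_smb_conf(text):
        """smb.conf is INI-style; configparser handles it when indentation is consistent."""
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read_string(text)
        return parser


    def share_allows_guest_write(section):
        """True if the share lets an unauthenticated (guest) client write to it."""
        guest = _truthy(section.get("guest ok", section.get("public", "no")))
        # "writable"/"writeable" and "read only" are synonyms with inverted sense;
        # when neither is given, Samba's default is read only = yes.
        if "writable" in section or "writeable" in section:
            writable = _truthy(section.get("writable", section.get("writeable", "no")))
        else:
            writable = not _truthy(section.get("read only", "yes"))
        return guest and writable


    def audit(text):
        """Return the names of shares that allow guest write access."""
        parser = parse_smb_conf(text)
        findings = []
        for name in parser.sections():
            if name.lower() in ("global", "printers", "print$"):
                continue
            if share_allows_guest_write(parser[name]):
                findings.append(name)
        return findings


    def global_restricts_hosts(text):
        """Heuristic: [global] pins access to listed hosts (hosts allow set, hosts deny = ALL)."""
        parser = parse_smb_conf(text)
        if not parser.has_section("global"):
            return False
        g = parser["global"]
        return bool(g.get("hosts allow", "").strip()) and g.get("hosts deny", "").strip().upper() == "ALL"


    if __name__ == "__main__":
        for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
            print(label, "guest-writable shares:", audit(conf),
                  "host restriction:", global_restricts_hosts(conf))
    ```

    The host restriction only limits which clients Samba will talk to; it does not undo the DMZ or port-forwarding rules on the router, which are what exposed port 445 to the Internet in the first place. Running the audit is a cheap first check, but the exposure itself is fixed at the router.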
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
