Infected: Pyordono.a, Zpevdo.a, Obfuscator

Hello. Not sure how we got these, but Windows Defender messages started to come up saying that the subject malware was detected and quarantined. However, when I quickly installed MBAM to see if any remnants might be left, the MBAM real-time monitoring kept popping up saying that website after website was trying to be opened by the computer browser. So, it appears that WD may not have actually eradicated these.

I ran the RUN ME FIRST steps, and these logs are attached: AdwareCleaner, HitmanPro, Mbam, RogueKiller, as well as MGlogs.

As far as current behavior, I disconnected the computer from the internet to stop the MBAM notices that websites were attempting to launch; so it's not clear to me exactly what the computer would be doing right now if I re-connected it.

Many thanks for your help.

 

Thanks TimW. Attached is the new RK log. MBAM isn't popping up messages about any webpages trying to load. I then ran an MBAM scan, and no threats were found. So, is it really possible that RK was all that was necessary to get rid of all the malware WD detected? If so, Wow!

 

You're the best. Many thanks!

 

Oops - spoke too soon (?) I just received more Windows Defender messages, which I figured were the old notifications that need to be cleared, but there is a new one dated today - Fuerboos.A!cl. I'm wondering if this was found earlier, before your RK removal instructions, but I don't see a time notation in WD history. Any thoughts?

 

Attached is rklog from this morning. When I turned the computer on, WD did show another message dated today about Fuerboos.A!cl still being detected. MBAM doesn't seem to be noticing anything, and I don't think the computer is doing anything weird; then again, I'm not really using it much right now. I use both IE and Chrome on this computer -- probably mostly Chrome. Thanks!

 

Yes, there is a path shown in the WD message, but when I go there, even with all files/folders unhidden (incl protected system files), I don't see the file that the path is referencing. Here's the message from WD:

Trojan:Win32/Fuerboos.A!cl
Alert level: Severe
Status: Quarantined
Date: 7/4/2018
Recommended action: Remove threat now.
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.
Affected Items:
file: C:\Users\**USER NAME**\AppData\Local\Comms\upaworsch.exe

 

Sorry, should have been more clear. Yes, I know what the user name is, and I am using the actual user name path (what I did was type in a placeholder for the user name before posting here). When I go to the actual path, the upaworsch.exe file is not actually there. (I do have all files and folders set as un-hidden.) I also did a search for the file at the AppData level, and it was not found anywhere.