fr8pil8

Posts posted by fr8pil8

  1. Looks like things are back to normal.  The "desktop.ini" icons went away when I re-hid the system files;  no more uncommanded browser scrolling;  and, total care complete 247 hasn't been back.  Your preventive maintenance tips are good and I follow those routinely.  Too bad my son doesn't.  Thanks again for your expert advice...I put a little in your PayPal sack...the next drink's on me!

  2. It appears that the "fix" got rid of the scrolling to the bottom of the page issues I was having with both Thunderbird and Chrome.  When we get to the cleanup phase I'd like your opinion on this:  sometime during the first round of scans with the various programs two "desktop.ini" icons appeared on my desktop (one from 2011, the other from 2013).  Is it safe to delete these?

  3. zoek has gone bonkers.  It ran for ten minutes then froze when it got to C:\Users\Public\Desktop DB Check.  I gave up on it after letting it run for another 40 minutes.  I tried to close the program using the X close button, but the program kept coming back to the freeze point.  Finally, after two hours plus I used Ctrl+Alt+Delete to try to shut it down, with no luck.

  4. Here's the results...

     

    Fix result of Farbar Recovery Scan Tool (x86) Version:21-08-2015
    Ran by Al & Mindy (2015-08-21 21:33:34) Run:1
    Running from C:\Users\Al & Mindy\Desktop\MB8-20
    Loaded Profiles: Al & Mindy (Available Profiles: Al & Mindy & UpdatusUser)
    Boot Mode: Normal
     
    ==============================================
     
    fixlist content:
    *****************
    CreateRestorePoint:
    Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    GroupPolicyScripts: Group Policy detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-4019566695-2349307630-1478826107-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKU\S-1-5-19 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
    SearchScopes: HKU\S-1-5-20 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
    BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Security Suite\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
    Toolbar: HKU\S-1-5-21-4019566695-2349307630-1478826107-1000 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
    FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2014-02-11] (Coupons, Inc.)
    CHR Extension: (No Name) - C:\Users\Al & Mindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\balimbofoedmklhpnchbgmlfipgpbjnl [2015-07-08]
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
    S2 SessionLauncher; C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [X]
    CustomCLSID: HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{994B47B9-7DB9-5058-EE22-08DD039ADC4B}\InprocServer32 -> {1FE960F5-9468-D082-A3F0-98EE85889A47} No File
    CustomCLSID: HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{DD0822EE-9A03-4BDC-B947-4B99B97D5850}\InprocServer32 -> {46CC2438-9468-D082-6EB4-BDB785889A47} No File
    AlternateDataStreams: C:\Users\Al & Mindy\BCHW - Feburary Mount St. Helens Chapter newsletter.eml:OECustomProperty
    AlternateDataStreams: C:\Users\Al & Mindy\Bells Mountain Trail.eml:OECustomProperty
    AlternateDataStreams: C:\Users\Al & Mindy\Fwd- Bells Mountain Trail - Copy (1).eml:OECustomProperty
    AlternateDataStreams: C:\Users\Al & Mindy\Fwd- Bells Mountain Trail.eml:OECustomProperty
    AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo
     
    *****************
     
    Restore point was successfully created.
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully.
    C:\Windows\system32\GroupPolicy\Machine => moved successfully
    C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
    "C:\Windows\system32\GroupPolicy\Machine" => File/Folder not found.
    "HKLM\SOFTWARE\Policies\Google" => key removed successfully.
    "HKU\S-1-5-21-4019566695-2349307630-1478826107-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
    "HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => key removed successfully.
    HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => key not found. 
    "HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => key removed successfully.
    HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => key not found. 
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully.
    "HKCR\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully.
    HKU\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} => value removed successfully.
    HKCR\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E} => key not found. 
    "HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully.
    C:\Program Files\mozilla firefox\browser\plugins\npMozCouponPrinter.dll => moved successfully
    C:\Users\Al & Mindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\balimbofoedmklhpnchbgmlfipgpbjnl => moved successfully
    "HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => key removed successfully.
    SessionLauncher => service removed successfully.
    "HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{994B47B9-7DB9-5058-EE22-08DD039ADC4B}" => key removed successfully.
    "HKU\S-1-5-21-4019566695-2349307630-1478826107-1000_Classes\CLSID\{DD0822EE-9A03-4BDC-B947-4B99B97D5850}" => key removed successfully.
    C:\Users\Al & Mindy\BCHW - Feburary Mount St. Helens Chapter newsletter.eml => ":OECustomProperty" ADS removed successfully..
    C:\Users\Al & Mindy\Bells Mountain Trail.eml => ":OECustomProperty" ADS removed successfully..
    C:\Users\Al & Mindy\Fwd- Bells Mountain Trail - Copy (1).eml => ":OECustomProperty" ADS removed successfully..
    C:\Users\Al & Mindy\Fwd- Bells Mountain Trail.eml => ":OECustomProperty" ADS removed successfully..
    C:\Users\Public\.DS_Store => ":AFP_AfpInfo" ADS removed successfully..
     
     
    The system needed a reboot.
     
    ==== End of Fixlog 21:34:19 ====
     
     
    # AdwCleaner v5.003 - Logfile created 21/08/2015 at 21:46:43
    # Updated 20/08/2015 by Xplode
    # Database : 2015-08-20.1 [server]
    # Operating system : Windows Vista Ultimate Service Pack 2 (x86)
    # Username : Al & Mindy - RUSTRANCH
    # Running from : C:\Users\Al & Mindy\Desktop\MB8-20\AdwCleaner.exe
    # Option : Scan
     
    ***** [ Services ] *****
     
     
    ***** [ Folders ] *****
     
    Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
     
    ***** [ Files ] *****
     
     
    ***** [ Shortcuts ] *****
     
     
    ***** [ Scheduled tasks ] *****
     
     
    ***** [ Registry ] *****
     
     
    ***** [ Web browsers ] *****
     
    [C:\Users\Al & Mindy\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Default_Search_Provider_Data] Found : {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}{google:contextualSearchVersion}ie={inputEncoding}","usage_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_bit":true,"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"manifest_permissions":[]},"app_launcher_ordinal":"n","commands":{},"creation_flags":1,"events":[],"from_bookmark":false,"from_webstore":false,"install_time":"13042140344411000","last_launch_time":"13084222849287800","location":5,"manifest":{"app":{"launch":{"web_url":"hxxps://chrome.google.com/webstore"},"urls":["hxxps://chrome.google.com/webstore"]},"description":"Chrome Web Store","icons":{"128":"webstore_icon_128.png","16":"webstore_icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtl3tO0osjuzRsf6xtD2SKxPlTfuoy7AWoObysitBPvH5fE1NaAA1/2JkPWkVDhdLBWLaIBPYeXbzlHp3y4Vv/4XG+aN5qFE3z+1RU/NqkzVYHtIpVScf3DjTYtKVL66mzVGijSoAIwbFCC3LpGdaoe6Q1rSRDp76wR6jjFzsYwQIDAQAB","name":"Store","permissions":["webstorePrivate","management"],"version":"0.2"},"page_ordinal":"n","path":"C:\\Program 
Files\\Google\\Chrome\\Application\\29.0.1547.66\\resources\\web_store","was_installed_by_default":false},"aohghmighlieiainnegkcijnfilokake":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"disable_reasons":1,"events":[],"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"has_declarative_rules":false,"incognito_content_settings":[],"incognito_preferences":{},"initial_keybindings_set":true,"install_time":"13067493018921800","lastpingday":"13084613983883651","location":1,"manifest":{"api_console_project_id":"619683526622","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en_US","default_locale":"en_US","description":"Create and edit documents ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJhLK6fk/BWTEvJhywpk7jDe4A2r0bGXGOLZW4/AdBp3IiD9o9nx4YjLAtv0tIPxi7MvFd/GUUbQBwHT5wQWONJj1z/0Rc2qBkiJA0yqXh42p0snuA8dCfdlhOLsp7/XTMEwAVasjV5hC4awl78eKfJYlZ+8fM/UldLWJ/51iBQwIDAQAB","manifest_version":2,"name":"Google 
Docs","offline_enabled":true,"update_url":"hxxps://clients2.google.com/service/update2/crx","version":"0.9"},"page_ordinal":"n","path":"aohghmighlieiainnegkcijnfilokake\\0.9_0","preferences":{},"regular_only_preferences":{},"state":0,"was_installed_by_default":true,"was_installed_by_oem":false},"apdfllckaahabafndbhieahigkjlhalf":{"ack_external":true,"active_bit":false,"active_permissions":{"api":["background","clipboardRead","clipboardWrite","notifications","unlimitedStorage"],"manifest_permissions":[]},"app_launcher_ordinal":"x","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":["background","clipboardRead","clipboardWrite","notifications","unlimitedStorage"],"manifest_permissions":[]},"has_declarative_rules":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13081623576698600","last_active_pingday":"13063795186262538","last_launch_time":"13063851359047538","lastpingday":"13084613983883651","location":1,"manifest":{"app":{"launch":{"web_url":"hxxps://drive.google.com/?usp=chrome_app"},"urls":["hxxp://docs.google.com/","hxxp://drive.google.com/","hxxps://docs.google.com/","hxxps://drive.google.com/"]},"background":{"allow_js_access":false},"current_locale":"en_US","default_locale":"en_US","description":"Google Drive: create, share and keep all your stuff in one place.","icons":{"128":"128.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIl5KlKwL2TSkntkpY3naLLz5jsN0YwjhZyObcTOK6Nda4Ie21KRqZau9lx5SHcLh7pE2/S9OiArb+na2dn7YK5EvH+aRXS1ec3uxVlBhqLdnleVgwgwlg5fH95I52IeHcoeK6pR4hW/Nv39GNlI/Uqk6O6GBCCsAxYrdxww9BiQIDAQAB","manifest_version":2,"name":"Google 
Drive","offline_enabled":true,"options_page":"hxxps://drive.google.com/settings","permissions":["background","clipboardRead","clipboardWrite","notifications","unlimitedStorage"],"update_url":"hxxps://clients2.google.com/service/update2/crx","version":"14.0"},"page_ordinal":"n","path":"apdfllckaahabafndbhieahigkjlhalf\\14.0_0","preferences":{},"regular_only_preferences":{},"state":1,"was_installed_by_default":true,"was_installed_by_oem":false},"balimbofoedmklhpnchbgmlfipgpbjnl":{"ack_settings_bubble":true,"active_permissions":{"api":["cookies","searchProvider","storage","tabs","unlimitedStorage"],"explicit_host":["hxxp://*/*","hxxps://*/*"],"manifest_permissions":[]},"blacklist_state":3,"commands":{},"content_settings":[],"creation_flags":9,"disable_reasons":1,"events":[],"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":["cookies","searchProvider","storage","tabs","unlimitedStorage"],"explicit_host":["hxxp://*/*","hxxps://*/*"],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"initial_keybindings_set":true,"install_time":"13079137717632000","lastpingday":"13084613983883651","location":1,"manifest":{"background":{"scripts":["/extensions_base/basejs/jquery-1.9.1.js","/extensions_base/basejs/products/zooms_musixlib_parameters_ds.js","/extensions_base/basejs/base.js","background.js"]},"chrome_settings_overrides":{"search_provider":{"alternate_urls":[],"encoding":"UTF-8","favicon_url":"hxxp://www.gozooms.com/images/favicon.ico","image_url":"hxxp://zooms.searchalgo.com/search/?category=images&q={searchTerms}
     
    ########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [6647 bytes] ##########
     
     
    I ran JRT three times but it would not generate a report.  The program self closed each time as it was checking the registry.  Also, is it normal for this program to start off stating that "the system could not find the desired path" multiple times before it started the "create a restore point"?
     
    Here's the MB threat scan txt:
     
    Malwarebytes Anti-Malware
    www.malwarebytes.org
     
    Scan Date: 8/21/2015
    Scan Time: 10:18:56 PM
    Logfile: MBscan 8-21.txt
    Administrator: Yes
     
    Version: 2.1.8.1057
    Malware Database: v2015.08.21.09
    Rootkit Database: v2015.08.16.01
    License: Premium
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Enabled
     
    OS: Windows Vista Service Pack 2
    CPU: x86
    File System: NTFS
    User: Al & Mindy
     
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 465062
    Time Elapsed: 23 min, 49 sec
     
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled
     
    Processes: 0
    (No malicious items detected)
     
    Modules: 0
    (No malicious items detected)
     
    Registry Keys: 0
    (No malicious items detected)
     
    Registry Values: 0
    (No malicious items detected)
     
    Registry Data: 0
    (No malicious items detected)
     
    Folders: 0
    (No malicious items detected)
     
    Files: 0
    (No malicious items detected)
     
    Physical Sectors: 0
    (No malicious items detected)
     
     
    (end)
     
     
    I am puzzled that this scan indicates that Malware Protection and Malicious Website Protection are Disabled?  I double checked my settings in Malwarebytes and they show both of these settings to be Enabled.
     
     
     
  5. MR C...not that I don't like talking to ya, but I was hoping after the last two malware problems I had last year that I was done with needing your help.  Anyway, here's the info...

     

    RogueKiller:

     

     

    RogueKiller V10.10.1.0 [Aug 17 2015] by Adlice Software
     
    Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Normal mode
    User : Al & Mindy [Administrator]
    Started from : C:\Users\Al & Mindy\Desktop\MB8-20\RogueKiller.exe
    Mode : Scan -- Date : 08/21/2015 09:47:30
     
    ¤¤¤ Processes : 0 ¤¤¤
     
    ¤¤¤ Registry : 18 ¤¤¤
    [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
    [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
    [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
    [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
    [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found
    [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found
    [PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found
    [PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)])  -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)])  -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)])  -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2  -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found
     
    ¤¤¤ Tasks : 0 ¤¤¤
     
    ¤¤¤ Files : 0 ¤¤¤
     
    ¤¤¤ Hosts File : 1 ¤¤¤
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
     
    ¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
    [sSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x41e1357571000000
    [sSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x41e1357589000000
    [sSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[18] : Unknown @ 0x41e12ed8fc000000
    [sSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[21] : Unknown @ 0x41e1241be7000000
    [sSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[42] : Unknown @ 0x41e135747f000000
    [sSDT:Addr(Hook.SSDT)] NtCreateMutant[67] : Unknown @ 0x41e1357527000000
    [sSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[77] : Unknown @ 0x41e135742f000000
    [sSDT:Addr(Hook.SSDT)] NtCreateThread[78] : Unknown @ 0x41e1357408000000
    [sSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[116] : Unknown @ 0x41e1357497000000
    [sSDT:Addr(Hook.SSDT)] NtDuplicateObject[129] : Unknown @ 0x41e12ed92e000000
    [sSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[147] : Unknown @ 0x41e12ed8c8000000
    [sSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[156] : Unknown @ 0x41e1357541000000
    [sSDT:Addr(Hook.SSDT)] NtImpersonateThread[158] : Unknown @ 0x41e1357559000000
    [sSDT:Addr(Hook.SSDT)] NtLoadDriver[165] : Unknown @ 0x41e13574c7000000
    [sSDT:Addr(Hook.SSDT)] NtMapViewOfSection[177] : Unknown @ 0x41e12ed8ac000000
    [sSDT:Addr(Hook.SSDT)] NtOpenEvent[184] : Unknown @ 0x41e135750f000000
    [sSDT:Addr(Hook.SSDT)] NtOpenProcess[194] : Unknown @ 0x41e12ca2d2000000
    [sSDT:Addr(Hook.SSDT)] NtOpenProcessToken[195] : Unknown @ 0x41e12ed916000000
    [sSDT:Addr(Hook.SSDT)] NtOpenSection[197] : Unknown @ 0x41e13574df000000
    [sSDT:Addr(Hook.SSDT)] NtOpenThread[201] : Unknown @ 0x41e12ed948000000
    [sSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[210] : Unknown @ 0x41e1357465000000
    [sSDT:Addr(Hook.SSDT)] NtQueueApcThread[255] : Unknown @ 0x41e13677e7000000
    [sSDT:Addr(Hook.SSDT)] NtReadVirtualMemory[261] : Unknown @ 0x41e13677cd000000
    [sSDT:Addr(Hook.SSDT)] NtResumeThread[282] : Unknown @ 0x41e13575a1000000
    [sSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x41e13575e9000000
    [sSDT:Addr(Hook.SSDT)] NtSetInformationProcess[305] : Unknown @ 0x41e12ed87a000000
    [sSDT:Addr(Hook.SSDT)] NtSetSystemInformation[317] : Unknown @ 0x41e13574af000000
    [sSDT:Addr(Hook.SSDT)] NtSuspendProcess[330] : Unknown @ 0x41e13574f7000000
    [sSDT:Addr(Hook.SSDT)] NtSuspendThread[331] : Unknown @ 0x41e13575b9000000
    [sSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x41e12ed806000000
    [sSDT:Addr(Hook.SSDT)] unknown[335] : Unknown @ 0x41e13575d1000000
    [sSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[348] : Unknown @ 0x41e12ed894000000
    [sSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : Unknown @ 0x41e12ed8e2000000
    [sSDT:Addr(Hook.SSDT)] NtCreateThreadEx[382] : Unknown @ 0x41e1357449000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[317] : Unknown @ 0x41e0ef3336000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[397] : Unknown @ 0x41e0ef3541000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[428] : Unknown @ 0x41e0ef3529000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[430] : Unknown @ 0x41e0ef3559000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[442] : Unknown @ 0x41e0ef3571000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[479] : Unknown @ 0x41e0ef34d4000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[497] : Unknown @ 0x41e0ef350f000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[498] : Unknown @ 0x41e0ef34ee000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x41e0ef333d000000
    [shwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x41e0ef3691000000
     
    ¤¤¤ Web browsers : 0 ¤¤¤
     
    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ARRAY +++++
    --- User ---
    [MBR] aba52d45b8e1f2adf216397c6e932b8c
    [bSP] 15aa431f21a280c81d2601e5a5773708 : HP MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 129024 | Size: 15360 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31586304 | Size: 525312 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1107425280 | Size: 174666 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([57] The parameter is incorrect. )
     
    +++++ PhysicalDrive1: Seagate FA GoFlex Desk USB Device +++++
    --- User ---
    [MBR] 15185c225eb6fb0a3de71f124a83710c
    [bSP] adb3bbbedcdedb86cfcfedec2cb79c0a : Empty|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB [Windows XP Bootstrap | Windows XP Bootloader]
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )
     
    +++++ PhysicalDrive2: DELL USB   HS-CF Card USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )
     
    +++++ PhysicalDrive3: DELL USB   HS-xD/SM USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )
     
    +++++ PhysicalDrive4: DELL USB   HS-MS Card USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )
     
    +++++ PhysicalDrive5: DELL USB   HS-SD Card USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )
     
    +++++ PhysicalDrive6: Canon MX870 series USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    Addition.txt

    FRST.txt

    rk_7CB8.tmp.txt

    scan 8-20a.txt

    scan 8-20b.txt

  6. I didn't get a screen shot of the "Warning" splash screen but it is the same as EricLee posted (see his post of 0635 today titled Remove "Windozssupport247.info").  One difference is that mine shows the URL as "totalcarecomplete247.info".  It's the same old 'you may have a virus' BS that pops up from time to time...'call tech support @...'

     

    Ctrl+Alt+Delete worked fine but I'd like to remove this #!*% with your help.  Thanks!

  7. Looks as if I got rid of all the tools, with the exception of MBAR.  When I try to delete it from my desktop a msg tells me that I need permission to do it?  Any ideas?

     

    I'll review your Prev. Mx tips again, but with a 28 yr old son who does a lot of surfing...

     

    Have a beverage of your choice on me via PayPal!

  8. Working on it MrC...as I was downloading Security Check the computer started acting up (downloads section froze and no other windows would open (not responding)).  Then all my icons disappeared from the desktop.  They finally came back a few minutes later and then disappeared again.  My desktop was unresponsive so I shut down the system with the power button.  After restart the computer started a CHKDSK program.  I'll get the scan done as soon as things get back to normal...soon I hope!

  9. More tinkering and found a way to get the info to the clipboard:

     

    Filename: 00017421.tmp.xbad
    Threat name: Trojan.Poweliks!gm
    Full Path: c:\frst\quarantine\c\windows\system32\00017421.tmp.xbad

    ____________________________

    Details
    Unknown Community Usage,  Unknown Age,  Risk High

    Origin
    Downloaded from
     Unknown

    Activity
    Actions performed: 98

    ____________________________

    On computers as of
    Not Available

    Last Used
    11/13/2014 at 11:33:29 AM

    Startup Item
    No

    Launched
    No

    ____________________________

    Unknown
    It is unknown how many users in the Norton Community have used this file.

    Unknown
    This file release is currently not known.

    High
    This file risk is high.

    Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

    ____________________________

    Source: External Media

    ____________________________

    File Actions

    File: c:\frst\quarantine\c\windows\system32\ 00017421.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00024626.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00009741.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00016118.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00024084.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00008723.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00022929.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00012859.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00016944.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00027644.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00015890.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00014771.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00016827.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00027529.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00032439.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00031101.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00025667.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00025547.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00007711.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00015141.tmp.xbad Removed

    File: c:\frst\quarantine\c\windows\system32\ 00027446.tmp.xbad Removed

    ____________________________

     

    Registry Actions

     

    Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

    Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1005\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

    Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

    Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

    Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

    Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

    Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1005\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

    Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

    Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

    Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

    Registry change: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

    Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

    Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1005\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

    Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

    Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

    Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

    Registry change: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

    ____________________________

     

     

    File Thumbprint - SHA:

    33035762c5d37e4ea67d82d13e8d1e9e23ff8b5c26452d70651da04ca14a3333

    File Thumbprint - MD5:

    Not available
  10. Can't get a text file except in binary form.  I can't open .mcf files, but I tried to attach Norton's Quarantine Log in that format. Unfortunately, I get an error msg: "you aren't permitted to upload this kind of file".

    Essentially, the log shows that Trojan.Poweliks!gm was detected by their Auto-Detect mode and was Quarantined FOUR times today (45 times yesterday).

    The file names today were:
    00017421.tmp.xbad
    00012316.tmp.xbad
    00017035.tmp
    00024370.tmp

  11. Ran JRT twice, but neither run generated a log.  Redownloaded JRT and ran it again with the same result--no log.  In all three runs neither the "Registry B/U" check nor the "Start-up" showed any result except:  "cannot find the specified path".  Going down the rest of the categories the program closed after it had spent a minute or so checking the "Registry" category.

     

    Threat scan showed no problems.  The multiple dlls have not shown up so far today.  It's interesting, though, that Norton360 was still advising me this morning that it was detecting the malware.

  12. # AdwCleaner v4.101 - Report created 13/11/2014 at 10:58:15

    # Updated 09/11/2014 by Xplode

    # Database : 2014-11-12.2 [Live]

    # Operating System : Windows Vista Ultimate Service Pack 2 (32 bits)

    # Username : Al & Mindy - RUSTRANCH

    # Running from : C:\Users\Al & Mindy\Desktop\AdwCleaner.exe

    # Option : Clean

     

    ***** [ Services ] *****

     

     

    ***** [ Files / Folders ] *****

     

     

    ***** [ Scheduled Tasks ] *****

     

     

    ***** [ Shortcuts ] *****

     

     

    ***** [ Registry ] *****

     

    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.7

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.0.7

    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

     

    ***** [ Browsers ] *****

     

    -\\ Internet Explorer v9.0.8112.16584

     

     

    -\\ Mozilla Firefox v33.1 (x86 en-US)

     

     

    -\\ Google Chrome v38.0.2125.111

     

     

    *************************

     

    AdwCleaner[R0].txt - [1159 octets] - [13/11/2014 10:50:18]

    AdwCleaner[s0].txt - [1086 octets] - [13/11/2014 10:58:15]

     

    ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1146 octets] ##########
  13. Ran MBAR...it found two infections in the Registry and the final step (CLEAN, I believe it said) seems to have deleted the problem files.  Next ran ESET...it found no problems.  Lastly, reran FRST and have attached the files.  One thing to note here, I use Norton 360 Antivirus.  The first time I ran FRST this morning there was no conflict.  Tonight Norton's Sonar sensor sent the FRST.exe file to quarantine when I tried to run the program.  I forced a Restore, turned off Norton and ran FRST.  

     

    Seems like things are back to normal.  I'll recheck in the a.m. and get back to you.

     

    Thanks

    Addition.txt

    FRST.txt

  14. When I hit the reports button this web page came up also:  http://www.adlice.com/poweliks-removal-with-roguekiller/

     

    I didn't follow the advice given as I'm going to stick with your analysis and see if we can lick this thing;  however, I didn't know if you had seen this link.

     

     

    tigzy Post author

    10/24/2014 at 12 h 20 min

    The process is the following:
    – Scan with RogueKiller (do not close at the end!)
    – Kill all dllhost processes
    – Remove with RogueKiller
    – Reboot immediately.

    Some forum thread that may help: http://forum.adlice.com/index.php?topic=215.0

  15. RogueKiller V10.0.5.0 [Nov 11 2014] by Adlice Software
     

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

    Started in : Safe mode with network support

    User : Al & Mindy [Administrator]

    Mode : Scan -- Date : 11/12/2014  20:39:34

     

    ¤¤¤ Processes : 2 ¤¤¤

    [Tr.Poweliks] dllhost.exe -- [x] -> Killed [TermProc]

    [Tr.Poweliks] dllhost.exe -- C:\Windows\system32\dllhost.exe[7] -> Killed [TermThr]

     

    ¤¤¤ Registry : 28 ¤¤¤

    [Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD (\SystemRoot\system32\drivers\afd.sys) -> Found

    [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found

    [suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found

    [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found

    [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found

    [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found

    [suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found

    [PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found

    [PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found

    [PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found

    [PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found

    [PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found

    [PUM.SearchPage] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found

    [PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found

    [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found

    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found

    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found

    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Found

    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Found

    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2  -> Found

    [PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found

    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_CFCE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_CFCE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

    [Tr.Poweliks] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

     

    ¤¤¤ Tasks : 0 ¤¤¤

     

    ¤¤¤ Files : 0 ¤¤¤

     

    ¤¤¤ Hosts File : 1 ¤¤¤

    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

     

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

     

    ¤¤¤ Web browsers : 0 ¤¤¤

     

    ¤¤¤ MBR Check : ¤¤¤

    +++++ PhysicalDrive0:  +++++

    --- User ---

    [MBR] aba52d45b8e1f2adf216397c6e932b8c

    [bSP] 15aa431f21a280c81d2601e5a5773708 : HP MBR Code

    Partition table:

    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB

    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 129024 | Size: 15360 MB

    2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31586304 | Size: 525312 MB

    3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1107425280 | Size: 174666 MB

    User = LL1 ... OK

    Error reading LL2 MBR! ([57] The parameter is incorrect. )

     

    +++++ PhysicalDrive1:  +++++

    --- User ---

    [MBR] 15185c225eb6fb0a3de71f124a83710c

    [bSP] adb3bbbedcdedb86cfcfedec2cb79c0a : Empty MBR Code

    Partition table:

    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB

    User = LL1 ... OK

    Error reading LL2 MBR! ([32] The request is not supported. )

     

    +++++ PhysicalDrive2:  +++++

    Error reading User MBR! ([15] The device is not ready. )

    Error reading LL1 MBR! NOT VALID!

    Error reading LL2 MBR! ([32] The request is not supported. )

     

    +++++ PhysicalDrive3:  +++++

    Error reading User MBR! ([15] The device is not ready. )

    Error reading LL1 MBR! NOT VALID!

    Error reading LL2 MBR! ([32] The request is not supported. )

     

    +++++ PhysicalDrive4:  +++++

    Error reading User MBR! ([15] The device is not ready. )

    Error reading LL1 MBR! NOT VALID!

    Error reading LL2 MBR! ([32] The request is not supported. )

     

    +++++ PhysicalDrive5:  +++++

    Error reading User MBR! ([15] The device is not ready. )

    Error reading LL1 MBR! NOT VALID!

    Error reading LL2 MBR! ([32] The request is not supported. )

     

     

    ============================================

    RKreport_DEL_07082014_161306.log - RKreport_DEL_07082014_161932.log - RKreport_DEL_07082014_171247.log - RKreport_DEL_07112014_205900.log

    RKreport_SCN_07062014_124132.log - RKreport_SCN_07082014_135217.log - RKreport_SCN_07082014_155330.log - RKreport_SCN_07082014_161843.log

    RKreport_SCN_07082014_170715.log - RKreport_SCN_07082014_173605.log - RKreport_SCN_07092014_171156.log - RKreport_SCN_07112014_103613.log

    RKreport_SCN_07112014_205735.log
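Added example, not from the thread or from Adlice: a small Python triage of a report in the RogueKiller layout pasted above, separating the Poweliks indicators (the dllhost.exe host processes and the CLSID LocalServer32 keys, using the two CLSIDs named in the FRST and RogueKiller logs in this thread) from the PUM noise, and checking each section's banner count against the finding lines actually present. The sample report is constructed to mirror the format above, and the regexes are my assumption about that layout, not Adlice's own parser.

```python
import re

# Constructed sample in the RogueKiller V10 report layout shown above:
# section banners, then one "[Category] detail -> status" line per finding.
SAMPLE_REPORT = r"""¤¤¤ Processes : 2 ¤¤¤
[Tr.Poweliks] dllhost.exe -- [x] -> Killed [TermProc]
[Tr.Poweliks] dllhost.exe -- C:\Windows\system32\dllhost.exe[7] -> Killed [TermThr]

¤¤¤ Registry : 3 ¤¤¤
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[Tr.Poweliks] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

¤¤¤ Tasks : 0 ¤¤¤
"""

# Assumed layout: "¤¤¤ Name : N ¤¤¤" banners (count optional, e.g. "MBR Check : ")
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d*).*?¤¤¤$")
FINDING_RE = re.compile(r"^\[(?P<category>[^\]]+)\] (?P<detail>.+?) -> (?P<status>.+)$")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\LocalServer32", re.IGNORECASE)
# The two CLSIDs the FRST and RogueKiller logs in this thread tie to Poweliks.
POWELIKS_CLSIDS = {"{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
                   "{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}"}

def parse_report(text):
    """Map each section name to its banner count and the finding lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            declared = int(m.group("count")) if m.group("count") else None
            sections[current] = {"declared": declared, "findings": []}
            continue
        m = FINDING_RE.match(line)
        if m and current is not None:
            sections[current]["findings"].append(
                {k: m.group(k).strip() for k in ("category", "detail", "status")})
    return sections

def check_counts(sections):
    """Sections whose banner count differs from the finding lines parsed (a truncated paste)."""
    return [(name, s["declared"], len(s["findings"]))
            for name, s in sections.items()
            if s["declared"] is not None and s["declared"] != len(s["findings"])]

def triage_poweliks(sections):
    """Separate Poweliks indicators (dllhost hosts, CLSID LocalServer32 keys) from PUM noise."""
    hosts = [f for f in sections.get("Processes", {}).get("findings", [])
             if f["category"] == "Tr.Poweliks"]
    persistence = []
    for f in sections.get("Registry", {}).get("findings", []):
        m = CLSID_RE.search(f["detail"])
        clsid = m.group(1).upper() if m else None
        if f["category"] == "Tr.Poweliks" or clsid in POWELIKS_CLSIDS:
            persistence.append({"key": f["detail"], "clsid": clsid, "status": f["status"]})
    return {"host_processes": hosts, "persistence_keys": persistence}
```

Only lines of the "[Category] ... -> status" shape are counted, so a section such as "Hosts File" (whose entry has no "->") will show as a count mismatch; that is a hint to read it by hand, not an error.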
