Everything posted by argzip
Poweliks, etc. - appears my computer is infected
argzip replied to argzip's topic in Resolved Malware Removal Logs
I think we are done, thanks for all your help!
Poweliks, etc. - appears my computer is infected
argzip replied to argzip's topic in Resolved Malware Removal Logs
Seems to be running smoothly. No evidence of the Trojan, or anything unusual. Thanks!
Poweliks, etc. - appears my computer is infected
argzip replied to argzip's topic in Resolved Malware Removal Logs
RogueKiller and FRST are attached. Thanks.
Attachments: RKreport_DEL_10212014_143140.log, FRST.txt
Poweliks, etc. - appears my computer is infected
argzip replied to argzip's topic in Resolved Malware Removal Logs
RogueKiller log is attached.
Attachment: RKreport_SCN_10212014_132156.log
Poweliks, etc. - appears my computer is infected
argzip replied to argzip's topic in Resolved Malware Removal Logs
FRST will not run after clicking FIX. Windows (7) gives the "program has stopped working" message. Fixlist.txt is in the same folder as FRST.
Poweliks, etc. - appears my computer is infected
argzip replied to argzip's topic in Resolved Malware Removal Logs
Kevin, the logs are attached. Thanks.
Attachments: ESET SCAN.txt, Addition.txt, FRST.txt
Poweliks, etc. - appears my computer is infected
argzip replied to argzip's topic in Resolved Malware Removal Logs
Please see attached ComboFix text file. I also may have made a mistake - I deleted the Poweliks Trojan when RogueKiller detected it. I realized I did not follow your directions exactly after it was too late, sorry. However, the Malwarebytes blocking notifications of fff5ee.com and others have stopped.
Attachment: ComboFixLog.txt
Poweliks, etc. - appears my computer is infected
argzip replied to argzip's topic in Resolved Malware Removal Logs
RKill:

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/20/2014 12:01:21 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:
 * No malware services found to stop.

Checking for processes to terminate:
 * No malware processes found to kill.

Checking Registry for malware related settings:
 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
 * No issues found.

Checking Windows Service Integrity:
 * No issues found.

Searching for Missing Digital Signatures:
 * No issues found.

Checking HOSTS File:
 * No issues found.

Program finished at: 10/20/2014 12:03:28 PM
Execution time: 0 hours(s), 2 minute(s), and 7 seconds(s)

RogueKiller:

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Home [Administrator]
Mode : Scan -- Date : 10/20/2014 12:30:18

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 16 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5} : C:\Windows\test.bat -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://yahoo.com/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://yahoo.com/ -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://yahoo.com/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://yahoo.com/ -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9B06CCA7-2ECA-4742-A628-46A7387A6520} | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9B06CCA7-2ECA-4742-A628-46A7387A6520} | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9B06CCA7-2ECA-4742-A628-46A7387A6520} | DhcpNameServer : 192.168.1.1 184.16.33.54 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-3805995526-3241524187-455054265-1002\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] Best Buy pc app.lnk -- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [LNK@] C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST31000528AS ATA Device +++++
--- User ---
[MBR] 5141a8c3557b0fc8b94d42efd348e829
[BSP] 77dfb764539fae50b77dddc066f4970c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 928093 MB
2 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 1900941312 | Size: 25675 MB
User = LL1 ... OK
User = LL2 ... OK
Poweliks, etc. - appears my computer is infected
argzip replied to argzip's topic in Resolved Malware Removal Logs
I downloaded Fixlist.txt, ran FRST and clicked the Fix button once. I have attached the Fixlog.txt. FRST continues to say "Fixing is in progress, please wait...." It has been doing this for about 25 minutes. The Malwarebytes blocking pop-ups continue about every few seconds. This is as far as I have gone.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 20-10-2014
Ran by Larry at 2014-10-20 10:45:31 Run:1
Running from C:\Users\Larry\Desktop\Malware Removal Tools
Loaded Profiles: Home & Larry (Available profiles: Home & Larry & Rita & Anna & Guest)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
HKLM\...\Run: [Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] => C:\Windows\test.bat
C:\Windows\test.bat
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3805995526-3241524187-455054265-1002\...\MountPoints2: {15176a33-4c0c-11e1-a970-4437e62020c4} - "E:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3805995526-3241524187-455054265-1002\...A8F59079A8D5}\localserver32: <==== ATTENTION!
C:\Users\Larry\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Larry\AppData\Local\Temp\SearchWithGoogleUpdate.exe
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => ?
EmptyTemp:
End
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5} => Value could not be deleted.
"C:\Windows\test.bat" => File/Directory not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value could not be deleted.
"HKU\S-1-5-21-3805995526-3241524187-455054265-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{15176a33-4c0c-11e1-a970-4437e62020c4}" => Key not found.
"HKCR\CLSID\{15176a33-4c0c-11e1-a970-4437e62020c4}" => Key not found.
"HKU\S-1-5-21-3805995526-3241524187-455054265-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
"HKU\S-1-5-21-3805995526-3241524187-455054265-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
C:\Users\Larry\AppData\Local\Temp\MSETUP4.EXE => Moved successfully.
C:\Users\Larry\AppData\Local\Temp\SearchWithGoogleUpdate.exe => Moved successfully.
Could not move "C:\windows\Tasks\Adobe Flash Player Updater.job" => Scheduled to move on reboot.
Could not move "C:\windows\Tasks\GoogleUpdateTaskMachineCore.job" => Scheduled to move on reboot.
Could not move "C:\windows\Tasks\GoogleUpdateTaskMachineUA.job" => Scheduled to move on reboot.
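Added example, not part of argzip's posts or of the helper's instructions: a PowerShell re-check of the two persistence locations that RogueKiller flagged in the scan above, the HKLM Run value pointing at C:\Windows\test.bat (which the FRST fixlog later reports it could not delete, with the target file not found) and the per-user CLSID LocalServer32 key reported as Tr.Poweliks. It assumes Windows 7 or later and an elevated PowerShell so every loaded user hive under HKEY_USERS is readable; the rules that decide what counts as suspicious (missing target file, script file used as a launcher, inline script host in the command) are this example's own assumptions, not RogueKiller's or FRST's logic.

```powershell
# Added example, not from the forum thread, RogueKiller or FRST.
# Re-checks HKLM Run values and per-user CLSID LocalServer32 servers.
# Assumptions: Windows 7+, elevated shell; heuristics below are this example's own.

# Pull the program path out of a launch command, e.g.
#   "C:\Program Files\App\app.exe" /arg  ->  C:\Program Files\App\app.exe
#   C:\Windows\test.bat                  ->  C:\Windows\test.bat
function Get-CommandPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -lt 0) { return $c.Trim('"') }
        return $c.Substring(1, $end - 1)
    }
    # Unquoted: first whitespace-delimited token, %SystemRoot%-style variables expanded.
    return [Environment]::ExpandEnvironmentVariables(($c -split '\s+')[0])
}

# Returns the list of reasons a launch command looks wrong (empty list = nothing to report).
function Test-SuspiciousLaunch {
    param([string]$Command)
    $reasons = @()
    $path = Get-CommandPath $Command
    if (-not $path) {
        $reasons += 'empty command'
    } else {
        # A bare name such as rundll32.exe is fine if it resolves on PATH.
        $exists = (Test-Path -LiteralPath $path) -or
                  ($path -notmatch '[\\/]' -and (Get-Command $path -ErrorAction SilentlyContinue))
        if (-not $exists) { $reasons += "target not found: $path" }
        if ($path -match '(?i)\.(bat|cmd|vbs|js|hta)$') { $reasons += 'script file used as launcher' }
    }
    # Assumed heuristic: an autorun or COM server that starts a script engine inline.
    if ($Command -match '(?i)javascript:|mshta(\.exe)?\s') { $reasons += 'inline script host' }
    return ,$reasons
}

function Get-PersistenceFindings {
    $findings = @()

    # 1. HKLM Run (64-bit view and WOW6432Node), where the scan showed
    #    Unattend0000000001{...} -> C:\Windows\test.bat.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $key = Get-Item -LiteralPath $k
        foreach ($name in $key.GetValueNames()) {     # '' is the default (unnamed) value
            $cmd = [string]$key.GetValue($name)
            $why = Test-SuspiciousLaunch $cmd
            if ($why.Count) {
                $findings += [pscustomobject]@{ Location = "$k\$name"; Command = $cmd; Reason = ($why -join '; ') }
            }
        }
    }

    # 2. Per-user COM servers: HKU\<SID>\Software\Classes\CLSID\<clsid>\LocalServer32,
    #    the location RogueKiller reported as Tr.Poweliks.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $users = Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($u in $users) {
        $clsidRoot = Join-Path $u.PSPath 'Software\Classes\CLSID'
        if (-not (Test-Path $clsidRoot)) { continue }
        foreach ($clsid in Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue) {
            $ls = Join-Path $clsid.PSPath 'LocalServer32'
            if (-not (Test-Path $ls)) { continue }
            $cmd = [string](Get-Item $ls).GetValue('')
            $why = Test-SuspiciousLaunch $cmd
            if ($why.Count) {
                $loc = "HKU\$($u.PSChildName)\...\CLSID\$($clsid.PSChildName)\LocalServer32"
                $findings += [pscustomobject]@{ Location = $loc; Command = $cmd; Reason = ($why -join '; ') }
            }
        }
    }
    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

On the machine in the thread, the Run value would be reported with "target not found: C:\Windows\test.bat" and "script file used as launcher", matching the FRST result that the file does not exist; an empty result after cleanup is the confirmation the later posts describe. Only loaded user hives appear under HKEY_USERS, so profiles that are not logged in (here, Rita, Anna and Guest) are not checked unless their NTUSER.DAT is loaded first.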