Jump to content

Recommended Posts

My laptop got affected about 20 days ago when I used the free wifi from a hotel, then I had it looked at by Laptop Clinic, installed Malwarebytes, got rid of much of the viruses, I assume, then updated my windows system, installed Chrome for the hope of less glitches. But it appears that it still got some of the viruses yet to be rid of. First of all, my memory and CPU was eaten up by something unknown, which causes the sudden and really noisy spinning of the fan (never had that before), More importantly,somehow the viruses remain in the laptop and keep downloading malwares to my laptop, popping up windows saying flappy bird pc, etc., Several times I run the Malwarebytes and come back as clean but after a while malwares still show again all of a sudden.

 

From Malwarebytes protection log I found some of the details are:

Malicious Website Protection, IP, 31.184.192.213, Outbound, C:\Windows\SysWoW64\dllhost.exe

Malicious Website Protection, IP, 31.184.192.80, 1e90ff.com, Outbound, C:\Windows\SysWoW64\dllhost.exe

 

By the way, for no reasons at all, a window says "Host Process for Windows Services has stopped working" keeps showing from time to time, I guess it might be virus related (?)

Here is the problem details:

Problem signature:
  Problem Event Name: APPCRASH
  Application Name: svchost.exe
  Application Version: 6.1.7600.16385
  Application Timestamp: 4a5bc3c1
  Fault Module Name: ieframe.dll
  Fault Module Version: 11.0.9600.17280
  Fault Module Timestamp: 53f26cbd
  Exception Code: c0000005
  Exception Offset: 0000000000003fdf
  OS Version: 6.1.7601.2.1.0.768.3
  Locale ID: 1033
  Additional Information 1: a543
  Additional Information 2: a543757d90c8c9f795de5710a00a77fd
  Additional Information 3: a01d
  Additional Information 4: a01deda2367e2f1ef7c265b129bdc753
 
 
 
Thanks very much. I hope my information could be helpful to help get rid of the viruses. 
 
Cheers
Link to post
Share on other sites

Hello and post-32477-1261866970.gif

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User Licene Agreement)
Click Scan to scan the system.
When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
Post back the report which should also be located here:
C:\Programdata\RogueKiller\Logs <-------- W7/8
C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

 

Let me see those logs in your next reply.

 

Thanks,

 

Kevin....

Link to post
Share on other sites

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Download Malwarebytes Anti-Malware to your desktop.


Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.
On the Dashboard, click the 'Update Now >>' link
After the update completes Select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Now select > Scan > Threat scan > Scan now
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 


After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt. Where n in the scan reference number

 

Next,

 

thisisujrt.gif Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts. (re-enable when done)
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en'>https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

 

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window

In the "Scan Type" window, select Quick Scan

Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

 

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

notepad c:\windows\debug\mrt.log

 

Let me see those logs in your next reply...

 

Kevin

 

 

 

 

Fixlist.txt

Link to post
Share on other sites

Hey, Kevin, 

 

Thanks a lot for the instruction.

 

The FRST kept running for about 5 or 6 hours and it always show "fixing in in progress". I did put the FRST and the fixlist.txt in the same location.  But later I found that a fixlog.txt was generated anyway and FRST was then terminated later by another software you asked me to run.

 

 

 

Link to post
Share on other sites

Your system was infected with Poweliks, This is a typical malware that targets the core system of Windows in order to complete its tasks. Trojan.Poweliks was made to execute a series of commands once it gets inside the system. It will gather data like system settings, Windows version, network configuration, and so on. Collected data will be sent to remote attacker for analysis.

When we are sure your system is clean you will definitely have to change all paswords that are used on this system.....

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin.

 

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download ESET SMART  Installer during the process)

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add/on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the following options are checked:
 
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
 
Select "Change" next to Current scan targets A new window will open, select any extra drives, Flash drives etc as required.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Next,

 

There appears to be no anti-virus protection installed on your system, that will leave you very prone to infection the same or similar to what has just been remove.

 

Install Microsoft Security Essentials at your earliest convenience: http://windows.microsoft.com/en-GB/windows/security-essentials-download

 

post the log from ESET, also let me know if there are any remaining issues or concerns.....

 

Kevin..

Link to post
Share on other sites

Hey, Kevin,

 

Many thanks to the advice.

 

I think I was a bit too optimistic about my laptop. There actually are many threats found from the ESET scanner, which has been running for almost 24 hours and is still in progress. I'll post the log here as soon as it's complete.

 

 

Cheers!

Link to post
Share on other sites

Hey, Kevin,

 

Sorry to bother you again.

 

I think right now I'm stuck between a rock and a hard place. The ESET scanner has been running for 4 days which is at least 90 hours, yet the progress bar is still at 44% since the 2nd day. So far it has scanned more than 4 million files and found 71 infected. I did turn off all other anti-virus programme but had to use my laptop sometimes for internet. I attach a screenshot for you. Can you give me some advice here?

 

 

Many thanks!

post-174246-0-22467700-1412536710_thumb.

Link to post
Share on other sites

If you are using the laptop during the scan it will freeze or lock up, it can also freeze when identifying infections that may/will try to protect themselves...

 

Stop the eset scan and run the following:

 

1.Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

Image1.png

 

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

mbarwm.png

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.

 

Image2.png

 

7. The following image opens, select Update

 

Image3.png

 

8. When the update completes select Next.

 

Image4.png

 

9. In the following window ensure "Targets" are ticked. Then select "Scan"

 

Image5.png

 

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

MBAntiRKcleanA.png

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

Image6.png

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 


      Internet access
       Windows Update
      Windows Firewall

 

14.  If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log   Date and time of scan will also be shown

 

Thanks,

 

Kevin...

Link to post
Share on other sites

Hey, Kevin,

 

Thanks again for your reply.

 

I think I didn't quite express the matter very well. The ESET scanner didn't freeze or lock up. Well, it did 2 or 3 times but resumed scanning after some time. The scanning is ongoing because the number of files scanned keeps increasing. But the progress bar just never going beyond 44%. However, I still stop it because I don't want to sit in front of my laptop checking on the scanning during Christmas:-)(I'm afraid it might last that long)

 

I attach the ESET log it generated after exit.

 

The results from the MBAR scanning are also attached.

ESET.txt

system-log.txt

mbar-log-2014-10-05 (22-17-09).txt

Link to post
Share on other sites

thanks for the explanation, do the following:

 

Download tfc_icon.png TFC  to your desktop, from either of the following links

http://oldtimer.geekstogo.com/TFC.exe

http://itxassociates.com/OT-Tools/TFC.exe

 


  •    
  • Save any open work. TFC will close all open application windows.
       
  • Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.
       
  • If prompted, click "Yes" to reboot.

 

TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds.  TFC may re-boot your system, if not Re-boot it yourself to complete cleaning process <---- Very Important

 

next,

 

Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)

 

  • The file will be randomly named
  • Reboot to safe mode
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning
     
    drwebselect.JPG
     
  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats
     
    drwebfolders.JPG
     
  • Press start scan
  • The scan will now commence
     
    drwebscan.JPG
     
  • Once the scan has finished click open report
     
    drwebscancomplete.JPG
     
  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop

 

This log will be excessive,  Attach it to your next reply…

 

Thanks,

 

Kevin..

Link to post
Share on other sites

Love the screenie.....

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

If no remaining issues or concerns are we ok to close out...

 

Kevin....

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.