Jump to content

Multiple dllhost.exe and I apparently have the Poweliks virus with a popup that states "Malicious Website Blocked


Tybeau

Recommended Posts

From everything I'm reading in other posts it appears that I may have the dreaded Poweliks virus.   I constantly have Malwarebytes blocking malicious website "fffSee.com and other IP addresses, as well as multiple dllhost.exe which are chewing up processor utilization.

I read other posts as well and have attempted to download Rogueware, however, I'm fairly certain that whatever this is is blocking any downloads now as well as I cannot download anything anymore.

I'm still running Vista on this computer...yes, it's old but its what I have. 

To protect myself I've disconnected that computer from the internet.  

Now what?  

Link to post
Share on other sites

Hello and post-32477-1261866970.gif

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Thanks,

 

Kevin...

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt. Where n in the scan reference number

 

Next,

 

thisisujrt.gif Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts. (re-enable when done)
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en'>https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

 

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window

In the "Scan Type" window, select Quick Scan

Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

 

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

 

notepad c:\windows\debug\mrt.log

 

Let me see those logs, also give an update on any remaining issues or concerns...

 

Thanks,

 

Kevin...

 

 

 

Fixlist.txt

Link to post
Share on other sites

Malwarebytes scan log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/20/2014
Scan Time: 7:17:04 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.20.07
Rootkit Database: v2014.10.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Paul

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 341688
Time Elapsed: 32 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Link to post
Share on other sites

Last log file for you.  

Now, I only have one question.   Where did this come from?  

I'm not one who opens strange files or clicks on links that I don't know.

The good news is I'm not getting having any of the issues I reported initially.

Thanks for your help.  I bow in your general direction.

 

mrt.log

Link to post
Share on other sites

Thanks for the update and logs, read the following two links to understand more about the Poweliks Exploit/Infection:

 

http://www.ibtimes.co.uk/new-poweliks-stealth-fileless-malware-prowl-hides-within-your-systems-registry-undetected-1459738

 

https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html

 

Brief quote from second link gives the usual entry point for this nasty infection:

 

 

As the entry point, they exploit a vulnerability in Microsoft Word with the help of a crafted Word document they spread via email. The same approach would work with any other exploit.

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin.

 

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download ESET SMART  Installer during the process)

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add/on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the following options are checked:
 
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
 
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply. also give an update on any remaining issues or concerns....

 

Thanks,

 

Kevin...

Link to post
Share on other sites

Leave ESET, run DrWeb....

 

dr_web_cureit_zpse80d87bf.jpg

 


Please download Dr.Web CureIt! antivirus and save it to your computer. The file size is in excess of 100MB (scroll to bottom of page for free version)
NOTE: Free usage of Dr.Web CureIt! for business purposes is illegal.
Internet Explorer may show a warning when downloading - the file is safe to download from the provided link.
Shutdown your antivirus to avoid any conflicts while scanning.
Once the scans have completed please re-enable your antivirus.
If using Malwarebytes Anti-Malware PRO you can right click over the tray icon and disable the Protection Modules
If needed you can also temporarily disable it from starting with Windows
Temporarily turn off any other security add-ons or applications you may also have.
Once you have downloaded Dr.Web CureIt! you should right click over it and choose Properties and verify it has a Digital Signature.
If it does not have a Digital Signature then do not run it.
Close all open programs including all Web browsers and then double-click on drweb-cureit.exe to start the installer.
You should have your User Account Control (UAC) enabled for improved security and which should then produce a dialog box asking for approval to run the installer.
Click on the Yes button to start the installer.
Click OK to scan your computer in the Enhanced Protection Mode
Click on the check box to agree to participate in their software improvement program.
Then if needed choose your Language by clicking on the small globe like icon in the upper right corner by the wrench.
Then click on the Continue button and then click on the Select objects for scanning link just below the "Start scanning" button.
Place a check mark on all the items except for Temporary files and System restore points - those items should not have a check mark on them.
Then click on the Start scanning button.
If a threat is found you can click on the Action column in the program.
Your options will be Cure or Ignore
If you see an item that you are absolutely sure is OK, then un-check the check box for that item, otherwise keep it on Cure.
Then click on the Neutralize button.
Once completed click on the green Open Report link. It will open the report in NOTEPAD
Save the report to your desktop. The report will be called Cureit.log
Close Dr.Web Cureit!
Reboot your computer to allow files that were in use to be moved/deleted during reboot.
After reboot, attach the log Cureit.log you saved previously in your next reply.
Re-Enable your antivirus and other security programs when all done.

Link to post
Share on other sites

Thanks for the log, what is the current status of your system, any remaining issues or concerns. If none run the following to clean up:

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if we can close out...

 

Kevin..

Link to post
Share on other sites

Well, my system appears to be back to normal.   Old and slow. 

Can't thank you enough for all the help!  One thing just as an fyi....I read that information on the Poweliks virus and evidently they have found another way to infect pc's.....as I haven't opened or received a word document on this computer in ages.  Have no idea how I managed to get infected.

Once again, thank you for all your assistance.   I will definitely be making a donation to the "cause".  

You can close this out.   If anything else comes up I will open a new thread.

 

Paul

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.