Another Powelik problem

[wheelblur]

I have been battling this for a week or two and can't take it any more.  Com Surrogate gone wild.

 

N-360 keeps trapping the attack and I've run MBAM using the PUP, PUM settings. It trapped a program that I thought was reliable (MP3Tag.exe)

 

If possible, please review FRST files for a creation of a fixlist.  Thank you for all your help.

Addition.txt

FRST.txt

[MrCharlie]

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then...........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[wheelblur]

Thanks for the fast response.  How do I completely shut-down N-360 so that ComboFix can run?

[MrCharlie]

Run it in safe mode, MrC

[wheelblur]

Thanks.  See attached. Let me know if there are additional steps.

ComboFix.txt

Fixlog.txt

[MrCharlie]

Please download AdwCleaner from HERE or HERE to your desktop.

• Double click on AdwCleaner.exe to run the tool.

  Vista/Windows 7/8 users right-click and select Run As Administrator

• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Please uncheck elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you may want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
• If you're ready to clean it all up.....click the Clean button.
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted:
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Next..................

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

Next.........

Please run a Threat Scan (Malwarebytes)

Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine All that's found

MrC

[wheelblur]

Attached are the ADW log and JRT log.  Last MBAM did not quarantine anything. 

 

Still seeing multiple COM Surrogate processes running in Task Manager.  Any other steps or final advice?  Many thanks.

JRT.txt

AdwCleanerS0.txt

[MrCharlie]

Re-scan with FRST and Make sure the Addition Box is checked.

Post or attach the 2 logs FRST(64).txt and Addition.txt

Re-scan with RogueKiller (download a fresh copy) and post the log

MrC

[wheelblur]

Should I run each in Safe Mode?

[MrCharlie]

Regular mode if you can, MrC

[wheelblur]

See attached. I was able to run FRST in normal mode, but RogueKiller generated BSOD.  Log is from safe mode.

RKreport_SCN_10292014_190351.log

Addition.txt

FRST.txt

[MrCharlie]

The logs are clean, no more Poweliks.

 

MrC

[wheelblur]

Great news.  One last question, should I delete the Registry items flagged by RogueKiller?

[MrCharlie]

No. don't do that. No need to.

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• If you get Unsupported operating system. Aborting now, just reboot and try again.
• A Notepad document should open automatically called checkup.txt.
• Please Post the contents of that document.
• Do Not Attach It!!!

MrC

[wheelblur]

Bad news. I'm still getting powelik attacks blocked by N360 and MBAM.  dlhost.ext/Com Surrogate is swamping the system.  

 

Do I need to run the procedure for each user profile?

[MrCharlie]

Re-scan with FRST and Make sure the Addition Box is checked.

Post or attach the 2 logs FRST(64).txt and Addition.txt

Re-scan with RogueKiller and post the log

MrC

[wheelblur]

See attached, the FSRT logs. below is the RougeKiller log. These were run from another user profile on the infected machine. RogueKiller found a series of RootKit issues.  I have not taken any action
(delete) in RogueKiller, yet.  Shoudl I?

 

Thanks for your continued help.

 

 

RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Safe mode with network support
User : wwright [Administrator]
Mode : Scan -- Date : 11/01/2014  11:38:11

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 22 ¤¤¤
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD (\SystemRoot\system32\drivers\afd.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3206095894-3191672298-2259672374-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3206095894-3191672298-2259672374-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://my.earthlink.net/  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1849FF9D-ADB8-472E-91C5-2A3487616946} | DhcpNameServer : 68.28.82.91 68.28.68.132 [uNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E3C28006-86D8-4748-82D5-799152358708} | DhcpNameServer : 198.224.183.135 198.224.182.135 [uNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1849FF9D-ADB8-472E-91C5-2A3487616946} | DhcpNameServer : 68.28.82.91 68.28.68.132 [uNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E3C28006-86D8-4748-82D5-799152358708} | DhcpNameServer : 198.224.183.135 198.224.182.135 [uNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1849FF9D-ADB8-472E-91C5-2A3487616946} | DhcpNameServer : 68.28.82.91 68.28.68.132 [uNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E3C28006-86D8-4748-82D5-799152358708} | DhcpNameServer : 198.224.183.135 198.224.182.135 [uNITED STATES (US)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-3206095894-3191672298-2259672374-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 43 (Driver: Not loaded [0xc000035f]) ¤¤¤
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipFillRectangle : C:\Windows\system32\DUser.dll @ 0x7fefc4d9644
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipAlloc : C:\Windows\system32\DUser.dll @ 0x7fefc4d96d8
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipCreateFromHDC : C:\Windows\system32\DUser.dll @ 0x7fefc4d96f4
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetClipRect : C:\Windows\system32\DUser.dll @ 0x7fefc4d9710
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipDeleteGraphics : C:\Windows\system32\DUser.dll @ 0x7fefc4d972c
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipFree : C:\Windows\system32\DUser.dll @ 0x7fefc4d9748
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipCreateRegion : C:\Windows\system32\DUser.dll @ 0x7fefc4d9764
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetClip : C:\Windows\system32\DUser.dll @ 0x7fefc4d9780
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipIsClipEmpty : C:\Windows\system32\DUser.dll @ 0x7fefc4d979c
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetClipRegion : C:\Windows\system32\DUser.dll @ 0x7fefc4d97b8
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipDeleteRegion : C:\Windows\system32\DUser.dll @ 0x7fefc4d97d4
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipDeletePen : C:\Windows\system32\DUser.dll @ 0x7fefc4d97f0
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipCreateSolidFill : C:\Windows\system32\DUser.dll @ 0x7fefc4d980c
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipDeleteBrush : C:\Windows\system32\DUser.dll @ 0x7fefc4d9828
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipCloneBrush : C:\Windows\system32\DUser.dll @ 0x7fefc4d9844
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipCreatePen1 : C:\Windows\system32\DUser.dll @ 0x7fefc4d9860
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdiplusStartup : C:\Windows\system32\DUser.dll @ 0x7fefc4d987c
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdiplusShutdown : C:\Windows\system32\DUser.dll @ 0x7fefc4d9898
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetSmoothingMode : C:\Windows\system32\DUser.dll @ 0x7fefc4d98b4
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetPixelOffsetMode : C:\Windows\system32\DUser.dll @ 0x7fefc4d98d0
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetCompositingQuality : C:\Windows\system32\DUser.dll @ 0x7fefc4d98ec
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipResetWorldTransform : C:\Windows\system32\DUser.dll @ 0x7fefc4d9908
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipCreateMatrix2 : C:\Windows\system32\DUser.dll @ 0x7fefc4d9924
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipDeleteMatrix : C:\Windows\system32\DUser.dll @ 0x7fefc4d9940
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetWorldTransform : C:\Windows\system32\DUser.dll @ 0x7fefc4d995c
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSaveGraphics : C:\Windows\system32\DUser.dll @ 0x7fefc4d9978
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipRestoreGraphics : C:\Windows\system32\DUser.dll @ 0x7fefc4d9994
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipCreateMatrix : C:\Windows\system32\DUser.dll @ 0x7fefc4d99b0
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetCompositingMode : C:\Windows\system32\DUser.dll @ 0x7fefc4d99cc
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetCompositingMode : C:\Windows\system32\DUser.dll @ 0x7fefc4d99e8
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetCompositingQuality : C:\Windows\system32\DUser.dll @ 0x7fefc4d9a04
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetInterpolationMode : C:\Windows\system32\DUser.dll @ 0x7fefc4d9a20
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetInterpolationMode : C:\Windows\system32\DUser.dll @ 0x7fefc4d9a3c
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetSmoothingMode : C:\Windows\system32\DUser.dll @ 0x7fefc4d9a58
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetPixelOffsetMode : C:\Windows\system32\DUser.dll @ 0x7fefc4d9a74
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetTextContrast : C:\Windows\system32\DUser.dll @ 0x7fefc4d9a90
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetTextContrast : C:\Windows\system32\DUser.dll @ 0x7fefc4d9aac
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipSetTextRenderingHint : C:\Windows\system32\DUser.dll @ 0x7fefc4d9ac8
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetTextRenderingHint : C:\Windows\system32\DUser.dll @ 0x7fefc4d9ae4
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetWorldTransform : C:\Windows\system32\DUser.dll @ 0x7fefc4d9b00
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipTranslateRegionI : C:\Windows\system32\DUser.dll @ 0x7fefc4d9b1c
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipGetDC : C:\Windows\system32\DUser.dll @ 0x7fefc4d9b38
[iAT:Addr] (explorer.exe @ WINTRUST.dll) gdiplus.dll - GdipReleaseDC : C:\Windows\system32\DUser.dll @ 0x7fefc4d9b54

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 8d644e7c5c693d755a3000c51ed4ca8b
[bSP] 063a62e71de78b17a7f8e6de72a5b79e : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_DEL_10292014_203617.log - RKreport_DEL_10292014_203632.log - RKreport_SCN_10292014_190351.log - RKreport_SCN_10292014_203838.log

Addition.txt

FRST.txt

[MrCharlie]

Not everything that RogueKiller finds is bad.

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest in other tabs: (if found)

 

[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-3206095894-3191672298-2259672374-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

Now click Delete on the right hand column under Options

================================

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

================================

Download and run a fresh copy of ComboFix

================================

Clean out temp files:

Download TFC from here and save it to your desktop.

http://oldtimer.geekstogo.com/TFC.exe

http://www.bleepingcomputer.com/download/tfc/dl/92/

Close any open programs and Internet browsers.

Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.

Please be patient as clearing out temp files may take a while.

Once it completes you may be prompted to restart your computer, please do so.

Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

MrC

[wheelblur]

Latest FRST fixlog.  fingers crossed.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-11-2014

Ran by wwright at 2014-11-02 10:21:55 Run:2

Running from C:\Users\wwright\Desktop\Temp\FRST-OlderVersion

Loaded Profile: wwright (Available profiles: admin & wwright & ewright)

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

CustomCLSID: HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\wwright\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File

CustomCLSID: HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\wwright\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File

CustomCLSID: HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\wwright\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File

CustomCLSID: HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\wwright\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File

CustomCLSID: HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?

C:\Users\admin\AppData\Local\temp\dllnt_dump.dll

C:\Users\admin\AppData\Local\temp\Quarantine.exe

C:\Users\admin\AppData\Local\temp\sqlite3.dll

HKU\S-1-5-21-3206095894-3191672298-2259672374-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!

*****************

 

"HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => Key deleted successfully.

"HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => Key deleted successfully.

"HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => Key deleted successfully.

"HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}" => Key deleted successfully.

"HKU\S-1-5-21-3206095894-3191672298-2259672374-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.

C:\Users\admin\AppData\Local\temp\dllnt_dump.dll => Moved successfully.

C:\Users\admin\AppData\Local\temp\Quarantine.exe => Moved successfully.

C:\Users\admin\AppData\Local\temp\sqlite3.dll => Moved successfully.

"HKU\S-1-5-21-3206095894-3191672298-2259672374-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.

"HKU\S-1-5-21-3206095894-3191672298-2259672374-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.

 

==== End of Fixlog ====

[MrCharlie]

Did you run ComboFix and TFC????

 

Logs, MrC

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!