
Trojan.Poweliks!gm


fr8pil8


Norton 360 first identified this infection on Nov 6 and has "removed the infection" two or three times a day since.  Unfortunately, their removal doesn't work.  I am experiencing the multiple dllhost.exe processes.  At one point today, one of them was using in excess of 900,000 K of memory, with two others above 400,000 K.  Memory usage was above 95% for several minutes.  Malwarebytes has not reported it.  I am using Vista 32.  After researching this topic I can see that I need help from a pro...


Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 

1. Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

Last................

3. Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM


Running in Normal windows mode the Threat scan that normally takes about 30 minutes ran a whopping 3+20.  Nothing was found.  As a side note, the PUM.BadProxy that you and I tried to get rid of several months ago is an exclusion to the scan.  I included the protection log for today along with the Threat scan.  I'll get right to work on your other instructions.

11Nov Scan2.txt

MBThreatScan11-12.txt


Please do this:

Download, update and run Malwarebytes Anti-Rootkit:

https://malwarebytes.app.box.com/s/xiaxsbl4cjdyyqx5wp8q 

Run it as Administrator! (right click..run as administrator)

Note: If you have Malwarebytes Pro it must be disabled to run MBAR

Right click on the Malwarebytes icon in the system tray and un-check "Start with Windows". Re-boot and run MBAR.

Don't forget to re-enable it when done.

=====================

Then............

Download and run this tool on every user:

http://kb.eset.com/esetkb/index?page=content&id=SOLN3587 <---Poweliks

Last.......

Please re-scan with FRST and Make sure the Addition Box is checked.

Post or attach the 2 logs FRST(64).txt and Addition.txt

MrC


Disregard the last msg...tried to download FRST from your link and got a "you can't do that" boxed msg:  C:\Users\....\Downloads\FRST.exe is not a valid Win32 application.  Then I found the original link to FRST32 on the Bleepingcomputer site and got the same message.  I think this malware is driving this message.  I know it won't let me run CCleaner nor will it let me use windows system restore.  I'll try again in safe mode and see if that makes a difference.


That did the trick, although the malware still affects the computer (1,500,000K in dllhost items)  The scan hung up when it was trying to look at restore points.  After 5 min I tried to shut the program down, but somehow that got it to continue.  Here are the logs...

Addition_12-11-2014_20-20-58.txt

FRST_12-11-2014_20-21-06.txt


RogueKiller V10.0.5.0 [Nov 11 2014] by Adlice Software

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User : Al & Mindy [Administrator]

Mode : Scan -- Date : 11/12/2014  20:39:34

 

¤¤¤ Processes : 2 ¤¤¤

[Tr.Poweliks] dllhost.exe -- [x] -> Killed [TermProc]

[Tr.Poweliks] dllhost.exe -- C:\Windows\system32\dllhost.exe[7] -> Killed [TermThr]

 

¤¤¤ Registry : 28 ¤¤¤

[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD (\SystemRoot\system32\drivers\afd.sys) -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\Users\AL&MIN~1\AppData\Local\Temp\catchme.sys) -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SessionLauncher (C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe) -> Found

[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found

[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> Found

[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found

[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found

[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found

[PUM.SearchPage] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found

[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0339F91D-C799-4867-915D-12085C363670} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found

[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 2  -> Found

[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Found

[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 2  -> Found

[PUM.StartMenu] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found

[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_CFCE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_E_CFCE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

[Tr.Poweliks] HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

 

¤¤¤ Tasks : 0 ¤¤¤

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ Hosts File : 1 ¤¤¤

[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

 

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0:  +++++

--- User ---

[MBR] aba52d45b8e1f2adf216397c6e932b8c

[bSP] 15aa431f21a280c81d2601e5a5773708 : HP MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB

1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 129024 | Size: 15360 MB

2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31586304 | Size: 525312 MB

3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1107425280 | Size: 174666 MB

User = LL1 ... OK

Error reading LL2 MBR! ([57] The parameter is incorrect. )

 

+++++ PhysicalDrive1:  +++++

--- User ---

[MBR] 15185c225eb6fb0a3de71f124a83710c

[bSP] adb3bbbedcdedb86cfcfedec2cb79c0a : Empty MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB

User = LL1 ... OK

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive2:  +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive3:  +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive4:  +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive5:  +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

 

============================================

RKreport_DEL_07082014_161306.log - RKreport_DEL_07082014_161932.log - RKreport_DEL_07082014_171247.log - RKreport_DEL_07112014_205900.log

RKreport_SCN_07062014_124132.log - RKreport_SCN_07082014_135217.log - RKreport_SCN_07082014_155330.log - RKreport_SCN_07082014_161843.log

RKreport_SCN_07082014_170715.log - RKreport_SCN_07082014_173605.log - RKreport_SCN_07092014_171156.log - RKreport_SCN_07112014_103613.log

RKreport_SCN_07112014_205735.log


When I hit the reports button this web page came up also:  http://www.adlice.com/poweliks-removal-with-roguekiller/


I didn't follow the advice given as I'm going to stick with your analysis and see if we can lick this thing; however, I didn't know if you had seen this link.


tigzy Post author

10/24/2014 at 12 h 20 min

The process is the following:
– Scan with RogueKiller (do not close at the end!)
– Kill all dllhost processes
– Remove with RogueKiller
– Reboot immediately.

Some forum thread that may help: http://forum.adlice.com/index.php?topic=215.0


Ran MBAR...it found two infections in the Registry and the final step (CLEAN, I believe it said) seems to have deleted the problem files.  Next ran ESET...it found no problems.  Lastly, reran FRST and have attached the files.  One thing to note here, I use Norton 360 Antivirus.  The first time I ran FRST this morning there was no conflict.  Tonight Norton's Sonar sensor sent the FRST.exe file to quarantine when I tried to run the program.  I forced a Restore, turned off Norton and ran FRST.  

 

Seems like things are back to normal.  I'll recheck in the a.m. and get back to you.

 

Thanks

Addition.txt

FRST.txt


Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

===========================

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Next..................

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Next.........

Please Update and run a Threat Scan (Malwarebytes)

Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine All that's found

MrC


# AdwCleaner v4.101 - Report created 13/11/2014 at 10:58:15

# Updated 09/11/2014 by Xplode

# Database : 2014-11-12.2 [Live]

# Operating System : Windows Vista Ultimate Service Pack 2 (32 bits)

# Username : Al & Mindy - RUSTRANCH

# Running from : C:\Users\Al & Mindy\Desktop\AdwCleaner.exe

# Option : Clean


***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.7

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.0.7

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094


***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16584

-\\ Mozilla Firefox v33.1 (x86 en-US)

-\\ Google Chrome v38.0.2125.111

*************************

AdwCleaner[R0].txt - [1159 octets] - [13/11/2014 10:50:18]

AdwCleaner[s0].txt - [1086 octets] - [13/11/2014 10:58:15]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1146 octets] ##########

Ran JRT twice, but neither run generated a log.  Redownloaded JRT and ran it again with the same result--no log.  In all three runs neither the "Registry B/U" check nor the "Start-up" showed any result except:  "cannot find the specified path".  Going down the rest of the categories the program closed after it had spent a minute or so checking the "Registry" category.

 

Threat scan showed no problems.  The multiple dlls have not shown up so far today.  It's interesting, though, that Norton360 was still advising me this morning that it was detecting the malware.


Can't get a text file except in binary form.  I can't open .mcf files, but I tried to attach Norton's Quarantine Log in that format. Unfortunately, I get an error msg: "you aren't permitted to upload this kind of file".

 

Essentially, the log shows that Trojan.Poweliks!gm was detected by their Auto-Detect mode and was Quarantined FOUR times today (45 times yesterday).

 

The file names today were:

00017421.tmp.xbad
00012316.tmp.xbad
00017035.tmp
00024370.tmp


More tinkering and found a way to get the info to the clipboard:


Filename: 00017421.tmp.xbad
Threat name: Trojan.Poweliks!gm
Full Path: c:\frst\quarantine\c\windows\system32\00017421.tmp.xbad

____________________________

Details
Unknown Community Usage,  Unknown Age,  Risk High

Origin
Downloaded from: Unknown

Activity
Actions performed: 98

____________________________

On computers as of: Not Available
Last Used: 11/13/2014 at 11:33:29 AM
Startup Item: No
Launched: No

____________________________

Unknown
It is unknown how many users in the Norton Community have used this file.

Unknown
This file release is currently not known.

High
This file risk is high.

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

____________________________

Source: External Media

____________________________

File Actions

File: c:\frst\quarantine\c\windows\system32\ 00017421.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00024626.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00009741.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00016118.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00024084.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00008723.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00022929.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00012859.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00016944.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00027644.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00015890.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00014771.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00016827.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00027529.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00032439.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00031101.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00025667.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00025547.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00007711.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00015141.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00027446.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00012623.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00005537.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00019629.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00009961.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00029658.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00022648.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00011942.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00019895.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00018756.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00026777.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00020037.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00026308.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00031115.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00019954.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00017673.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00005829.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00016541.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00022386.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00023811.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00019718.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00021538.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00006270.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00031322.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00009894.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00007376.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00006729.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00011840.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00013977.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00032391.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00028253.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00032757.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00019072.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00013931.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00030333.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00015350.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00009040.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00023805.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ yhyfaule.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00011323.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00011538.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00012382.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00015573.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00019264.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00026299.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00024393.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00019912.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00022190.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00009930.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00028703.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00032662.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00006868.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00015006.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00018716.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00030106.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00026924.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00022704.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00021726.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00031673.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00014604.tmp.xbad Removed

File: c:\frst\quarantine\c\windows\system32\ 00028745.tmp.xbad Removed

____________________________

Registry Actions

Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1005\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ localserver32 Removed

Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1005\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

Registry change: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32->a Removed

Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1000\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

Registry change: HKEY_USERS\S-1-5-21-4019566695-2349307630-1478826107-1005\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

Registry change: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ localserver32 Removed

____________________________

File Thumbprint - SHA:
33035762c5d37e4ea67d82d13e8d1e9e23ff8b5c26452d70651da04ca14a3333

File Thumbprint - MD5:
Not available
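The RogueKiller log earlier in the thread flagged two dllhost.exe processes plus a per-user CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 key, and the Norton quarantine log above lists the removal of LocalServer32 entries for that CLSID and for {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} across several user hives. The following PowerShell triage script is an added example, not code from this thread or from RogueKiller, Norton, FRST or any other tool it mentions. It only reads and reports: it lists any LocalServer32 key for those two CLSIDs in HKLM and in every hive currently loaded under HKEY_USERS (the per-user copies are what both logs flagged; the HKLM entry is shown alongside for comparison), and it lists dllhost.exe processes by working set, the thread's visible symptom. The 200 MB working-set threshold is an assumed figure for illustration, and the script sticks to PowerShell 2.0 features so it can run on the Vista system discussed here; run it from an elevated prompt so other users' hives and processes are visible.

```powershell
# Added example for this thread (not code from the forum, RogueKiller, Norton, FRST or any other tool mentioned).
# Read-only triage: it reports the indicators the thread's logs show and changes nothing.
# Written against PowerShell 2.0 features so it can run on the Vista system discussed here.

# The two CLSIDs whose LocalServer32 keys the RogueKiller and Norton logs in this thread flagged.
$PoweliksClsids = @(
    '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}',
    '{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}'
)

# Assumed threshold for this example; the thread reported dllhost.exe at 400,000-900,000 K and more.
$WorkingSetThresholdMB = 200

function Get-ClsidLocalServerKeys {
    # Looks for <root>\Software\Classes\CLSID\<clsid>\LocalServer32 in HKLM and in every hive
    # currently loaded under HKEY_USERS (only logged-on users, .DEFAULT and service SIDs are visible).
    param([string[]]$ClsidList = $PoweliksClsids)

    $roots = @('HKEY_LOCAL_MACHINE')
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object { "HKEY_USERS\$($_.PSChildName)" }

    foreach ($root in $roots) {
        foreach ($clsid in $ClsidList) {
            $keyPath = "Registry::$root\Software\Classes\CLSID\$clsid\LocalServer32"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }

            $key = Get-Item -LiteralPath $keyPath
            $names = @($key.GetValueNames())
            if ($names.Count -eq 0) { $names = @('') }   # still report a key that has no values
            foreach ($name in $names) {
                $data = [string]$key.GetValue($name)
                $label = $name
                if ($name -eq '') { $label = '(default)' }
                New-Object PSObject -Property @{
                    Root        = $root
                    Clsid       = $clsid
                    ValueName   = $label
                    DataLength  = $data.Length
                    # Only a short preview is printed; a long blob of encoded data here is itself worth noting.
                    DataPreview = $data.Substring(0, [Math]::Min(60, $data.Length))
                }
            }
        }
    }
}

function Get-DllhostWorkingSets {
    # Lists every dllhost.exe with its working set and flags those above the threshold; the
    # thread's symptom was several dllhost.exe instances holding hundreds of MB each.
    param([int]$ThresholdMB = $WorkingSetThresholdMB)

    foreach ($p in @(Get-Process -Name dllhost -ErrorAction SilentlyContinue)) {
        $mb = [Math]::Round($p.WorkingSet64 / 1MB, 1)
        $flag = ''
        if ($mb -ge $ThresholdMB) { $flag = 'ABOVE THRESHOLD' }
        New-Object PSObject -Property @{
            Id           = $p.Id
            WorkingSetMB = $mb
            Flag         = $flag
        }
    }
}

# Run both checks and print the results.
Write-Host '== LocalServer32 keys for the CLSIDs flagged in this thread =='
$keys = @(Get-ClsidLocalServerKeys)
if ($keys.Count -eq 0) { Write-Host 'none found in loaded hives' } else {
    $keys | Format-Table Root, Clsid, ValueName, DataLength, DataPreview -AutoSize
}

Write-Host "== dllhost.exe working sets (threshold $WorkingSetThresholdMB MB) =="
Get-DllhostWorkingSets | Format-Table Id, WorkingSetMB, Flag -AutoSize
```

Because only loaded hives appear under HKEY_USERS, a per-user key belonging to an account that is not logged on will not be listed; that is why the Norton log above shows entries for several SIDs that a single-user scan would miss. A hit for a user hive is the thing to take to a helper for removal; the script deliberately does not delete anything.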

You're OK.....what it's finding are files already quarantined by FRST.

 

If there's no other problems.............

 

Let's check your computer's security before you go, and we have a little cleanup to do also:
 
Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
If you get Unsupported operating system.  Aborting now, just reboot and try again.
A Notepad document should open automatically called checkup.txt.
Please Post the contents of that document.
If you can't post it, attach it

MrC

Working on it MrC...as I was downloading Security Check the computer started acting up (downloads section froze and no other windows would open (not responding)).  Then all my icons disappeared from the desktop.  They finally came back a few minutes later and then disappeared again.  My desktop was unresponsive so I shut down the system with the power button.  After restart the computer started a CHKDSK program.  Get the scan done as soon as things get back to normal...soon I hope!


OK, got Security Check going.  It seems to have stopped working although Task Mgr says it's running.  For the last 20 minutes it has been "Performing System Health Check".  Is this normal?  I don't hear the hard drive spinning and CPU use is less than 10%.


OK, forget that then.

I looked through the logs and it appears most of your programs are up-to-date.

Just make sure your Flash Player is the latest version:

Flash Player:
Check for an update if available
Downloads are at the top of the page. (don't install the McAfee toolbar)

Java: I don't see it installed but if you ever do:
Download and install the latest version (Java™ 8 Update 25) from Here. Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

The rest is OK

==================================

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter. (it may look like CF is re-installing but it's not)
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


This topic is now closed to further replies.