Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

avenger.txt and dllhost.exe infection


  • This topic is locked This topic is locked
7 replies to this topic

#1 HyperXTM

HyperXTM

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 22 September 2014 - 03:31 PM

Hello,
 

Got an infected computer (Windows XP SP3), Malwarebytes found multiple items and removed them, but the computer is still not usable, C:\ drive will be out of space quickly, filled by text file "avenger.txt".
CPU is bogged down by multiple "dllhost.exe" processes.
I can get some breathing room by running “taskkill /f /im dllhost.exe” from the command line.

How can I track this virus/rootkit and remove it?
 

Thank you for all the help!!!

 

DDS.txt log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.67.2
Run by TCiarlone at 15:24:35 on 2014-09-22
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3317.2399 [GMT -5:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {1D12A864-AFAE-40E6-885F-171E4D736BAF}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {11DB9795-C43C-4F68-8105-2D9F0F80BAD1}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {F6B8B6C3-1905-4B3B-9866-EF5BC44399C5}
.
============== Running Processes ================
.
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwisam.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Documents and Settings\TCiarlone\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\IBM\Lotus\Notes\nsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\TCiarlone\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Documents and Settings\TCiarlone\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwida.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\IBM\Lotus\Notes\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081124-2154\soffice.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [AESTFltr] c:\windows\system32\AESTFltr.exe /NoDlg
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [Client Access PC5250 Sound] "c:\program files\ibm\client access\emulator\pcssnd.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [CnwiDeviceAgent] c:\program files\canon\imageprografstatusmonitor\cnwida.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SODCPreLoad] c:\program files\ibm\lotus\notes\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081124-2154\preload.exe c:\progra~1\ibm\lotus\notes\data\worksp~1\.sodc\
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_9_900_117_ActiveX.exe -update activex
StartupFolder: c:\docume~1\tciarl~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\tciarlone\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagep~1.lnk - c:\program files\canon\imageprografstatusmonitor\cnwism.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - c:\tn.cmd
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://10.195.0.120:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://10.195.0.120:4343/officescan/console/html/root/AtxEnc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1338171088699
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1338171159949
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{A39835DB-893E-4853-B1B2-753EB28F2301} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{C8681933-889B-4384-9BD5-D0FE20D0843A} : DHCPNameServer = 209.18.47.61 209.18.47.62
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.120\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 10.195.0.4 usbedo01
Hosts: 10.195.0.4 usbesv04
Hosts: 10.195.0.5 usbesv02
Hosts: 10.195.0.5 notes/Belvedere/us
Hosts: 10.195.0.6 usbesv03
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2012-5-27 17904]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2012-6-4 87064]
R2 Canon imagePROGRAF Status Monitor;Canon imagePROGRAF Status Monitor;c:\program files\canon\imageprografstatusmonitor\cnwisam.exe -service --> c:\program files\canon\imageprografstatusmonitor\cnwisam.exe -service [?]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2011-1-26 826272]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2011-1-26 32160]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2012-5-27 13336]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2014-4-16 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2013-12-11 13624]
R2 LMIRescue_db390dbf-90ce-4baa-9385-fdca157846a9;LogMeIn Rescue (db390dbf-90ce-4baa-9385-fdca157846a9);c:\documents and settings\tciarlone\local settings\application data\logmein rescue applet\lmir0001.tmp\LMI_Rescue_srv.exe [2014-9-22 3079488]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2014-4-25 47640]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\ibm\lotus\notes\nsd.exe [2008-12-6 3315080]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2009-3-5 227352]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2012-5-28 61200]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2011-7-12 263968]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2011-7-12 36128]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2012-5-28 1737200]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys [2012-5-27 44144]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2012-5-27 113664]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2012-5-27 33832]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2012-5-28 11496]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [2012-5-27 7391744]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-11-19 62208]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-11-19 141568]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\o2mdrxp.sys [2012-5-27 61728]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjxp.sys [2012-5-27 63976]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2013-12-11 13408]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2010-1-7 689416]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=c:\windows\system32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2014-09-22 20:07:47 52440 ----a-w- c:\windows\system32\drivers\gkpo.sys
2014-09-18 16:17:55 -------- d-----w- c:\documents and settings\tciarlone\application data\smkits
2014-09-18 15:21:23 129 ----a-w- C:\tn.cmd
2014-09-18 13:02:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2014-09-17 19:05:14 -------- d-----w- c:\program files\ESET
2014-09-17 15:50:36 -------- d-----w- c:\documents and settings\all users\application data\NoVirusThanks
2014-09-17 14:03:39 -------- d-----w- c:\windows\ERUNT
2014-09-17 13:52:00 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-09-17 13:49:50 -------- d-----w- C:\AdwCleaner
2014-09-15 17:04:39 -------- d-----w- c:\windows\pss
2014-09-13 02:54:44 -------- d-----w- c:\documents and settings\tciarlone\local settings\application data\GHISLER
2014-09-13 02:46:12 545 ----a-w- c:\windows\UC.PIF
2014-09-13 02:46:12 545 ----a-w- c:\windows\RAR.PIF
2014-09-13 02:46:12 545 ----a-w- c:\windows\PKZIP.PIF
2014-09-13 02:46:12 545 ----a-w- c:\windows\PKUNZIP.PIF
2014-09-13 02:46:12 545 ----a-w- c:\windows\LHA.PIF
2014-09-13 02:46:12 545 ----a-w- c:\windows\ARJ.PIF
2014-09-13 02:46:11 -------- d-----w- C:\totalcmd
2014-09-13 02:46:11 -------- d-----w- c:\documents and settings\tciarlone\application data\GHISLER
2014-09-12 19:57:08 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-12 19:56:43 54232 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-12 19:56:43 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-12 19:56:43 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-12 19:56:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2014-09-12 19:29:28 -------- d-----w- c:\documents and settings\tciarlone\local settings\application data\LogMeIn Rescue Applet
2014-09-02 14:24:20 181272 ----a-w- c:\windows\RegBootClean.exe
2014-09-02 14:22:45 18944 ----a-w- c:\program files\internet explorer\version1.dll
.
==================== Find3M  ====================
.
2014-08-11 13:46:06 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-08-11 13:46:04 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-07-19 13:17:38 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-07-19 13:17:38 53064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2014-07-19 13:17:36 85832 ----a-w- c:\windows\system32\LMIinit.dll
2014-07-19 13:17:36 31560 ----a-w- c:\windows\system32\LMIport.dll
.
============= FINISH: 15:25:42.43 ===============
 

Attached Files



BC AdBot (Login to Remove)

 


#2 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:01 AM

Posted 24 September 2014 - 02:33 PM

Hello HyperXTM and Welcome to the BleepingComputer. :welcome:  

 

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
 

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you  were doing and describe the problems you encountered as precisely as  you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If  you haven't answered within 5 days, I am assuming that you don't need  help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all  malware. The cleaning process is not instant. Please continue to review  my answers until I tell you that your computer is clean
  • Please reply to this thread. Do not start a new topic
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

 

  • Please open as administrator  the computer. How is open as administrator  the computer?
  • Disable your AntiVirus and AntiSpyware applications, as they will  interfere with our tools and the removal. If you are unsure how to do  this, please refer to get help here

Thanks

---------------------------------------------------------------------------------------------------------

 

Are you still with us?

 

:hello:

 

Sincerely


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 HyperXTM

HyperXTM
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 24 September 2014 - 04:12 PM

Hello Yılmaz,

 

Thank you for your relpy. however I was able to remove the infection. It was a nasty tricky 'Poweliks'.

How do I close this thread?

 

Thanks!



#4 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:01 AM

Posted 24 September 2014 - 04:29 PM

Are you sure? Because it is a virus difficult Poweliks


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#5 HyperXTM

HyperXTM
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:01 PM

Posted 24 September 2014 - 04:41 PM

I'm not sure, what do you recommend?

#6 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:01 AM

Posted 25 September 2014 - 08:10 AM

I'm not sure, what do you recommend?

 

OK.

 

------------------

 

Please do the following

 

Step 1:

 

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
 
c:\windows\system32\drivers\gkpo.sys

c:\windows\RAR.PIF
 
Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.

 

Step 2:

 

Please be sure to run our tools with administrator rights.

Next, download ComboFix Save to the Desktop

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 

Have a nice day.


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#7 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:01 AM

Posted 28 September 2014 - 06:56 AM

Hello

 

3 Day Bump

It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#8 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:01 AM

Posted 30 September 2014 - 05:57 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users