
Help with Poweliks virus/trojan


22 replies to this topic

#1 steve0000

steve0000

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 09 October 2014 - 07:58 PM

As requested the logs from DDS.

 

 

Attached Files





#2 steve0000

steve0000
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 09 October 2014 - 08:17 PM

Hello, I recently updated my iexplorer and must have contracted both the ZeroAccess virus and the Poweliks virus. I thought I was successful in removing them with the use of Malwarebytes, RogueKiller v10 and esnet, but I still continue to have multiple dllhost*32 processes start when I go on the internet. I noticed that my security settings get changed to "custom" and even my Task Manager is different, where I am unable to see any headings or process graphs. I have also noticed that some of my Word docs have weird symbols as the beginning letters and only have 1 KB values. Any help would be greatly appreciated, as I have hit a wall in trying to remedy this situation.

 

Addendum.

So I attempted to go online again and it did not do it, but I know it is there. I see it trying to initiate processes (e.g. dllhost, dllhost*32, conservice, consent) in the Task Manager; I end up shutting off my wifi and ending them.
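The symptom described in this post (extra dllhost*32 processes appearing as soon as the machine goes online) is the kind of thing a responder would want to inspect before ending the processes by hand. The PowerShell below is an added triage check, not a tool or script from this thread or from the Malware Response Team; it lists every running dllhost.exe with its parent process, image path and command line and flags the ones that do not look like a routine COM Surrogate. It assumes PowerShell 3 or later (for Get-CimInstance) and relies on the general observation, not stated in the thread, that a legitimate dllhost.exe normally lives in System32 or SysWOW64, is started by svchost.exe, and carries a /Processid:{GUID} argument.

```powershell
# Added triage check (not part of the thread): enumerate dllhost.exe instances
# and flag the ones that deviate from the normal COM Surrogate pattern.
# Assumptions (not from the thread): a legitimate dllhost.exe runs from
# System32/SysWOW64, is launched by svchost.exe, and has a /Processid:{GUID}
# argument. Run from an elevated prompt so CommandLine is visible for all users.

function Get-DllhostTriage {
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    foreach ($proc in ($all | Where-Object { $_.Name -ieq 'dllhost.exe' })) {
        $parent = $byId[[int]$proc.ParentProcessId]
        $cmd    = $proc.CommandLine
        $flags  = @()

        # A COM surrogate is normally started with /Processid:{CLSID}.
        if (-not $cmd -or $cmd -notmatch '/Processid:\{[0-9A-Fa-f-]+\}') {
            $flags += 'no /Processid argument'
        }
        # Normally the DCOM launcher (hosted in svchost.exe) is the parent.
        if ($parent -and $parent.Name -ine 'svchost.exe') {
            $flags += "parent is $($parent.Name)"
        }
        # The binary should come from the Windows system directories.
        if ($proc.ExecutablePath -and
            $proc.ExecutablePath -notmatch '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\dllhost\.exe$') {
            $flags += "unexpected path $($proc.ExecutablePath)"
        }

        [pscustomobject]@{
            Pid         = $proc.ProcessId
            ParentPid   = $proc.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            Path        = $proc.ExecutablePath
            CommandLine = $cmd
            Flags       = if ($flags.Count -gt 0) { $flags -join '; ' } else { 'normal COM surrogate pattern' }
        }
    }
}

Get-DllhostTriage | Format-Table -AutoSize -Wrap
```

A flagged row is a lead, not a verdict: the parent process, its own command line and the path it was started from are what a helper would ask for next, which is also the information the FRST log requested later in the thread captures.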



#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 11 October 2014 - 07:52 PM

Please download the appropriate version of Farbar Recovery Scan Tool (FRST.exe) from here:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (for 32bit systems)
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (for 64bit systems)
save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 steve0000

steve0000
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 12 October 2014 - 10:27 AM

Good morning, I have done what you instructed me to do. I had to run Malwarebytes to be able to download it; it found 8 infected files, which I deleted. This scan was run after that instance, so it is the most current.

 

Regards Steve

Attached Files



#5 steve0000

steve0000
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 12 October 2014 - 10:40 AM

Should I press fix Or wait?

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 12 October 2014 - 01:37 PM

Please do the following:

Download attached fixlist.txt file and save it to the Downloads folder as that is where you have FRST64.exe saved.

Attached File: FixList.txt (1.55KB, 16 downloads)

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 steve0000

steve0000
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 12 October 2014 - 03:25 PM

Here you go. I had to shut down my internet connection while doing it. If that is a problem, let me know and I will rescan.

 

Regards Steve

Attached Files



#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 13 October 2014 - 10:44 AM

That's looking better,

please run the following:

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run, please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 steve0000

steve0000
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 13 October 2014 - 12:37 PM

Hello CatByte,

 

I ran ComboFix as requested (see attached log). After running the fix, multiple security popups came up saying that "I'm leaving a secured connection" and "others may be able to see your information". Is this normal? Also, it did not reboot but asked me to make Internet Explorer my browser. Is this normal, or is it the bastard virus trying to claw its way back into my CPU?

 

Regards Steve

Attached Files



#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 13 October 2014 - 12:49 PM

Yes, that is normal. Malware can often change default settings, so the browser is reset to default; just choose whatever browser you wish and make it default.

 

The  "secure setting" notification means the following:

http://ask-leo.com/what_does_leaving_a_secure_internet_connection_mean.html

 

NEXT

 

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.

  • Right-mouse click JRT.exe and select Run as administrator

  • The tool will open and start scanning your system.

  • Please be patient as this can take a while to complete.

  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

  • Post the contents of JRT.txt into your next message

 

NEXT

 

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Scan

  • If items are found, please select the Clean button

  • Once done it will ask to reboot, allow the reboot

  • On reboot a log will be produced, please attach the content of the log to your next reply


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 steve0000

steve0000
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 13 October 2014 - 01:10 PM

Done and done, logs attached.

Attached Files



#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 13 October 2014 - 01:45 PM

Please run Malwarebytes, allow it to update, then remove anything found, reboot the PC and attach the new log.

 

Please advise how the computer is running now and if there are any outstanding issues.


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 steve0000

steve0000
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 13 October 2014 - 02:33 PM

Ran Malwarebytes, nothing found. Computer is working much better at this time. I attached a png of Word documents that have odd symbols; what do you make of it? Is this the virus hiding in these files? Any suggestions (e.g. security) regarding not having this happen again would be greatly appreciated.

 

Regards Steve  

Attached Files



#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:51 AM

Posted 13 October 2014 - 05:30 PM

Those files are an indication of hidden files in use, so they are normal (your hidden files and folders are likely showing; you can reset them back to hidden).

 

No amount of security programs can stop everything, unfortunately. As long as you have real-time protection (Malwarebytes), a good AV and the Windows firewall, and are behind a secure router (beef up the password), then you just need to be careful where you visit, what you click on and what you download.

 

Avoid cracks, keygens and peer to peer, you might want to look into Malwarebytes AntiExploit as well.

 

Please run the following:

 

Please run a free online scan with the ESET Online Scanner.

 

US Link: http://www.eset.com/us/online-scanner/

EU Link: http://www.eset.eu/online-scanner/

 

Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Attach the log to your next reply.
  • Close the ESET online scan, and let me know how things are now.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 steve0000

steve0000
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 13 October 2014 - 09:08 PM

Well, that took a while, about 2 hrs, and I thought I was free and clear, but apparently not.

Attached Files


