Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware infection: unknown but suspect sysWOW64


  • Please log in to reply
3 replies to this topic

#1 msichmeller

msichmeller

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:08 PM

Posted 08 January 2015 - 02:38 PM

My system spins up multiple instances of processes such as dllhost.ext, systray.exe, dvdupgrd.exe, etc. These consume a huge amount of CPU and RAM resources. They mosly only run when connected to the internet. Their file location is C\Windows\sysWOW64 (I'm running a 64bit version of Windows 7).  I also see a variety of malware attempts caught by my antivirus (avast) -- identified as websites tarteting Internet Explorer (even when it isn't open). I've tried antivirus/malware scans with avast and a few other free programs (malwarebytes, panda). I'm currently just running avast and a zonealarm firewall. I have an upgrade for Windows 8.1 but haven't wanted to do that until these issues are resolved (unless that would resolve them). This is a new computer (about 3 weeks old). So far I only have a few games on it including some Skyrim mods -- just a few common ones though, nothing obscure. The problem only started a few days ago though, well after the games and mods were installed. I suspect something got through zonealarm/avast while I was browsing the web. Thank you in advance for any help!

Edit: Topic moved from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum.~ Animal

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,663 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:08 PM

Posted 08 January 2015 - 06:25 PM

Welcome aboard p22002758.gif

 

Please download Powelikscleaner (by ESET) and save it to your Desktop.

1. Double-click on ESETPoweliksCleaner.exe to start the tool.

2. Read the terms of the End-user license agreement and click Agree.

3. The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.

newtool1_zpsa1caa06e.png

4. If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.

newtool2_zps0e6d39b1.png

The tool will produce a log in the same directory the tool was run from.

Please copy and paste the log in your next reply.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 msichmeller

msichmeller
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:08 PM

Posted 08 January 2015 - 11:58 PM

I ran the program as instructed and my computer seems to behaving as it should now =) Here is the log file from ESET. Thank you very much!

 

[2015.01.08 22:53:53.942] - Begin
[2015.01.08 22:53:53.942] -
[2015.01.08 22:53:53.942] -     ....................................
[2015.01.08 22:53:53.943] -   ..::::::::::::::::::....................
[2015.01.08 22:53:53.943] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Poweliks
[2015.01.08 22:53:53.945] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.0.0.1
[2015.01.08 22:53:53.945] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Oct 15 2014
[2015.01.08 22:53:53.946] -  .::EE:::::::::::::SS:.EE..........TT......
[2015.01.08 22:53:53.947] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2015.01.08 22:53:53.947] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2015.01.08 22:53:53.947] -     ....................................
[2015.01.08 22:53:53.947] -
[2015.01.08 22:53:53.947] - --------------------------------------------------------------------------------
[2015.01.08 22:53:53.948] -
[2015.01.08 22:53:53.948] - INFO: OS: 6.1.7601 SP1
[2015.01.08 22:53:53.948] - INFO: Product Type: Workstation
[2015.01.08 22:53:53.948] - INFO: WoW64: True
[2015.01.08 22:53:53.949] - INFO: Machine guid: 1690E88B-8CC7-4008-8DBA-8E2483652AD8
[2015.01.08 22:53:53.949] -
[2015.01.08 22:53:56.787] - INFO: Scanning for system infection...
[2015.01.08 22:53:56.787] - --------------------------------------------------------------------------------
[2015.01.08 22:53:56.787] -
[2015.01.08 22:53:56.787] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.08 22:53:56.788] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.08 22:53:56.788] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.08 22:53:56.788] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.08 22:53:56.788] - INFO: Processing classes...
[2015.01.08 22:53:56.789] - INFO: Processing clsid [\Registry\User\S-1-5-21-1740316678-711221479-1057055317-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.08 22:53:56.789] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-1740316678-711221479-1057055317-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.08 22:53:56.789] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.08 22:53:56.790] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.08 22:53:56.790] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.08 22:53:56.790] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.08 22:53:56.790] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.08 22:53:56.790] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.08 22:53:56.790] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.08 22:53:56.790] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.08 22:53:56.790] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.08 22:53:56.790] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2015.01.08 22:53:56.791] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.08 22:53:56.792] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.08 22:53:56.792] - INFO: Win32/Poweliks found
[2015.01.08 22:54:04.593] - INFO: process: dllhost.exe, pid 3444, parent 3232
[2015.01.08 22:54:10.006] - INFO: Terminated process pid = 3444
[2015.01.08 22:54:10.007] - INFO: process: dllhost.exe, pid 5548, parent 3444
[2015.01.08 22:54:10.007] - INFO: Terminated process pid = 5548
[2015.01.08 22:54:10.007] - INFO: process: dllhost.exe, pid 2952, parent 5548
[2015.01.08 22:54:10.007] - INFO: Terminated process pid = 2952
[2015.01.08 22:54:10.007] - INFO: process: dllhost.exe, pid 13528, parent 5548
[2015.01.08 22:54:10.008] - INFO: Terminated process pid = 13528
[2015.01.08 22:54:10.008] - INFO: process: dllhost.exe, pid 15160, parent 484
[2015.01.08 22:54:10.008] - INFO: Terminated process pid = 15160
[2015.01.08 22:54:10.008] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.08 22:54:10.009] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.08 22:54:10.009] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.08 22:54:10.009] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.08 22:54:10.009] - INFO: Processing classes...
[2015.01.08 22:54:10.010] - INFO: Processing clsid [\Registry\User\S-1-5-21-1740316678-711221479-1057055317-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.08 22:54:10.010] - INFO: Deleted classid [\Registry\User\S-1-5-21-1740316678-711221479-1057055317-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.08 22:54:10.010] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.08 22:54:10.010] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.08 22:54:10.010] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.08 22:54:10.010] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.08 22:54:10.010] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.08 22:54:10.010] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.08 22:54:10.011] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.08 22:54:10.011] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.08 22:54:10.011] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.08 22:54:10.011] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2015.01.08 22:54:10.011] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.08 22:54:10.011] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.08 22:54:10.011] - INFO: Cleaning status: 0
[2015.01.08 22:54:18.682] - End



#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,663 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:08 PM

Posted 09 January 2015 - 06:33 PM

Very good :)

 

Let's run couple more scans to make sure your computer is totally clean.

 

p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
  • List Restore Points

Click Go and post the result.

p22002970.gif Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.



If you already have MBAM 2.0 installed:

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


How to get logs:
(Export log to save as txt)


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.



(Copy to clipboard for pasting into forum replies or tickets)

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.


p22002970.gifDownload 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit (MBAR) to your desktop.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"


NOTE. If you see This version requires you to completely exit the Anti Malware application message right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.

p22002970.gif Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.
Do NOT use spoilers.
Do NOT edit your reply to post additional logs. Create new reply. I'll not get any email notifications about edits so I won't know you posted something new.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users