
System Infected: Trojan.Zbot Activity 15


22 replies to this topic

#1 Beckianne

Posted 17 January 2015 - 10:40 AM

I have gotten this message several times in the past few days from my Norton Internet Security:

 

An intrusion attempt by c71585.com was blocked. 
IPS Alert Name: System Infected: Trojan.Zbot Activity 15
Default Action:  No Action Required.
Action Taken: No Action Required
Attacking Computer:  c71585.com (31.184.194.6,80)
Attacker URL:  c71585.com/z
Destination Address:  Becky-PC (192.168.1.110,49216)
Source Address:  31.184.194.6 (31.184.194.6)
Traffic Description:  TCP, www-http

Network traffic from c71585.com/z matches the signature of a known attack. 
The attack was resulted from \Device\Harddiskvolume2\Windows\Syswow64\dllhost.exe

 

Also, I've noticed in Task Manager an instance of a process called dllhost.exe using 40,300K +/- of memory that, when I right-click it, won't let me open "Properties" or "Open file location".
Also, an instance of csrss.exe for which I can't open any right-click options.
Also, an instance of winlogon.exe for which I can't open any right-click options. I'm not sure if that's normal or not - I can access all the right-click options on all other processes that are running.

 

I run Windows 7 Home Premium on an HP s560310; AMD Sempron 140 Processor 270 GHz on a 64-bit operating system. I'd love to get rid of this if my system is truly infected. Many thanks!




#2 buddy215 (BC Advisor)

Posted 17 January 2015 - 11:12 AM

Use the programs below to find and remove adware and malware.

 

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE MBAM LOG FOR REVIEW.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download


  • download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Hold down Control and click on this link to open ESET OnlineScan in a new window. (Eset can take more than an hour to run so plan accordingly)

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 Beckianne (Topic Starter)

Posted 17 January 2015 - 01:51 PM

Results of Malwarebytes scan:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/17/2015
Scan Time: 1:23:38 PM
Logfile: MBAM scan results.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.17.04
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Becky

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 382921
Time Elapsed: 19 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

#4 Beckianne (Topic Starter)

Posted 17 January 2015 - 02:29 PM

AdwCleaner log:

# AdwCleaner v4.108 - Report created 17/01/2015 at 14:19:20
# Updated 17/01/2015 by Xplode
# Database : 2015-01-13.2 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Becky - BECKY-PC
# Running from : C:\Users\Becky\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

File Deleted : C:\Windows\Reimage.ini

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : [x64] HKLM\SOFTWARE\Reimage

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.17183

-\\ Mozilla Firefox v

*************************

AdwCleaner[R0].txt - [1188 octets] - [19/11/2014 10:58:37]
AdwCleaner[R1].txt - [850 octets] - [26/11/2014 13:32:55]
AdwCleaner[R2].txt - [1427 octets] - [17/01/2015 14:16:51]
AdwCleaner[S0].txt - [1215 octets] - [19/11/2014 11:12:05]
AdwCleaner[S1].txt - [1356 octets] - [17/01/2015 14:19:20]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1416 octets] ##########



#5 Beckianne (Topic Starter)

Posted 17 January 2015 - 02:44 PM

Junkware Removal Tool log:

Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Home Premium x64
Ran by Becky on Sat 01/17/2015 at 14:36:32.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{911642FF-02E1-4691-B43D-02E858209311}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 01/17/2015 at 14:40:45.49
End of JRT log



#6 buddy215 (BC Advisor)

Posted 17 January 2015 - 02:53 PM

Once you have completed the Eset Online scan, please do this:

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.
NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.




#7 Beckianne (Topic Starter)

Posted 17 January 2015 - 06:32 PM

ESET scan results:

 

C:\Qoobox\Quarantine\Registry_backups\CLSID_{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}.reg.dat Win32/Poweliks.C trojan cleaned by deleting - quarantined



#8 Beckianne (Topic Starter)

Posted 17 January 2015 - 06:51 PM

**I got the dreaded intrusion attempt message as Security Check was downloading**

Results of screen317's Security Check version 0.99.93
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Adobe Reader XI
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

#9 Beckianne (Topic Starter)

Posted 17 January 2015 - 06:53 PM

Oh, and I also got the ABORT! message on the first attempt with Security Check. So, what does all this mean?

#10 buddy215 (BC Advisor)

Posted 17 January 2015 - 08:14 PM

When did you run a scan with ComboFix? It says it found and quarantined Poweliks.

 

Please download Powelikscleaner (by ESET) and save it to your Desktop.

  • Double-click ESETPoweliksCleaner.exe to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • Please let me know if Poweliks is found and removed as shown in the bottom image.

(Attached screenshots: 1.png, 2.png)




#11 Beckianne (Topic Starter)

Posted 17 January 2015 - 09:45 PM

ComboFix?? Don't know that I ran ComboFix - it was ESET that found the Poweliks. Are they one and the same?? Anyway, I'm running the Poweliks cleaner now, per your instructions. And by the way, thank you SO much for your help!!

#12 Beckianne (Topic Starter)

Posted 17 January 2015 - 09:58 PM

Success!! (I think) ESET Poweliks Cleaner apparently found and removed that little critter, and actually left a log on my desktop, which I have pasted here.

[2015.01.17 21:46:37.317] - Begin
[2015.01.17 21:46:37.317] -
[2015.01.17 21:46:37.333] - ....................................
[2015.01.17 21:46:37.333] - ..::::::::::::::::::....................
[2015.01.17 21:46:37.333] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Poweliks
[2015.01.17 21:46:37.333] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.0.0.2
[2015.01.17 21:46:37.333] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Jan 15 2015
[2015.01.17 21:46:37.333] - .::EE:::::::::::::SS:.EE..........TT......
[2015.01.17 21:46:37.333] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright © ESET, spol. s r.o.
[2015.01.17 21:46:37.333] - ..::::::::::::::::::.................... 1992-2013. All rights reserved.
[2015.01.17 21:46:37.333] - ....................................
[2015.01.17 21:46:37.333] -
[2015.01.17 21:46:37.333] - --------------------------------------------------------------------------------
[2015.01.17 21:46:37.333] -
[2015.01.17 21:46:37.333] - INFO: OS: 6.1.7601 SP1
[2015.01.17 21:46:37.333] - INFO: Product Type: Workstation
[2015.01.17 21:46:37.333] - INFO: WoW64: True
[2015.01.17 21:46:37.333] - INFO: Machine guid: C8FEE31A-1798-4B54-8FE9-AD5F6DB91753
[2015.01.17 21:46:37.333] -
[2015.01.17 21:46:40.596] - INFO: Scanning for system infection...
[2015.01.17 21:46:40.596] - --------------------------------------------------------------------------------
[2015.01.17 21:46:40.596] -
[2015.01.17 21:46:40.596] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.17 21:46:40.596] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.17 21:46:40.596] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.17 21:46:40.596] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.17 21:46:40.596] - INFO: Processing classes...
[2015.01.17 21:46:40.596] - INFO: Processing clsid [\Registry\User\S-1-5-21-765362417-497060604-790761052-1000\SOFTWARE\Classes\CLSID\{7ad3508e-238c-584c-9c26-b0d3417ae12f}]
[2015.01.17 21:46:40.611] - INFO: Processing clsid [\Registry\User\S-1-5-21-765362417-497060604-790761052-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.17 21:46:40.611] - WARNING: Found suspicious classid [\Registry\User\S-1-5-21-765362417-497060604-790761052-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.17 21:46:40.611] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.17 21:46:40.611] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.17 21:46:40.611] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.17 21:46:40.611] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.17 21:46:40.611] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.17 21:46:40.611] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.17 21:46:40.611] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.17 21:46:40.611] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.17 21:46:40.611] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.17 21:46:40.611] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2015.01.17 21:46:40.611] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.17 21:46:40.627] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.17 21:46:40.627] - INFO: (XSW) Cleaning XSW
[2015.01.17 21:46:40.627] - INFO: (XSW) Processing users subkeys...
[2015.01.17 21:46:40.627] - INFO: Win32/Poweliks found
[2015.01.17 21:47:08.745] - INFO: process: dllhost.exe, pid 1528, parent 2916
[2015.01.17 21:47:08.745] - INFO: Terminated process pid = 1528
[2015.01.17 21:47:08.745] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.17 21:47:08.745] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.17 21:47:08.745] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.17 21:47:08.745] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.17 21:47:08.745] - INFO: Processing classes...
[2015.01.17 21:47:08.745] - INFO: Processing clsid [\Registry\User\S-1-5-21-765362417-497060604-790761052-1000\SOFTWARE\Classes\CLSID\{7ad3508e-238c-584c-9c26-b0d3417ae12f}]
[2015.01.17 21:47:08.745] - INFO: Processing clsid [\Registry\User\S-1-5-21-765362417-497060604-790761052-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.17 21:47:08.745] - INFO: Deleted classid [\Registry\User\S-1-5-21-765362417-497060604-790761052-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.17 21:47:08.761] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.17 21:47:08.761] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.17 21:47:08.761] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.17 21:47:08.761] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.17 21:47:08.761] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.17 21:47:08.761] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.17 21:47:08.761] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.17 21:47:08.761] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.17 21:47:08.761] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.17 21:47:08.761] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2015.01.17 21:47:08.761] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.17 21:47:08.761] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.17 21:47:08.761] - INFO: (XSW) Cleaning XSW
[2015.01.17 21:47:08.761] - INFO: (XSW) Processing users subkeys...
[2015.01.17 21:47:08.776] - INFO: Cleaning status: 1
[2015.01.17 21:48:02.152] - End
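
A read-only triage script, added here as an example (it is not code from the thread or from ESET's tool), that checks for the two symptoms the log above records: a CLSID registered in the user's own hive (the CLSID is the one ESET reported) and dllhost.exe instances with an unexpected parent or command line. The svchost.exe-parent and "/Processid:{...}" heuristics are assumptions about how a normal COM surrogate is launched, not something the log states; run it from an elevated PowerShell prompt so the command lines of system processes are readable.

```powershell
# Added example, not from the thread or from ESET: read-only Poweliks triage.
# It reports; it never deletes or changes anything.
# Assumptions: the CLSID below is the one ESET named in the log above; the
# "svchost.exe parent" and "/Processid:{...}" rules describe normal dllhost.exe use.

$knownBadClsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'   # reported by ESET in this thread
$hkcuClsid = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$hklmClsid = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'

function Get-UserClsidFindings {
    # HKCR merges HKCU\Software\Classes over HKLM\Software\Classes, and the per-user
    # entry wins. A user-hive CLSID that also exists under HKLM is the COM-hijack
    # pattern Poweliks used: COM loads the malware's server instead of the real one.
    if (-not (Test-Path $hkcuClsid)) { return @() }
    foreach ($key in Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$($key.PSPath)\$server"
            if (-not (Test-Path $serverKey)) { continue }
            # The (default) value names the DLL or EXE COM will load for this class.
            # (A value whose name cannot be read still leaves the key itself listed.)
            $target = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                CLSID       = $clsid
                Server      = $server
                Target      = $target
                ShadowsHKLM = Test-Path "$hklmClsid\$clsid"
                KnownBad    = ($clsid -ieq $knownBadClsid)
            }
        }
    }
}

function Get-DllhostFindings {
    # A legitimate dllhost.exe (the COM surrogate) is started by svchost.exe with a
    # "/Processid:{CLSID}" argument. The ESET log above shows Poweliks running inside
    # a dllhost.exe; an instance without that argument, or with an unexpected parent,
    # deserves a closer look. (Heuristic, not proof of infection.)
    $all = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in ($all | Where-Object { $_.Name -ieq 'dllhost.exe' })) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            ParentName  = $parentName
            CommandLine = $p.CommandLine
            Suspicious  = ($p.CommandLine -notmatch '/Processid:\{') -or ($parentName -ine 'svchost.exe')
        }
    }
}

'== Per-user CLSID registrations (HKCU\Software\Classes\CLSID) =='
Get-UserClsidFindings | Sort-Object KnownBad, ShadowsHKLM -Descending | Format-Table -AutoSize

'== dllhost.exe instances =='
Get-DllhostFindings | Format-Table -AutoSize
```

A KnownBad or ShadowsHKLM row, or a dllhost.exe marked Suspicious, is a lead to hand to the scanning tools above, not a verdict; a clean Windows 7 machine normally has few or no entries under the user's CLSID key.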

#13 buddy215 (BC Advisor)

Posted 18 January 2015 - 06:13 AM

You should remove ComboFix and its backup folder, which contains quarantined items such as Poweliks.

Follow these steps to uninstall Combofix and all of its files and components.

  • Click START then RUN
  • Now type ComboFix /uninstall in the runbox and click OK. Note the space between the X and the /uninstall

There was a program found by AdwCleaner that is a piece of crapware....Reimage. It could still be listed in your Add/Remove Programs list.

Open CCleaner and click on Tools. Choose Uninstall. On the bottom right of that page is a button which, when clicked, will allow you to Copy and Paste the list of installed programs into your next reply. Please do that.




#14 Beckianne (Topic Starter)

Posted 18 January 2015 - 09:19 AM

Again, I didn't download ComboFix to my computer.  I was running ESET per your instructions when the Trojan was found.  Where is it indicated I have ComboFix on my computer???  I carefully typed ComboFix /uninstall in the runbox, and Windows couldn't find it.  Or at least, that's the message I got.  I did a search as well and got the same result.  Anyway, here's the list that CCleaner generated:

 

Adobe AIR Adobe Systems Incorporated 1/15/2012  3.1.0.4880
Adobe Flash Player 16 ActiveX Adobe Systems Incorporated 1/13/2015 6.00 MB 16.0.0.257
Adobe Reader XI (11.0.06) Adobe Systems Incorporated 2/8/2014 128 MB 11.0.06
Amazon MP3 Downloader 1.0.15 Amazon Services LLC 1/15/2012  1.0.15
Amazon MP3 Uploader Amazon Services LLC 1/15/2012  1.0.7
CCleaner Piriform 1/18/2015  5.01
Cisco Connect Cisco Consumer Products LLC 8/2/2012  1.4.12005.2
Corel Business Applications  12/11/2014  
CyberLink DVD Suite Deluxe CyberLink Corp. 9/15/2010 36.1 MB 7.0.2115
DVD Menu Pack for HP MediaSmart Video Hewlett-Packard 9/15/2010 100 MB 3.1.3224
Firestorm-Release (remove only) The Phoenix Firestorm Project, Inc. 12/31/2014 195 MB 4.6.5.40833
HP Advisor Hewlett-Packard 9/15/2010 54.4 MB 3.4.10262.3295
HP Games WildTangent 10/13/2011  1.0.0.71
HP MediaSmart Demo Hewlett-Packard 9/15/2010 45.4 MB 1.00.0000
HP MediaSmart DVD Hewlett-Packard 9/15/2010 96.7 MB 3.1.3317
HP MediaSmart Music/Photo/Video Hewlett-Packard 9/15/2010 314 MB 3.1.3422
HP MediaSmart SmartMenu Hewlett-Packard 9/15/2010 1.95 MB 3.1.0.1
HP MediaSmart/TouchSmart Netflix Hewlett-Packard 9/15/2010 9.61 MB 1.0.2.0
HP Odometer Hewlett-Packard 9/15/2010 48.0 KB 2.10.0000
HP Setup Hewlett-Packard 9/15/2010  8.1.4186.3400
HP Support Information Hewlett-Packard 9/15/2010 160 KB 10.1.0002
HP Update Hewlett-Packard 9/15/2010 2.97 MB 5.002.003.003
HP Vision Hardware Diagnostics Hewlett-Packard 9/15/2010 11.2 MB 2.1.2.27173
LabelPrint CyberLink Corp. 9/15/2010 230 MB 2.5.2017
LightScribe System Software LightScribe 9/15/2010 24.6 MB 1.18.17.1
Lyra Jukebox Applications  1/15/2012  1.0.503
Microsoft .NET Framework 4.5.2 Microsoft Corporation 1/14/2015 38.8 MB 4.5.51209
Microsoft Live Search Toolbar Microsoft Live Search Toolbar 10/13/2011  3.0.566.0
Microsoft Silverlight Microsoft Corporation 9/15/2010 14.9 MB 3.0.40624.0
Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Corporation 9/15/2010 1.72 MB 3.1.0000
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 9/15/2010 428 KB 8.0.56336
Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Corporation 9/15/2010 708 KB 8.0.56336
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Corporation 9/15/2010 788 KB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 Microsoft Corporation 9/15/2010 788 KB 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 9/15/2010 596 KB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Corporation 9/15/2010 596 KB 9.0.30729.4148
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 Microsoft Corporation 3/16/2014 13.6 MB 10.0.30319
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 Microsoft Corporation 3/16/2014 9.89 MB 10.0.30319
Movie Theme Pack for HP MediaSmart Video Hewlett-Packard 9/15/2010 332 MB 3.1.3310
MSXML 4.0 SP2 (KB954430) Microsoft Corporation 10/17/2011 1.27 MB 4.20.9870.0
MSXML 4.0 SP2 (KB973688) Microsoft Corporation 10/17/2011 1.33 MB 4.20.9876.0
Norton Internet Security Symantec Corporation 11/26/2014  21.6.0.32
Norton Online Backup Symantec 9/15/2010 1.75 MB 1.2.20.0
NVIDIA Drivers NVIDIA Corporation 9/15/2010  1.5
NVIDIA Graphics Driver 307.83 NVIDIA Corporation 6/29/2013  307.83
NVIDIA Update 1.10.8 NVIDIA Corporation 6/29/2013  1.10.8
PlayReady PC Runtime amd64 Microsoft Corporation 9/15/2010 2.05 MB 1.3.0
Power2Go CyberLink Corp. 9/15/2010 169 MB 6.0.3304
PowerDirector CyberLink Corp. 9/15/2010 522 MB 7.0.3503
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 9/15/2010  6.0.1.5938
WIDCOMM Bluetooth Software Broadcom Corporation 10/30/2011 183 MB 6.3.0.7500
Windows Live Essentials Microsoft Corporation 9/15/2010  14.0.8089.0726
Windows Live Sign-in Assistant Microsoft Corporation 9/15/2010 1.93 MB 5.000.818.5
Windows Live Sync Microsoft Corporation 9/15/2010 2.78 MB 14.0.8089.726
Windows Live Upload Tool Microsoft Corporation 9/15/2010 224 KB 14.0.8014.1029
Windstream Setup Assistant Windstream 3/12/2014 17.5 MB 8.3.1.7
 



#15 buddy215 (BC Advisor)

Posted 18 January 2015 - 11:05 AM

The Qoobox folder is created by ComboFix. The Qoobox folder is where Eset said it found Poweliks. I understand you did not personally install or use ComboFix. I believe you. But I also think that Eset is correct, too. So, is it possible that someone else used ComboFix, either another user or someone working remotely or a repair shop, in the last several months?

 

Follow the directions given in the link below for removing the Qoobox folder. There are other ways but this is likely the simplest without installing another program or using a script. Fix – Can’t Delete Qoobox Folder

 

Uninstall these programs or update them: (Firefox has its own PDF reader)

Adobe AIR Adobe Systems Incorporated 1/15/2012  3.1.0.4880

Adobe Reader XI (11.0.06) Adobe Systems Incorporated 2/8/2014 128 MB 11.0.06






