infected with poweliks from the firefox update scam...(I think)


13 replies to this topic

#1 brantheion

brantheion

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:39 PM

Posted 26 October 2016 - 10:49 PM

Tried to remove with several tools. Emsisoft antimalware...iobit...and that one that bleepingmalware is being sued by...

 

It does not seem to be going away. Also, maybe of note, getting BSODs when coming out of hibernation. Also, the mic is constantly muting. Not sure those last two are relevant to the issue but thought I would mention since they are recent occurrences.

 

Thanks for any assistance.

 

This is a laptop HP G2 Zbook if that is helpful. 16 GB of RAM.

 

Spotted these guys in the FRST.txt log:

 
HKU\S-1-5-21-1622503926-640602293-3135749681-1321\...\Run: [**ysuvcr<*>] => "C:\Users\Jeff.000\AppData\Local\92e42\1a1ae.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1622503926-640602293-3135749681-1321\...\Run: [**phbv<*>] => "C:\windows\system32\mshta.exe" javascript:uEu7B="1f1Yh";T77f=new%20ActiveXObject("WScript.Shell");k9tPgN="zaLMG";C5sSP=T77f.RegRead("HKCU\\software\\pdxeakwqp\\ahbuni");KsKM1Q="lpRa0an2";eval(C5sSP); (the data entry has 14 more characters). <===== ATTENTION (Value Name with invalid characters)
 
and this guy in the addition.txt log
 
HKU\S-1-5-21-1622503926-640602293-3135749681-1321\Software\Classes\4dfc9: "C:\windows\system32\mshta.exe" "javascript:f9I4sXQQ="M";M3l=new ActiveXObject("WScript.Shell");RD21kL="X6Y";S0qbp=M3l.RegRead("HKCU\\software\\pdxeakwqp\\ahbuni");DIYcRo3="Gm";eval(S0qbp);PlBux9="o2FvT";" <===== ATTENTION
 
not sure if that is any help...

Attached Files

  • FRST.txt (169.38 KB)
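The two Run entries quoted in the post above show the persistence pattern this thread is about: a Run value whose name contains characters the registry editor cannot display, pointing mshta.exe at an inline javascript: URI that does nothing itself except read the real script body out of a second registry value and hand it to eval(). That second value is where the payload actually lives, so a responder wants its path extracted, not just the Run entry flagged. The Python below is an added example for this page; it is not part of FRST, not the helper's fixlist and not from BleepingComputer. It parses FRST-style Run lines, strips FRST's own annotations, URL-decodes the command (mshta accepts %20-encoded URIs), and reports which indicators each entry trips. The first two sample lines are the ones quoted from the thread; the other two (a vendor entry and a loader variant with an ordinary value name) are constructed for the example, as are all function names and regexes.

```python
"""Triage FRST-style Run-key entries for the mshta.exe / RegRead / eval loader pattern.

Added example for this forum page. Not FRST code and not the helper's fix; the heuristics,
function names and the two constructed sample lines below are this example's own.
"""
import re
from urllib.parse import unquote

# Lines 1-2: taken from the FRST log quoted in the thread.
# Lines 3-4: constructed for this example (a benign vendor entry, and a loader that uses the
#            same fileless pattern but hides behind an ordinary-looking value name).
SAMPLE_LINES = [
    r'HKU\S-1-5-21-1622503926-640602293-3135749681-1321\...\Run: [**ysuvcr<*>] => "C:\Users\Jeff.000\AppData\Local\92e42\1a1ae.lnk" <===== ATTENTION (Value Name with invalid characters)',
    r'HKU\S-1-5-21-1622503926-640602293-3135749681-1321\...\Run: [**phbv<*>] => "C:\windows\system32\mshta.exe" javascript:uEu7B="1f1Yh";T77f=new%20ActiveXObject("WScript.Shell");k9tPgN="zaLMG";C5sSP=T77f.RegRead("HKCU\\software\\pdxeakwqp\\ahbuni");KsKM1Q="lpRa0an2";eval(C5sSP); (the data entry has 14 more characters). <===== ATTENTION (Value Name with invalid characters)',
    r'HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3031944 2015-06-12] (Synaptics Incorporated)',
    r'HKU\S-1-5-21-...\...\Run: [Updater] => "C:\windows\system32\mshta.exe" "javascript:a=new ActiveXObject("WScript.Shell");b=a.RegRead("HKCU\\software\\example\\blob");eval(b);"',
]

# FRST prints Run entries as:  <key>\Run: [<value name>] => <command> [annotations]
RUN_RE = re.compile(r'^(?P<key>.*?\\Run): \[(?P<name>.*?)\] => (?P<value>.*)$')
# FRST's own trailing notes, which are not part of the registry data.
FRST_NOTES_RE = re.compile(r'\s*\(the data entry has \d+ more characters\)\.?|\s*<=+ ATTENTION.*$')
# WScript.Shell.RegRead("<path>") with the JS-escaped backslashes FRST shows verbatim.
REGREAD_RE = re.compile(r'RegRead\("([^"]+)"\)')
# An autorun target that is a shortcut sitting in a per-user AppData folder.
LNK_IN_APPDATA_RE = re.compile(r'\\AppData\\(Local|Roaming)\\.*\.lnk"?$', re.I)


def analyze_run_entry(line):
    """Parse one FRST Run line; return a dict of findings, or None if it is not a Run line."""
    m = RUN_RE.match(line)
    if not m:
        return None
    name = m.group("name")
    value = FRST_NOTES_RE.sub("", m.group("value"))
    decoded = unquote(value)  # normalise %xx escapes before matching keywords
    indicators = []
    if "<*>" in name or "Value Name with invalid characters" in line:
        indicators.append("value name contains characters regedit cannot display")
    if re.search(r"mshta\.exe", decoded, re.I) and "javascript:" in decoded.lower():
        indicators.append("mshta.exe started with an inline javascript: URI")
    payload_key = None
    rr = REGREAD_RE.search(decoded)
    if rr and re.search(r"\beval\(", decoded):
        payload_key = rr.group(1).replace("\\\\", "\\")  # undo JS string escaping
        indicators.append(f"script body is read from registry value {payload_key} and passed to eval()")
    if LNK_IN_APPDATA_RE.search(decoded):
        indicators.append("autorun target is a shortcut file in a per-user AppData folder")
    return {"key": m.group("key"), "name": name, "target": decoded,
            "indicators": indicators, "payload_key": payload_key}


def triage(lines):
    """Return the analysed entries that trip at least one indicator, in input order."""
    hits = []
    for line in lines:
        entry = analyze_run_entry(line)
        if entry and entry["indicators"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f'{hit["key"]} [{hit["name"]}]')
        for ind in hit["indicators"]:
            print("  -", ind)
        if hit["payload_key"]:
            print("  also inspect:", hit["payload_key"])
```

Run as-is it reports three of the four sample entries and names HKCU\software\pdxeakwqp\ahbuni as the value the second loader reads from. Matching on the RegRead-plus-eval structure rather than on the random variable names is the point: the names change per infection, the structure does not, which is why the constructed fourth line is caught even though FRST would not flag its value name.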



#2 brantheion (Topic Starter)

Posted 26 October 2016 - 10:51 PM

Forgot to attach....

Attached Files



#3 brantheion (Topic Starter)

Posted 27 October 2016 - 11:11 AM

If there is a tutorial for removal of this elsewhere on the site I could not find it. Feel free to point me in that direction if need be...Again thanks for any assistance.



#4 brantheion (Topic Starter)

Posted 28 October 2016 - 09:32 AM

Is there no infection?...



#5 brantheion (Topic Starter)

Posted 28 October 2016 - 01:29 PM

This is the path I am following now.

 

https://support.norton.com/sp/en/us/home/current/solutions/v105110580_EndUserProfile_en_us

 

Once I have followed those steps I will run frst again and post new logs.



#6 brantheion (Topic Starter)

Posted 28 October 2016 - 11:13 PM

So I followed the Norton guide. The first one found something and I deleted those files. The second scan did not find anything except Trillian (which I use).

 

I have run FRST again and here are the files. Could someone take a look at them and let me know if I have missed something?

 

Thanks for your time.

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:39 PM

Posted 29 October 2016 - 05:37 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-1622503926-640602293-3135749681-1321\...\Run: [**ysuvcr<*>] => "C:\Users\Jeff.000\AppData\Local\92e42\1a1ae.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1622503926-640602293-3135749681-1321\...\Run: [**phbv<*>] => "C:\windows\system32\mshta.exe" javascript:uEu7B="1f1Yh";T77f=new%20ActiveXObject("WScript.Shell");k9tPgN="zaLMG";C5sSP=T77f.RegRead("HKCU\\software\\pdxeakwqp\\ahbuni");KsKM1Q="lpRa0an2";eval(C5sSP); (the data entry has 14 more characters). <===== ATTENTION (Value Name with invalid characters)
GroupPolicy: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF user.js: detected! => C:\Users\Jeff.000\AppData\Roaming\Mozilla\Firefox\Profiles\4hbpfiza.default\user.js [2016-01-19]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (New Tab Redirect) - C:\Users\Jeff.000\AppData\Local\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna [2015-04-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jeff.000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Chrome Media Router) - C:\Users\Jeff.000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-18]
CHR Extension: (Honey) - C:\Users\Jeff.000\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2016-10-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jeff.000\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-26]
CHR Extension: (Amazon Assistant for Chrome) - C:\Users\Jeff.000\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pbjikboenpfhbbejgkoklgkhjpfogcam [2016-10-26]
CHR Extension: (Chrome Media Router) - C:\Users\Jeff.000\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-26]
S3 cpuz136; no ImagePath
S1 ZAM; no ImagePath
S1 ZAM_Guard; no ImagePath
S3 RSUSBSTOR; \SystemRoot\System32\Drivers\RtsUStor.sys [X]
S3 RSUSBVSTOR; \SystemRoot\System32\Drivers\RtsUVStor.sys [X]
C:\Users\Jeff.000\AppData\Local\92e42
Startup: C:\Users\Jeff.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5160b.lnk [2016-10-26]
ShortcutTarget: 5160b.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Startup: C:\Users\Jeff.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4469.lnk [2016-10-26]
ShortcutTarget: a4469.lnk -> C:\Windows\System32\mshta.exe (Microsoft Corporation)
Startup: C:\Users\Jeff.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5160b.lnk [2016-10-26]
ShortcutTarget: 5160b.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Startup: C:\Users\Jeff.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4469.lnk [2016-10-26]
ShortcutTarget: a4469.lnk -> C:\Windows\System32\mshta.exe (Microsoft Corporation)
C:\Users\Jeff.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5160b.lnk
C:\Users\Jeff.000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4469.lnk
HKU\S-1-5-21-1622503926-640602293-3135749681-1321\Software\Classes\4dfc9: "C:\windows\system32\mshta.exe" "javascript:f9I4sXQQ="M";M3l=new ActiveXObject("WScript.Shell");RD21kL="X6Y";S0qbp=M3l.RegRead("HKCU\\software\\pdxeakwqp\\ahbuni");DIYcRo3="Gm";eval(S0qbp);PlBux9="o2FvT";" <===== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

#8 brantheion (Topic Starter)

Posted 30 October 2016 - 05:25 PM

Will do. Thanks. Be a couple of hours before I can do this.



#9 brantheion (Topic Starter)

Posted 31 October 2016 - 08:23 AM

Here is the fixlog.

 

Thanks. Sorry for the delay.

Attached Files



#10 nasdaq (Malware Response Team)

Posted 31 October 2016 - 08:41 AM

Has the problem been solved?

#11 brantheion (Topic Starter)

Posted 31 October 2016 - 09:20 AM

Looking. I will let you know within the hour.



#12 brantheion (Topic Starter)

Posted 31 October 2016 - 10:23 AM

I do not see evidence that the bug is there any longer. Thanks.



#13 brantheion (Topic Starter)

Posted 31 October 2016 - 10:26 AM

If it manifests itself again should I reply here or start a new thread? Really appreciate it.



#14 nasdaq (Malware Response Team)

Posted 01 November 2016 - 08:34 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

p.s.
I will leave this topic open for 6 days. If needed, reply in this topic.
