Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Sept 30, 2014 15:50:35 GMT -8
From the Norton alert Info
Poweliks alerts date and time 9/30/2014 2:17:08 AM
Anti-Tamper alert 9/30/2014 6:19:51 PM
That is a large time difference for any Poweliks alerts, so maybe Poweliks just could not carry on, and as you restarted the system it stopped Poweliks trying to reinfect the system (for more than 12 hours now). And so FRST and MBAR have no Poweliks to find.
Quads
Post by kmcard on Sept 30, 2014 17:40:45 GMT -8
Yes and no. I've been gone most of the day and while I'm away, I disconnect from the internet. I'm not sure what all Poweliks is doing, but I want to be at my computer monitoring via Task Manager in case it loads all of those dllhost.exe processes. I'm not convinced that we have it completely under control just quite yet.
What should our next step be?
Post by Quads on Sept 30, 2014 17:53:47 GMT -8
The Registry key is what goes on to use dllhost.exe.
No registry key, no overactive dllhost. So unless there was an ad on a website with an exploit kit in the browser that tried again, and you stopped the steps by doing the quick shutdown of the system, it has been successful in stopping reinfection or something similar. It means the registry key is not there.
Intrusion Prevention would have continued to alert to the blocking of network traffic to Poweliks addresses as soon as you were on the net for the downloading of MBAR or posting in this forum.
Quads
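The two things the reply above ties together (the registry entry, and the burst of dllhost.exe processes the earlier post was watching for in Task Manager) can be checked from an elevated PowerShell prompt. This is an added example and not part of the thread or of any Norton or ESET tool. It assumes a Poweliks-style entry sits under one of the usual Run/RunOnce keys and launches script content through rundll32, mshta or an encoded PowerShell command; the patterns, the 1000-character length threshold and the function name Find-PoweliksIndicators are the example's own choices. A hit is a lead to inspect, not a verdict.

```powershell
# Added example (assumed names and thresholds, not from the thread).
# Lists Run/RunOnce values that look like script-in-registry launchers,
# then counts dllhost.exe processes and shows who started each one.

function Find-PoweliksIndicators {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    $suspicious = foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Read raw data without expanding %VARS% so we see what was written.
            $data  = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $flags = @()

            # A value name made of control or non-printable characters cannot be
            # shown or edited normally in regedit; that is a hiding trick.
            if ($name -match '[^\x20-\x7E]') { $flags += 'non-printable value name' }

            # Launchers that run script text straight out of the registry.
            if ($data -match '(?i)rundll32.*javascript:|mshta(\.exe)?\s|powershell.*-enc') {
                $flags += 'script launcher'
            }

            # Assumed threshold: a normal autostart is a short path plus arguments.
            if ($data.Length -gt 1000) { $flags += 'unusually long data' }

            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Flags   = ($flags -join ', ')
                    Preview = $data.Substring(0, [Math]::Min(80, $data.Length))
                }
            }
        }
    }

    # dllhost.exe is the COM Surrogate; a handful is normal, dozens is not.
    # Showing the parent lets you see whether they came from DcomLaunch
    # (svchost.exe) or from something else.
    $dllhosts = Get-CimInstance Win32_Process -Filter "Name='dllhost.exe'" |
        ForEach-Object {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
            [pscustomobject]@{
                Pid        = $_.ProcessId
                ParentPid  = $_.ParentProcessId
                ParentName = if ($parent) { $parent.Name } else { '<exited>' }
                Command    = $_.CommandLine
            }
        }

    [pscustomobject]@{
        SuspiciousRunValues = @($suspicious)
        DllhostCount        = @($dllhosts).Count
        Dllhosts            = @($dllhosts)
    }
}

$report = Find-PoweliksIndicators
"Suspicious Run/RunOnce values: $($report.SuspiciousRunValues.Count)"
$report.SuspiciousRunValues | Format-Table -AutoSize -Wrap
"dllhost.exe processes: $($report.DllhostCount)"
$report.Dllhosts | Format-Table -AutoSize
```

Run it once on a machine you believe is clean to learn your own baseline dllhost.exe count before reading anything into the number on the affected system; the Run-key section is the more telling half, since the post's point is that without the registry entry there is nothing to spawn the surrogates.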
Post by Quads on Sept 30, 2014 18:28:50 GMT -8
On with step 4: a complete system check for any file, and cleanup of items and tools used. Special attention to the different settings I have asked for below. You can leave Norton enabled even though ESET may warn about it; it just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same. Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.
Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
For alternate browsers only (Microsoft Internet Explorer users can skip these steps): click the button (image) to download the ESET Smart Installer. Save it to your desktop. Double click on the icon on your desktop. Check the box, then click the button. Accept any security warnings from your browser. Under scan settings, check and DON'T (NO) check Remove found threats (the reason for this is we don't want something deleted and then Windows won't load).
Click Advanced settings and select the following: Scan potentially unwanted applications, Scan for potentially unsafe applications, Enable Anti-Stealth technology.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. Attach the resulting log in your next reply. The scanner screen gives me the option of saving the results to a .txt file as part of the options after the scan has finished. Screenshot of part of the finished scan dialog box by ESET showing the options: List found threats, and at the bottom of the listing is the option to save the list.
Quads
Post by kmcard on Oct 1, 2014 7:59:56 GMT -8
I click the checkbox for "Yes, I accept the terms of use" and click Start. I get the error message "An add-on for this website failed to run".
Post by Quads on Oct 1, 2014 9:53:56 GMT -8
3 users with this problem. One of the users worked it out, though they did 2 things:
they disabled the popup blocker and reset IE; maybe it was just the popup blocker.
I would have to look up how to disable the popup blocker.
Quads
Post by kmcard on Oct 1, 2014 12:54:46 GMT -8
I added www.eset.com to the list of allowed sites in Popup Blocker settings and am scanning now.
Post by kmcard on Oct 1, 2014 14:41:16 GMT -8
Here are the results of running ESET.
Post by Quads on Oct 1, 2014 14:54:54 GMT -8
There is the leftover Poweliks .dll (should be dead): TfsStore\Tfs_DAV\yu0.dll
Interesting name given for one lot of detections hahahahahaha
Quads
Post by kmcard on Oct 1, 2014 15:01:57 GMT -8
Yes, I thought that was funny too! What should I do with it?