Gr8tFul4Hlp

CLOSED PC Infected with Trojan.Powelik, Angler.Exploit Kit and Adware.Maltree


Hello,

 

This issue has suddenly appeared within the last two weeks; the computer is extremely slow, Norton keeps reporting it's blocked various malware, the internet is grindingly slow (we're on Verizon DSL) and shutting down the computer is slow, as it always says something is running when we've closed all "visible" programs.

 

My system: Windows 7 Home Premium, Service Pack 1

Dell Inspiron 1750 64 bit 2 GHz

Norton 360

 

Messages from Norton and the computer:

Computer -

Powershell has stopped working

High Disk read usage by Com Surrogate

There are more than this but I'm not sure which are relevant.

 

Norton - reports that it's blocked or removed (after a full scan, but of course they are still there) the following:

Adware.Maltree.TS!g23

Trojan.Powelik

Protecting your connection to a newly detected adapter "Teredo Tunneling Pseudo Interface" (haven't installed any new hardware or software recently)

Angler Exploit Kit Website

There are more than this but I'm not sure which are relevant.

 

Attached are the three analysis files

 

Thanks,

 

Peter

 


Peter,

Do the following:

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
  • If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
Download Junkware Removal Tool and save it on your desktop.
  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
HKU\S-1-5-21-3330760137-3224318772-921977993-1006\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
2014-11-05 07:45 - 2014-11-05 07:45 - 00004040 _____ () C:\Windows\System32\Tasks\{6BC1CE10-36DE-53F0-F3F7-27D784CEF0EC}
2014-11-05 07:45 - 2014-11-05 07:45 - 00000000 _____ () C:\Users\MyraB\AppData\Roaming\yduoufg.dll
2014-10-30 17:58 - 2014-11-11 20:24 - 00000000 ____D () C:\Users\MyraB\AppData\Local\Idrnsoft
2014-10-30 17:58 - 2014-10-30 17:58 - 00000000 ____D () C:\Users\MyraB\AppData\Local\Olbics
2014-10-25 13:55 - 2014-10-25 13:56 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-25 13:55 - 2014-08-02 18:48 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{232F1B14-7126-491F-AC8C-6123BA58FDE2}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3330760137-3224318772-921977993-1006\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3330760137-3224318772-921977993-1006\SOFTWARE\SMARTBAR" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASAPI32" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASMANCS" /f
CustomCLSID: HKU\S-1-5-21-3330760137-3224318772-921977993-1006_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {DE21C0A8-BC04-42ED-B081-B7D883BDC841} - System32\Tasks\{6BC1CE10-36DE-53F0-F3F7-27D784CEF0EC} => C:\Users\MyraB\AppData\Roaming\jsvfkr.dll/s "C:\Users\MyraB\AppData\Roaming\jsvfkr.dll" <==== ATTENTION
AlternateDataStreams: C:\Users\FretPlayer\Documents\Slideshow.dmsm:Roxio EMC Stream
AlternateDataStreams: C:\Users\MyraB\Desktop\Priority Offer Get MYTHBUSTERS Tickets Before They Go On Sale to the Public.eml:OECustomProperty
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Hi Kevin,

 

Thanks for your quick response.

 

I ran the programs in the order you requested and have attached the corresponding files.

 

I have not used the computer enough yet to determine the outcome.

 

Thanks,

 

Peter


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST logs to your reply.


Hi Kevin,

 

Booted up this morning (8am US EST) and Norton indicated the following (screen captures). I believe this was while I was generating the additional log reports cited above.

 

Thanks,

 

Peter


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-3330760137-3224318772-921977993-1006\...\MountPoints2: E - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-3330760137-3224318772-921977993-1006\...\MountPoints2: {162aabcd-aac5-11e1-9077-806e6f6e6963} - D:\Welcome.exe
HKU\S-1-5-21-3330760137-3224318772-921977993-1006\...\MountPoints2: {f870e3f5-95d4-11e3-b87d-782bcbe0a52a} - E:\TL_Bootstrap.exe
2014-11-15 18:12 - 2014-11-15 18:12 - 40034920 ____T () C:\Windows\SysWOW64\00024786.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 40034920 ____T () C:\Windows\SysWOW64\00022959.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 40034920 ____T () C:\Windows\SysWOW64\00005598.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00032618.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00032321.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00032255.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00032126.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00031586.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00030033.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00028647.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00027144.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00027067.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00026594.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00026393.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00025924.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00025519.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00023594.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00023488.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00021968.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00021396.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00019303.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00019261.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00018796.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00018291.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00018171.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00017329.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00017063.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00016868.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00015816.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00015389.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00015376.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00015101.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00013772.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00012867.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00012541.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00012065.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00011991.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00011372.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00010882.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00010048.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00009209.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00009196.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00008939.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00008264.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00007461.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00005921.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00005852.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00003990.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00003217.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00002810.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00001688.tmp
2014-11-15 18:12 - 2014-11-15 18:12 - 01176168 ____T () C:\Windows\SysWOW64\00001271.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 40034920 ____T () C:\Windows\SysWOW64\00032388.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 40034920 ____T () C:\Windows\SysWOW64\00030027.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00032209.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00030455.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00030317.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00029665.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00027770.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00025948.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00025541.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00024844.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00023869.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00022948.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00022128.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00020700.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00019766.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00019566.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00019226.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00019212.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00018555.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00018062.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00017682.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00015483.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00014847.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00014063.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00013463.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00012226.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00012171.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00011054.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00010333.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00009796.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00006679.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00005620.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00005485.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00005120.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00004985.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00004898.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00003768.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00002871.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00002783.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00001962.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00001323.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00001031.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00001030.tmp
2014-11-15 17:46 - 2014-11-15 17:46 - 01176168 ____T () C:\Windows\SysWOW64\00000799.tmp
2014-11-15 17:43 - 2014-11-15 17:44 - 40034920 ____T () C:\Windows\SysWOW64\00019275.tmp
2014-11-18 20:53 - 2012-05-14 21:59 - 00000000 ____D () C:\ProgramData\PCDr
2014-11-17 22:54 - 2012-05-30 20:14 - 00000000 ____D () C:\Users\FretPlayer\AppData\Roaming\PCDr
C:\Users\FretPlayer\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp9xqtxh.dll
C:\Users\FretPlayer\AppData\Local\Temp\Quarantine.exe
C:\Users\FretPlayer\AppData\Local\Temp\sqlite3.dll
Reg: reg delete "HKEY_USERS\S-1-5-21-3330760137-3224318772-921977993-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLETASKMGR" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3330760137-3224318772-921977993-1006\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
CustomCLSID: HKU\S-1-5-21-3330760137-3224318772-921977993-1006_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\FretPlayer\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3330760137-3224318772-921977993-1006_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\FretPlayer\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
AlternateDataStreams: C:\Users\MyraB\Desktop\Priority Offer Get MYTHBUSTERS Tickets Before They Go On Sale to the Public.eml:OECustomProperty
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


One more time.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.


Everything looks good.

Unless you are having problems, it is time to do the final steps.

Uninstall AdwCleaner:

  • Close all open programs and Internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Uninstall button.
  • Confirm by clicking Yes.
Delete the following from your Desktop: (If they exist)

AdwCleaner.exe

Emsisoft Emergency Kit.lnk

FRST.exe

FRST64.exe

JRT.exe

JRT.txt

Anything else I had you use

Delete the following folders: (If they exist)

C:\AdwCleaner

C:\EEK

C:\FRST

Empty the Recycle Bin

Download to your Desktop:

- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner
Run CCleaner
  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default; if not, please select them:

    [screenshot of the default Cleaner selections]

  • Click [image] and choose [image]
  • Uncheck [image]
  • Then go back to [image] and click [image] to run it.
  • Exit CCleaner.
Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Install and run the Secunia Personal Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

Articles to read:

How to Protect Your Computer From Malware

How to keep you and your Windows PC happy

Web, email, chat, password and kids safety

10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!


Hi Kevin,

 

I wish I could confirm that all is well.

 

My wife reported that her login has continued to be non-functional; being sluggish, with many Windows error messages and Norton 360 scan messages.

 

Even though I think the (attached) scans done in her login looked good, I witnessed my error messages and Norton attempting to block the malware.

 

The system error "Powershell has stopped working" kept happening every few minutes and the system usage was through the roof.

 

Any ideas on how this can be happening?  We've rebooted many times and I did the wrap-up you recommended on her login as well.

 

Thanks,

 

Peter


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

(Google Inc.) C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai\Dnyyxcbcrng.exe
(Google Inc.) C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai\Dnyyxcbcrng.exe
(Google Inc.) C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai\Dnyyxcbcrng.exe
(Google Inc.) C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai\Dnyyxcbcrng.exe
(Google Inc.) C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai\Dnyyxcbcrng.exe
(Google Inc.) C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai\Dnyyxcbcrng.exe
(Google Inc.) C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai\Dnyyxcbcrng.exe
(Google Inc.) C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai
(Google Inc.) C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol
HKU\S-1-5-21-3330760137-3224318772-921977993-1005\...\Run: [bafkrtaaq] => regsvr32.exe /s "C:\Users\MyraB\AppData\Local\Temp\27c0\AppData\Local\Microsoft\bafkrtaaq.dll" <===== ATTENTION
HKU\S-1-5-21-3330760137-3224318772-921977993-1005\...\MountPoints2: {2eafcb2c-30ea-11e3-9a9a-782bcbe0a52a} - E:\LaunchU3.exe -a
HKU\S-1-5-21-3330760137-3224318772-921977993-1005\...\MountPoints2: {eee49d6a-8219-11e3-8485-782bcbe0a52a} - E:\TL_Bootstrap.exe
HKU\S-1-5-21-3330760137-3224318772-921977993-1005\...\MountPoints2: {f870e3f5-95d4-11e3-b87d-782bcbe0a52a} - E:\TL_Bootstrap.exe
HKU\S-1-5-21-3330760137-3224318772-921977993-1005\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
ShortcutTarget: Dropbox.lnk -> C:\Users\MyraB\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
SearchScopes: HKU\S-1-5-21-3330760137-3224318772-921977993-1005 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
Toolbar: HKU\S-1-5-21-3330760137-3224318772-921977993-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S2 SessionLauncher; C:\Users\GUITAR~1\AppData\Local\Temp\DX9\SessionLauncher.exe [X]
2014-11-22 22:07 - 2014-11-22 22:07 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-11-19 18:29 - 2014-11-19 18:30 - 00000000 ____D () C:\Users\FretPlayer\AppData\Roaming\PCDr
2014-11-19 18:28 - 2014-11-19 18:28 - 00000000 ____D () C:\ProgramData\PCDr
C:\Users\FretPlayer\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpw9luz7.dll
C:\Users\MyraB\AppData\Local\Temp\czdptwc.dll
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

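The three FRST fixlists Kevin has posted so far all turn on a small set of log patterns: a per-user CLSID whose LocalServer32 is not a file but rundll32.exe handed a javascript: URL that pulls in mshtml (the Poweliks persistence), a scheduled task whose action is a DLL sitting in AppData\Roaming, a Run entry that regsvr32's a DLL out of a Temp folder, and policy values that disable Task Manager and the Registry Editor. The Python script below is an added example, not code from this thread or from the FRST project: it triages FRST-style log lines for those patterns and, for a Poweliks hit, decodes the eval() string, which is plain text with every character's code point shifted up by one. The sample lines are constructed, modelled on the entries quoted above with SIDs, GUIDs and file names shortened; the rule names are mine, and the `[Name] value` layout assumed for policy entries is an assumption about FRST's output rather than a documented format.

```python
import re
import sys

# Constructed sample, modelled on the FRST lines quoted in this thread. SIDs,
# GUIDs and file names are shortened placeholders; the eval() fragment is the
# one shown in the thread, cut where the log itself cuts it.
SAMPLE_LOG = r"""
HKU\S-1-5-21-0000\...\Run: [Dropbox] => C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe
CustomCLSID: HKU\S-1-5-21-0000_Classes\CLSID\{AB8902B4-...}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-0000_Classes\CLSID\{0F22A205-...}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
Task: {DE21C0A8-...} - System32\Tasks\{6BC1CE10-...} => C:\Users\User\AppData\Roaming\jsvfkr.dll/s "C:\Users\User\AppData\Roaming\jsvfkr.dll" <==== ATTENTION
Task: {11111111-...} - System32\Tasks\GoogleUpdateTaskUserUA => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe
HKU\S-1-5-21-0000\...\Policies\System: [DisableTaskMgr] 1
HKU\S-1-5-21-0000\...\Policies\System: [DisableRegistryTools] 1
HKU\S-1-5-21-0000\...\Run: [bafkrtaaq] => regsvr32.exe /s "C:\Users\User\AppData\Local\Temp\27c0\AppData\Local\Microsoft\bafkrtaaq.dll" <===== ATTENTION
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
"""

# (rule name, pattern). Rule names are this example's own labels.
RULES = [
    # Poweliks-style fileless persistence: the COM server is rundll32.exe
    # with a javascript: URL instead of a DLL or EXE on disk.
    ("poweliks_clsid",
     re.compile(r"\\(local|inproc)server32\b.*rundll32\.exe\s+javascript:", re.I)),
    # Scheduled task whose action is a DLL inside the user profile.
    ("task_appdata_dll",
     re.compile(r"^Task:.*=>\s*[A-Z]:\\Users\\[^\\]+\\AppData\\.*\.dll\b", re.I)),
    # Per-user policy that disables Task Manager or the Registry Editor.
    ("tool_disable_policy",
     re.compile(r"Policies\\System:\s*\[(DisableTaskMgr|DisableRegistryTools)\]\s*[1-9]", re.I)),
    # Run key that registers a DLL out of a Temp folder via regsvr32 /s.
    ("run_regsvr32_temp",
     re.compile(r"\\Run:\s*\[[^\]]*\]\s*=>\s*regsvr32\.exe.*\\Temp\\", re.I)),
]

# Captures the start of the eval() argument up to the first quote or space.
EVAL_ARG = re.compile(r'eval\("([^"\s]+)')


def shift_decode(text, shift=1):
    """Undo the per-character code-point shift used in the Poweliks eval()
    string: each character was stored as chr(ord(c) + shift)."""
    return "".join(chr(ord(c) - shift) for c in text)


def triage(lines):
    """Return a list of (rule_name, line) for every line that matches a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, line))
    return findings


def decode_poweliks_payload(line):
    """For a poweliks_clsid hit, return the decoded start of the eval()
    argument, or None if the line carries no eval() string."""
    m = EVAL_ARG.search(line)
    return shift_decode(m.group(1)) if m else None


def summarize(findings):
    """Count hits per rule."""
    counts = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Pass a path to FRST.txt to triage a real log; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    hits = triage(text.splitlines())
    for name, line in hits:
        print(f"[{name}] {line}")
        if name == "poweliks_clsid":
            print("    decoded eval():", decode_poweliks_payload(line))
    print(summarize(hits))
```

On the sample, the benign Dropbox and Intel Run entries, the orphaned Google Update CLSID and the GoogleUpdate task are left alone, while the four indicator types each fire once or twice and the Poweliks eval() string decodes to the opening of a `document.write('<script language=jscr...` call, which is what marks the CLSID as a script loader rather than a real COM server.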

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai\Dnyyxcbcrng.exe
C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol\ctpydgjai
C:\Users\MyraB\AppData\LocalLow\Adobe\edcvyol
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Ok Kevin,

 

I went back and did the original scans as well - something doesn't seem to be working - her profile is still infected. The recent history file is a Norton report from her profile.

 

Peter


The logs look fine. The firewall activity listed in the Norton results log look normal.

How are things running?


Hi,

 

My user profile seems fine.

 

Myra's still seems a bit sluggish and these notices came after all the cleaning was complete.

 

Attached are what Norton 360 and Windows say. To my read, these say that the "attack" originated from our P.C., but maybe I'm reading that wrong. Do these attacks represent, instead, that other computers are looking for their zombie (my PC) and can't connect to it anymore?

 

Many websites seem to connect the Powershell issue to the Powelik - the error message still pops up every few minutes depending on what software is being used.  Her user profile is "better" but still runs more sluggish.

 

Any thoughts?

 

Thanks,

 

Peter


The dllhost file appears to be infected.

Download ComboFix from Link

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

!!! IMPORTANT !!! Save ComboFix to your Desktop

NOTE: ComboFix is an advanced utility, and is not like traditional automated tools. It will delete anything that it knows is bad without asking for confirmation, it will save backup copies in its quarantine automatically, it will restart your computer, and it will produce a log that allows me to analyze and determine if there is anything left over. This log will not contain any personal information, or information about any of your documents, pictures, music, videos, etc. It only compiles information on which applications/drivers/etc. were installed within the last 30 days, any applications that have certain properties that could be used for malicious purposes, and most of the load points on your system that can be abused by malicious software. If there is a false positive, and something gets deleted that should not, then I can write a script for ComboFix that will tell it to restore specific items that it deleted.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    See HERE for help

  • Double click on Combo-Fix & follow the prompts.
When finished, ComboFix will produce a log.

NOTE:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

3. If you get a message that states "illegal operation attempted on a registry key that has been marked for deletion" restart your computer.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

c:\users\FretPlayer\AppData\Roaming\PCDr
c:\programdata\PCDr
c:\programdata\Microsoft\PlayReady\edcvyol\mtlexkuo\kuhulzoku.js
c:\programdata\Microsoft\PlayReady\edcvyol\mtlexkuo
c:\programdata\Microsoft\PlayReady\edcvyol
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Hi Kevin,

 

This is quite frustrating. Ran the tool and the log is attached.

 

My wife's user profile is still quite slow and Norton immediately fired off the attached warnings (screenshots) plus the old PowerShell has stopped notice.

 

Any new ideas as to how to rid ourselves of these pests?

 

Thanks,

 

Peter

Fixlog.txt



From your wife's profile:

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
  • If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
Download Junkware Removal Tool and save it on your desktop.
  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.


From your wife's profile.

Download to your Desktop:

NOTE: If you are unable to download the tools from the infected system, the tools can be saved to a USB flash drive and then transferred to the infected system.

This is an information gathering stage. A removal procedure will be formulated once I review the contents of the logs.

All scans are to be run in Normal Mode. Do not run anything in "Safe Mode", unless you are instructed to do so by myself.

Do not force Safe Mode. Instructions on How to Boot to "Safe Mode" can be found at: http://www.malwareteks.com/kb/SafeMode.php

Let's get started:

  • Install and Run Emsisoft Emergency Kit (EEK):
    • Double click EmergencyKitScanner.exe to install EEK
    • When the installation of EEK is complete the Emergency Kit scanner will run.
    • Click "Yes" to Update Emsisoft Emergency Kit
    • Put the mouse cursor over the "Menu" tab on the left and click on "Scan PC".
    • Select "Smart Scan" and click on the "Scan" button.
    • IMPORTANT: Do not quarantine or delete anything. We just want the scan log without anything being quarantined or deleted.
    • Save the scan log somewhere that you can find it.
    • Exit Emsisoft Emergency Kit.
  • Run Farbar Recovery Scan Tool (FRST):
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • Farbar Recovery Scan Tool will produce the following logs:
      • FRST.txt
      • Addition.txt
Attach the following logs to your reply:
  • Emsisoft Emergency Kit Scan log (C:\EEK\bin\Reports)
  • FRST.txt
  • Addition.txt


From your wife's profile.

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
  • If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
Download Junkware Removal Tool and save it on your desktop.
  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
HKU\S-1-5-21-3330760137-3224318772-921977993-1005\...\Run: [bafkrtaaq] => regsvr32.exe /s "C:\Users\MyraB\AppData\Local\Temp\1050\AppData\Local\Microsoft\bafkrtaaq.dll" <===== ATTENTION
HKU\S-1-5-21-3330760137-3224318772-921977993-1005\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\Users\FretPlayer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\MyraB\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
SearchScopes: HKU\S-1-5-21-3330760137-3224318772-921977993-1005 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
Toolbar: HKU\S-1-5-21-3330760137-3224318772-921977993-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
2014-12-05 09:42 - 2014-12-05 09:42 - 40034920 ____T () C:\Windows\SysWOW64\00009027.tmp
2014-12-04 22:43 - 2014-12-04 22:43 - 01176168 ____T () C:\Windows\SysWOW64\00031790.tmp
2014-12-04 22:43 - 2014-12-04 22:43 - 01176168 ____T () C:\Windows\SysWOW64\00026071.tmp
2014-12-04 22:43 - 2014-12-04 22:43 - 01176168 ____T () C:\Windows\SysWOW64\00023805.tmp
2014-12-04 22:43 - 2014-12-04 22:43 - 01176168 ____T () C:\Windows\SysWOW64\00014760.tmp
2014-12-04 22:43 - 2014-12-04 22:43 - 01176168 ____T () C:\Windows\SysWOW64\00009387.tmp
2014-12-04 22:43 - 2014-12-04 22:43 - 01176168 ____T () C:\Windows\SysWOW64\00007473.tmp
2014-12-04 22:43 - 2014-12-04 22:43 - 01176168 ____T () C:\Windows\SysWOW64\00002877.tmp
2014-12-04 22:42 - 2014-12-04 22:42 - 01176168 ____T () C:\Windows\SysWOW64\00031127.tmp
2014-12-04 22:42 - 2014-12-04 22:42 - 01176168 ____T () C:\Windows\SysWOW64\00028068.tmp
2014-12-04 22:42 - 2014-12-04 22:42 - 01176168 ____T () C:\Windows\SysWOW64\00023473.tmp
2014-12-04 22:42 - 2014-12-04 22:42 - 01176168 ____T () C:\Windows\SysWOW64\00019916.tmp
2014-12-04 22:42 - 2014-12-04 22:42 - 01176168 ____T () C:\Windows\SysWOW64\00018382.tmp
2014-12-04 22:42 - 2014-12-04 22:42 - 01176168 ____T () C:\Windows\SysWOW64\00011593.tmp
2014-12-04 22:42 - 2014-12-04 22:42 - 01176168 ____T () C:\Windows\SysWOW64\00003339.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00032762.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00031237.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00029518.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00022153.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00021645.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00021091.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00019612.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00016653.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00013389.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00011172.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00008498.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00006067.tmp
2014-12-04 22:41 - 2014-12-04 22:41 - 01176168 ____T () C:\Windows\SysWOW64\00001866.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00032063.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00030086.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00028294.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00028045.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00027408.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00027360.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00024168.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00018269.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00011260.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00006845.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00005859.tmp
2014-12-04 22:40 - 2014-12-04 22:40 - 01176168 ____T () C:\Windows\SysWOW64\00005478.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00032092.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00030639.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00030566.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00030275.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00029267.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00021157.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00020422.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00018790.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00017636.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00015827.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00015548.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00013438.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00011349.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00011150.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00010871.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00010740.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00007704.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00006353.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00001777.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00001570.tmp
2014-12-04 22:39 - 2014-12-04 22:39 - 01176168 ____T () C:\Windows\SysWOW64\00001225.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 40034920 ____T () C:\Windows\SysWOW64\00023929.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 40034920 ____T () C:\Windows\SysWOW64\00023306.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00032210.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00031714.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00030211.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00030189.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00029374.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00028484.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00027144.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00026282.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00025905.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00024650.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00022337.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00021987.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00021193.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00020449.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00020235.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00019317.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00019040.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00016247.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00014537.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00014182.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00013556.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00013455.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00010858.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00007307.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00005497.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00005331.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00004831.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00004009.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00003986.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00002646.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00001705.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00001505.tmp
2014-12-04 22:38 - 2014-12-04 22:38 - 01176168 ____T () C:\Windows\SysWOW64\00000377.tmp
2014-12-04 22:37 - 2014-12-04 22:37 - 40034920 ____T () C:\Windows\SysWOW64\00028945.tmp
2014-12-04 22:24 - 2014-12-04 22:24 - 00384512 _____ () C:\Windows\jKqTwmgCLybxnbA.exe
C:\Users\FretPlayer\AppData\Local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpbfilxq.dll
C:\Users\MyraB\AppData\Local\temp\yvwvuzk.dll
C:\Users\MyraB\AppData\Local\Temp\1050\AppData\Local\Microsoft\bafkrtaaq.dll
Reg: reg delete "HKEY_USERS\S-1-5-21-3330760137-3224318772-921977993-1005\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLETASKMGR" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3330760137-3224318772-921977993-1005\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

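The fixlist above targets three kinds of artefact that an FRST log exposes: a Run value that loads a DLL out of a user's Temp folder via regsvr32, a CLSID LocalServer32 value that holds script instead of a program path (the Poweliks fileless persistence), and a burst of identically sized, temp-attributed .tmp files written to SysWOW64 within minutes. As an added triage example, not part of this thread or of the FRST tool, the following Python function flags those patterns in FRST-style log text; the sample lines are constructed from the entries quoted above (registry data shortened), and the benign SynTPEnh entry is made up.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the FRST entries quoted in the fix above.
# The SynTPEnh Run entry is a made-up benign control.
SAMPLE_LOG = r"""
HKU\S-1-5-21-3330760137-3224318772-921977993-1005\...\Run: [bafkrtaaq] => regsvr32.exe /s "C:\Users\MyraB\AppData\Local\Temp\1050\AppData\Local\Microsoft\bafkrtaaq.dll"
HKU\S-1-5-21-3330760137-3224318772-921977993-1005\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...")
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2014-12-04 22:43 - 2014-12-04 22:43 - 01176168 ____T () C:\Windows\SysWOW64\00031790.tmp
2014-12-04 22:43 - 2014-12-04 22:43 - 01176168 ____T () C:\Windows\SysWOW64\00026071.tmp
2014-12-04 22:42 - 2014-12-04 22:42 - 01176168 ____T () C:\Windows\SysWOW64\00023473.tmp
2014-12-04 22:24 - 2014-12-04 22:24 - 00384512 _____ () C:\Windows\jKqTwmgCLybxnbA.exe
"""

# Autostart entry: "...\Run: [name] => command"
RUN_RE = re.compile(r'\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.+)$')
# A system loader (regsvr32/rundll32) pulling its payload from a user's Temp folder
TEMP_LOADER_RE = re.compile(r'(?i)^(regsvr32|rundll32)\.exe\b.*\\AppData\\Local\\Temp\\')
# Script text stored in a COM LocalServer32 value (Poweliks-style persistence)
REG_SCRIPT_RE = re.compile(r'(?i)\\localserver32: .*(javascript:|RunHTMLApplication)')
# FRST file listing: "created - modified - size attrs (company) path"
FILE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d) - \d{4}-\d\d-\d\d \d\d:\d\d'
                     r' - (?P<size>\d+) (?P<attr>\S{5}) \(\) (?P<path>.+)$')


def triage(log_text, burst_threshold=3):
    """Return (rule, detail) findings for FRST-style log text."""
    findings = []
    tmp_groups = defaultdict(list)  # (size, hour) -> temp-attributed .tmp paths
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = RUN_RE.search(line)
        if m and TEMP_LOADER_RE.search(m.group("cmd")):
            findings.append(("run-loader-from-temp", m.group("name")))
        if REG_SCRIPT_RE.search(line):
            findings.append(("script-in-clsid-localserver32", line.split(": ", 1)[0]))
        f = FILE_RE.match(line)
        if f and f.group("attr").endswith("T") and f.group("path").lower().endswith(".tmp"):
            tmp_groups[(int(f.group("size")), f.group("ts")[:13])].append(f.group("path"))
    # Many same-size temporary files created in one hour is the dropper burst seen above
    for (size, hour), paths in tmp_groups.items():
        if len(paths) >= burst_threshold:
            findings.append(("tmp-burst", f"{len(paths)} files of {size} bytes in hour {hour}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```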

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
