SFasihi: Result from - Adclick and Powelik shf

Unread postby sfasihi » December 8th, 2014, 1:38 pm

Hi Gary R,
I received your last instruction on Friday the 4th. I did not want to bother you over the weekend. I ran your instructions, which created these logs. But you have closed my thread. Sorry, I just wanted to wait until Monday instead of the weekend.
Here is the log generated by your last instructions.
Hoping you accept these logs. Thanks.
Regards, SFasihi
===== ==========
All processes killed
========== OTL ==========
File C:\Users\SFasihi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gagcbogmgkaogoadfcoicjdojbmkegao\1.0.1_0 not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{9D425283-D487-4337-BAB6-AB8354A81457} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
C:\Windows\LMI6C3A.tmp\backup.ini deleted successfully.
C:\Windows\LMI6C3A.tmp\ICSAgent32.dll deleted successfully.
C:\Windows\LMI6C3A.tmp\LMIRhook.000.dll deleted successfully.
C:\Windows\LMI6C3A.tmp\lmi_rescue.exe deleted successfully.
C:\Windows\LMI6C3A.tmp\LMI_Rescue_srv.exe deleted successfully.
C:\Windows\LMI6C3A.tmp\logo.bmp deleted successfully.
C:\Windows\LMI6C3A.tmp\params.txt deleted successfully.
C:\Windows\LMI6C3A.tmp\ra64app.exe deleted successfully.
C:\Windows\LMI6C3A.tmp\rahook.dll deleted successfully.
C:\Windows\LMI6C3A.tmp\rarcc.dll deleted successfully.
C:\Windows\LMI6C3A.tmp\rescue.ico deleted successfully.
C:\Windows\LMI6C3A.tmp\rescue.log deleted successfully.
C:\Windows\LMI6C3A.tmp\session.log deleted successfully.
C:\Windows\LMI6C3A.tmp\unattended.exe deleted successfully.
C:\Windows\LMI6C3A.tmp\unlock.dll deleted successfully.
C:\Windows\LMI6C3A.tmp\unlock64.dll deleted successfully.
C:\Windows\LMI6C3A.tmp folder deleted successfully.
C:\Program Files (x86)\GUM512B.tmp folder deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\SFasihi\Desktop\cmd.bat deleted successfully.
C:\Users\SFasihi\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes

User: Default User

User: Public

User: SFasihi
->Temp folder emptied: 108515790 bytes
->Temporary Internet Files folder emptied: 104931725 bytes
->Java cache emptied: 28031 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 39605 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 18805948 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67490 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 222.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 12082014_114220

Files\Folders moved on Reboot...
C:\Users\SFasihi\AppData\Local\Temp\cf4\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUKB8AF7\filtered[1].htm moved successfully.
C:\Users\SFasihi\AppData\Local\Temp\cf4\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
C:\Users\SFasihi\AppData\Local\Temp\cf4\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT moved successfully.
C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\20-ways-to-make-20-fast[1].htm moved successfully.
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\300x250[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\4651[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\728x90[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\;ord=3302764024804833067[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\;ord=3358171385930500182[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\AdDisplayTrackerServlet[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\AdDisplayTrackerServlet[2].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\AdDisplayTrackerServlet[3].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\cJZKeOuBrn4kERxqtaUH3T8E0i7KZn-EPnyo3HZu7kw[1].woff not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\comments[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\createASLId[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\evC1haE-MsorTl_A7_uSGT8E0i7KZn-EPnyo3HZu7kw[1].woff not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\ff2[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\follow_button.93c9003dd72a6cd9f4fee1e5eb3546c1.en[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\fontawesome-webfont[1].eot not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\Genericons[1].eot not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\getAds[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\icons.47c6a1ac947c34190cda1cafe989ed8b[1].eot not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\like[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\match[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\match[2].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\net[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\Noticons[1].eot not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\ODelI1aHBYDBqgeIAH2zlBM0YzuT7MdOe03otPbuUS0[1].woff not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\pxj[1].gif not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\rvt[1].html not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\SHIcXhdd5RknatSgOzyEkA[1].woff not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\toadOcfmlt9b38dHJxOBGFkQc6VGVFSmCnC_l7QZG60[1].woff not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\toadOcfmlt9b38dHJxOBGJ6-ys_j0H4QL65VLqzI3wI[1].woff not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\toadOcfmlt9b38dHJxOBGNbE_oMaV8t2eFeISPpzbdE[1].woff not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\usersync[1].gif not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\usersync[2].gif not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\user_sync[1].htm not found!
File\Folder C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\ZvcMqxEwPfh2qDWBPxn6nnl4twXkwp3_u9ZoePkT564[1].woff not found!
C:\Users\SFasihi\AppData\Local\Temp\b2c\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File\Folder C:\Users\SFasihi\AppData\Local\Temp\flaC60D.tmp not found!
C:\Users\SFasihi\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\SFasihi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUKB8AF7\7r8gQb8MIqE[2].htm moved successfully.
C:\Users\SFasihi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUKB8AF7\7r8gQb8MIqE[3].htm moved successfully.
C:\Users\SFasihi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUKB8AF7\viewtopic[1].htm moved successfully.
C:\Users\SFasihi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OPJMHZTB\showad[1].htm moved successfully.
C:\Users\SFasihi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\container[1].htm moved successfully.
C:\Users\SFasihi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PNVUD66\DroidSans[1].woff moved successfully.
C:\Users\SFasihi\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\Low\SkypeClickToCall\Logs\AutoUpdateSvc.log scheduled to be moved on reboot.
File\Folder C:\Windows\temp\hsperfdata_SFASIHI-HP$\1552 not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
========== ======= ====== AdwCleaner (S0)
# AdwCleaner v4.104 - Report created 08/12/2014 at 11:31:08
# Updated 05/12/2014 by Xplode
# Database : 2014-12-08.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : SFasihi - SFASIHI-HP
# Running from : C:\Users\SFasihi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YAYW02S5\adwcleaner_4.104.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\SFasihi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gagcbogmgkaogoadfcoicjdojbmkegao
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Windows\System32\roboot64.exe

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D425283-D487-4337-BAB6-AB8354A81457}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{9D425283-D487-4337-BAB6-AB8354A81457}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{9D425283-D487-4337-BAB6-AB8354A81457}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C7E885C2-9AC5-4A62-B409-49661DC00715}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C7E885C2-9AC5-4A62-B409-49661DC00715}
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\systweak

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Google Chrome v

[C:\Users\SFasihi\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
[C:\Users\SFasihi\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\SFasihi\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : lifbcibllhkdhoafpjfnlhfpfgnpldfl
[C:\Users\SFasihi\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : gagcbogmgkaogoadfcoicjdojbmkegao

*************************

AdwCleaner[R0].txt - [3168 octets] - [30/11/2014 16:15:25]
AdwCleaner[R1].txt - [3098 octets] - [08/12/2014 11:29:10]
AdwCleaner[S0].txt - [2835 octets] - [08/12/2014 11:31:08]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2895 octets] ##########
sfasihi
Active Member
Posts: 10
Joined: November 28th, 2014, 10:46 pm

Re: SFasihi: Result from - Adclick and Powelik shf

Unread postby Gary R » December 12th, 2014, 5:30 am

Sorry, I have only just seen this topic. Your last topic was closed because you had not replied to it within 3 days; you need to reply within 3 days of a reply from a helper, or topics in this forum will be closed.

OK, your return logs look pretty good, but we've still got a few things that need to be done.

First ....

Please download Powelikscleaner (by ESET) and save it to your desktop.

  • Double-click ESETPoweliksCleaner.exe to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Next ....

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go HERE then click on Run ESET Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed click on Start to start the scan.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed you will be presented with a list of found threats ....
    • Click on the List of found threats link
    • Click on Export to text file
    • Save as ESET.txt to your Desktop
  • Exit out of ESET Online Scanner.
  • Post me the contents of ESET.txt please.
Gary R
Administrator
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: SFasihi: Result from - Adclick and Powelik shf

Unread postby sfasihi » December 13th, 2014, 11:12 am

Hi Gary R,
Attached you will find the first log from PoweliksCleaner.
The next step, running ESET Online Scanner, failed, giving a message that appears for a few moments:
"Add-on for this web site failed to run". Tried three times.

Please instruct me on what is next, as the ESET Scanner failed.
Now I know for sure the system works relatively fine until I go into my Pictures folder and open
one of my picture folders; that's when all the Trojans start popping up: Trojan.Poweliks,
"PowerShell stopped working",
Systray.exe with the highest memory usage
start showing up, and the system literally grinds to a halt.

Note: Sometimes I am late in running your instructions because I need to wait for someone to help me.
For that I depend on my grandson. Regards, SFasihi


--------------ESETPowelikesCleaner Log-----------------------
[2014.12.13 09:33:14.687] - Begin
[2014.12.13 09:33:14.687] -
[2014.12.13 09:33:14.687] - ....................................
[2014.12.13 09:33:14.690] - ..::::::::::::::::::....................
[2014.12.13 09:33:14.690] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Poweliks
[2014.12.13 09:33:14.692] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.0.0.1
[2014.12.13 09:33:14.712] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Oct 15 2014
[2014.12.13 09:33:14.715] - .::EE:::::::::::::SS:.EE..........TT......
[2014.12.13 09:33:14.715] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright (c) ESET, spol. s r.o.
[2014.12.13 09:33:14.717] - ..::::::::::::::::::.................... 1992-2013. All rights reserved.
[2014.12.13 09:33:14.717] - ....................................
[2014.12.13 09:33:14.717] -
[2014.12.13 09:33:14.717] - --------------------------------------------------------------------------------
[2014.12.13 09:33:14.717] -
[2014.12.13 09:33:14.717] - INFO: OS: 6.1.7601 SP1
[2014.12.13 09:33:14.720] - INFO: Product Type: Workstation
[2014.12.13 09:33:14.720] - INFO: WoW64: True
[2014.12.13 09:33:14.720] - INFO: Machine guid: 4E6A4571-0B8B-42A0-9056-29D1268BB9A2
[2014.12.13 09:33:14.722] -
[2014.12.13 09:33:21.026] - INFO: Scanning for system infection...
[2014.12.13 09:33:21.026] - --------------------------------------------------------------------------------
[2014.12.13 09:33:21.026] -
[2014.12.13 09:33:21.026] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.12.13 09:33:21.027] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.12.13 09:33:21.027] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.12.13 09:33:21.027] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.12.13 09:33:21.047] - INFO: Processing classes...
[2014.12.13 09:33:21.047] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}]
[2014.12.13 09:33:21.047] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}]
[2014.12.13 09:33:21.047] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}]
[2014.12.13 09:33:21.047] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}]
[2014.12.13 09:33:21.048] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{CBE9C57E-FFA9-4123-8354-AD360D6DD3CC}]
[2014.12.13 09:33:21.048] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}]
[2014.12.13 09:33:21.048] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}]
[2014.12.13 09:33:21.092] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.12.13 09:33:21.092] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.12.13 09:33:21.092] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.12.13 09:33:21.126] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.12.13 09:33:21.133] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.12.13 09:33:21.133] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.12.13 09:33:21.133] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.12.13 09:33:21.133] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.12.13 09:33:21.133] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.12.13 09:33:21.133] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.12.13 09:33:21.133] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.12.13 09:33:21.133] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.12.13 09:33:21.168] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.12.13 09:33:21.178] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.12.13 09:33:21.178] - INFO: Win32/Poweliks found
[2014.12.13 09:34:07.231] - INFO: process: dllhost.exe, pid 2736, parent 664
[2014.12.13 09:34:07.232] - INFO: Terminated process pid = 2736
[2014.12.13 09:34:07.232] - INFO: process: dllhost.exe, pid 4764, parent 2736
[2014.12.13 09:34:07.234] - INFO: Terminated process pid = 4764
[2014.12.13 09:34:07.236] - INFO: process: dllhost.exe, pid 10364, parent 4764
[2014.12.13 09:34:07.236] - INFO: Terminated process pid = 10364
[2014.12.13 09:34:07.237] - INFO: process: dllhost.exe, pid 8332, parent 4764
[2014.12.13 09:34:07.237] - INFO: Terminated process pid = 8332
[2014.12.13 09:34:07.237] - INFO: process: dllhost.exe, pid 8016, parent 4764
[2014.12.13 09:34:07.238] - INFO: Terminated process pid = 8016
[2014.12.13 09:34:07.238] - INFO: process: dllhost.exe, pid 7944, parent 4764
[2014.12.13 09:34:07.239] - INFO: Terminated process pid = 7944
[2014.12.13 09:34:07.239] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.12.13 09:34:07.239] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.12.13 09:34:07.239] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.12.13 09:34:07.240] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.12.13 09:34:07.240] - INFO: Processing classes...
[2014.12.13 09:34:07.240] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}]
[2014.12.13 09:34:07.240] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}]
[2014.12.13 09:34:07.240] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}]
[2014.12.13 09:34:07.240] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}]
[2014.12.13 09:34:07.240] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{CBE9C57E-FFA9-4123-8354-AD360D6DD3CC}]
[2014.12.13 09:34:07.241] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}]
[2014.12.13 09:34:07.241] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}]
[2014.12.13 09:34:07.241] - INFO: Processing clsid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.12.13 09:34:07.241] - INFO: Deleted classid [\Registry\User\S-1-5-21-2729681298-3993174428-2559724351-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.12.13 09:34:07.241] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.12.13 09:34:07.241] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.12.13 09:34:07.242] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.12.13 09:34:07.242] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.12.13 09:34:07.242] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.12.13 09:34:07.242] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.12.13 09:34:07.242] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.12.13 09:34:07.242] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.12.13 09:34:07.243] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.12.13 09:34:07.243] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.12.13 09:34:07.243] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.12.13 09:34:07.243] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.12.13 09:34:07.243] - INFO: Cleaning status: 0
[2014.12.13 09:34:25.337] - End
sfasihi
Active Member
Posts: 10
Joined: November 28th, 2014, 10:46 pm
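The ESET log in the post above is a compact record of how a Poweliks infection looks from the defender's side: the cleaner flags a CLSID under the user's `HKCU\Software\Classes\CLSID` hive, reports `Win32/Poweliks found`, terminates a chain of `dllhost.exe` processes (each child's parent is the previous one), deletes the class id and finishes with `Cleaning status: 0`. The parser below is an added example, not ESET's code and not part of the original post; it reads log lines in that format and reduces them to the facts a helper actually checks (which CLSID was flagged and deleted, which processes were killed and how they were parented, and whether cleanup completed). The sample log is constructed from the line formats seen in the post, and the helper names (`parse_poweliks_log`, `process_tree`, `verdict`) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the ESETPoweliksCleaner log format (a subset of the
# line types seen in the thread; the SID in the key path is abbreviated).
SAMPLE_LOG = r"""
[2014.12.13 09:33:14.687] - Begin
[2014.12.13 09:33:21.026] - INFO: Scanning for system infection...
[2014.12.13 09:33:21.092] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-...-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.12.13 09:33:21.178] - INFO: Win32/Poweliks found
[2014.12.13 09:34:07.231] - INFO: process: dllhost.exe, pid 2736, parent 664
[2014.12.13 09:34:07.232] - INFO: Terminated process pid = 2736
[2014.12.13 09:34:07.232] - INFO: process: dllhost.exe, pid 4764, parent 2736
[2014.12.13 09:34:07.234] - INFO: Terminated process pid = 4764
[2014.12.13 09:34:07.236] - INFO: process: dllhost.exe, pid 10364, parent 4764
[2014.12.13 09:34:07.236] - INFO: Terminated process pid = 10364
[2014.12.13 09:34:07.241] - INFO: Deleted classid [\Registry\User\S-1-5-21-...-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.12.13 09:34:07.243] - INFO: Cleaning status: 0
[2014.12.13 09:34:25.337] - End
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<body>.*)$")
MSG_RE = re.compile(r"^(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")            # {8-4-4-4-12}
PROC_RE = re.compile(r"^process: (?P<image>\S+), pid (?P<pid>\d+), parent (?P<ppid>\d+)$")
TERM_RE = re.compile(r"^Terminated process pid = (?P<pid>\d+)$")
STATUS_RE = re.compile(r"^Cleaning status: (?P<code>-?\d+)$")


def parse_poweliks_log(text):
    """Reduce an ESETPoweliksCleaner-style log to the facts worth checking."""
    summary = {
        "suspicious_clsids": [],   # CLSIDs flagged by the scanner
        "deleted_clsids": [],      # CLSIDs actually removed
        "poweliks_found": False,
        "processes": {},           # pid -> (image, parent pid), as logged
        "terminated": [],          # pids the cleaner killed, in order
        "cleaning_status": None,   # 0 means the cleaner reported success
    }
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        tagged = MSG_RE.match(line.group("body"))
        if not tagged:
            continue                      # Begin/End/banner lines carry no level
        level, msg = tagged.group("level"), tagged.group("msg")
        low = msg.lower()
        # the tool itself spells it "suspicous", so match on the stable prefix
        if level == "WARNING" and low.startswith("found suspic"):
            found = CLSID_RE.search(msg)
            if found:
                summary["suspicious_clsids"].append(found.group(0))
        elif low.startswith("deleted classid"):
            found = CLSID_RE.search(msg)
            if found:
                summary["deleted_clsids"].append(found.group(0))
        elif msg == "Win32/Poweliks found":
            summary["poweliks_found"] = True
        elif (p := PROC_RE.match(msg)):
            summary["processes"][int(p["pid"])] = (p["image"], int(p["ppid"]))
        elif (t := TERM_RE.match(msg)):
            summary["terminated"].append(int(t["pid"]))
        elif (s := STATUS_RE.match(msg)):
            summary["cleaning_status"] = int(s["code"])
    return summary


def process_tree(summary):
    """Rebuild the parent->children map of the logged processes.

    Returns (roots, children): roots are parent pids that were never logged
    as a process themselves, i.e. the launcher of the first dllhost.exe.
    """
    children = defaultdict(list)
    for pid, (_image, ppid) in summary["processes"].items():
        children[ppid].append(pid)
    roots = sorted(ppid for ppid in children if ppid not in summary["processes"])
    return roots, dict(children)


def verdict(summary):
    """One-word outcome a helper can act on."""
    if not summary["poweliks_found"]:
        return "clean"
    all_killed = set(summary["terminated"]) >= set(summary["processes"])
    if summary["cleaning_status"] == 0 and summary["deleted_clsids"] and all_killed:
        return "infected-cleaned"
    return "infected-cleanup-incomplete"


if __name__ == "__main__":
    result = parse_poweliks_log(SAMPLE_LOG)
    roots, children = process_tree(result)
    print("flagged :", result["suspicious_clsids"])
    print("deleted :", result["deleted_clsids"])
    print("killed  :", result["terminated"], "root parent(s):", roots)
    print("verdict :", verdict(result))
```

Two things in the output are worth a second look when reviewing a real log: a flagged CLSID that never appears in a `Deleted classid` line, and a `Cleaning status` other than 0, both of which the `verdict` function reports as incomplete cleanup rather than success. The root parent pid (664 in the sample) is the process that launched the first `dllhost.exe`, which is the one to investigate if the infection returns.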

Re: SFasihi: Result from - Adclick and Powelik shf

Unread postby Gary R » December 13th, 2014, 12:13 pm

OK, since you can't get the ESET scanner to work, let's try a different scan and see if that will run on your computer.

Please run Microsoft Safety Scanner
  • Click Download Now (this is a large download, approx. 70Mb)
  • If you are asked about 32-bit or 64-bit, click on the type matching your Windows system.
  • If asked to Run or Save, choose Run.
  • OK the User Account Permission or the query "Do you want to run this software".
  • If you get a message saying "running this type of program could harm your computer" or similar, just ignore it and tell it to Run anyway.
  • Click the box to Accept the license agreement.
  • Click Next.
  • Click Next to run the Scan.
  • Click the Quick Scan button. (... also Full Scan option)
  • Click Next
    • (If it finds nothing, it will just Exit. It still creates a report.)
    • If it has found anything, check the box titled "Help Remove potentially unwanted software"
      • Click Next (the Dialog label will become "Cleaning your computer").
      • After this operation completes, click Finish.
      • When removals are complete, it will report through a link, "View detailed results of the scan"
      • Clicking the link will popup a report in Notepad.
      • Please post the contents of the file in your reply.
      • The file is also saved in C:\Windows\debug\msert.log
Gary R
Administrator
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: SFasihi: Result from - Adclick and Powelik shf

Unread postby sfasihi » December 14th, 2014, 4:55 pm

Hello Gary,

I ran the scan from your latest instructions.
Below you will find the results.

Regards, SFasihi

---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.189.2149.0)
Started On Sun Dec 14 14:53:52 2014
->Scan ERROR: resource process://pid:14428,ProcessStart:130630602626280795 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:16044,ProcessStart:130630603477670276 (code 0x0000012B (299))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Sun Dec 14 15:20:39 2014


Return code: 0 (0x0)
sfasihi
Active Member
Posts: 10
Joined: November 28th, 2014, 10:46 pm

Re: SFasihi: Result from - Adclick and Powelik shf

Unread postby Gary R » December 15th, 2014, 2:11 am

How is your computer behaving now ?
Gary R
Administrator
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: SFasihi: Result from - Adclick and Powelik shf

Unread postby sfasihi » December 15th, 2014, 10:12 pm

Hi. Gary R.
Whatever you did, it is working great. I just went into My Pictures folder and opened a couple of picture files. No Trojan guys showed up. I really appreciate it. Thank you very much. I have a question: in future, if I have a problem, can I run these cleaning programs, or do I need to contact you?
Once again, thank you very much.
Regards
SFasihi
sfasihi
Active Member
Posts: 10
Joined: November 28th, 2014, 10:46 pm

Re: SFasihi: Result from - Adclick and Powelik shf

Unread postby Gary R » December 16th, 2014, 1:58 am

OK, it looks like we've managed to remove your infection.

What we need to do now is to do a little tidying round and remove the tools we've been using to clean your machine.

  • Please download delfix and save it to your desktop.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Check all the boxes then click on Run.
  • Once it has finished, a notepad file named DelFix.txt will open. Post the contents of this notepad in your next reply.
  • The log can also be located at the root of the system drive, C:\DelFix.txt.

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?
  • If you are let me know about them.
  • If not, it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

In answer to your question, if you have any further problems then please get back to us; don't try to remove the infection on your own, as that often causes more problems than it resolves.
Gary R
Administrator
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: SFasihi: Result from - Adclick and Powelik shf

Unread postby Gary R » December 17th, 2014, 6:40 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire