Flye

Members
Posts: 5
Reputation: 0 Neutral
  1. You asked how the computer was behaving. It's been behaving well for about 2-1/2 weeks.

     To summarize, my neighbor's computer was originally nearly unusable because of all the intrusive ads that were popping up and the repeated browser redirections. I tried Spybot Search and Destroy (a favorite of mine from several years ago), but it found nothing. The intrusive popups and browser redirections continued.

     I ran the free Avast scanner. It found and eliminated:
     MovieMode.exe
     MovieMode64.exe
     netengine.exe
     Unfortunately, that didn't improve the computer's behavior. It still had popups and browser redirections.

     I then ran the free Malwarebytes scanner. The first run was a Quick Scan with rootkit detections not enabled. It found and eliminated:
     PUP.Optional.DynConIE.A
     PUP.Optional.WeCare.A
     PUP.Optional.DefaultTab.A
     PUP.Optional.MultiIE.A
     PUP.Optional.WeCare
     While that scan was running, I realized that I should have enabled rootkit detection, as well. After the run finished, I did, and then ran a Threat Scan (the long one). It found and eliminated:
     Trojan.Poweliks
     Trojan.Poweliks.B
     After these items were removed, the computer began to run pretty reasonably. No popups, no browser redirections.

     Because it all sounded too easy, I ran the Farbar tool to see if there were still problems. There were:

     FRST.txt
     =======
     CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

     Addition.txt
     =========
     Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - ) <==== ATTENTION
     Task: {64459623-1FB8-422C-BCAC-7647F95FDA99} - System32\Tasks\DTReg => \DefaultTab\DefaultTab\DTReg.exe <==== ATTENTION
     Task: {A858916A-AE2D-42A8-AEA1-ABE4F521D0F4} - System32\Tasks\DTChk => C:\Users\Public\Util\DTChk.exe <==== ATTENTION

     (I didn't know what to look for other than the "<==== ATTENTION" flags.)

     When I saw the flagged items, I created a posting and asked for help. You told me to run AdwCleaner and then the Farbar tool again.

     AdwCleaner deleted a pile of stuff, including the "Download Updater", "DTReg.exe", and "DTChk.exe" executables that had previously been identified by Farbar. After running AdwCleaner, the items listed above that were shown in "Addition.txt" were eliminated. The item listed in "FRST.txt" is still there:

     FRST.txt
     =======
     CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

     From what I've seen elsewhere, Chrome policy restrictions appear to be linked to browser redirections. Is there a tool that will eliminate this one?

     Also, while peering at the latest "Addition.txt", I found the following item that seems highly suspicious:
     AlternateDataStreams: C:\ProgramData\Temp:D287FACF
     I know Alternate Data Streams (ADSs) can hold large amounts of data and are sometimes used by malware. Thanks to the miracle of Google, I found the following in another Malwarebytes posting as part of a Farbar fixlist execution:
     C:\ProgramData\TEMP => ":D287FACF" ADS removed successfully.
     The above line is found right at the end of the following posting:
     https://forums.malwarebytes.org/index.php?/user/138860-yosoy4ever/?tab=posts
     This same ADS also features in a blizzard of other malware removal postings on a veritable plethora of anti-malware (or fake anti-malware) websites. I'd really like to get rid of it.

     In sum, I'm not convinced the computer is clean, even though it hasn't shown signs of infection since "Trojan.Poweliks" and "Trojan.Poweliks.B" were removed about 2-1/2 weeks ago. Even though the computer appeared to be working OK, AdwCleaner found and removed quite a mound of adware trash when I ran it. And there still seem to be a few malware objects remaining (probably more than my limited experience allows me to see). Can we at least get rid of the policy restriction and the ADS stream? That would make me feel more confident.

     Thanx!
     Flye
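As an added example (not code from the post above, nor from the Farbar/FRST tool itself), a small Python triage script that pulls the "ATTENTION"-flagged items, scheduled tasks and alternate data streams out of FRST-style report lines like the ones quoted in the post, so a helper can see at a glance what is still left after each cleanup run. The input is a constructed sample modeled on those quoted lines, plus one made-up benign task (zero GUID) so the triage has something to pass.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modeled on the FRST lines quoted in the post (not a real log capture).
# The zero-GUID task is a made-up benign entry so the triage has something it should not flag.
SAMPLE_FRST = r"""
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - ) <==== ATTENTION
Task: {64459623-1FB8-422C-BCAC-7647F95FDA99} - System32\Tasks\DTReg => \DefaultTab\DefaultTab\DTReg.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:D287FACF
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Harmless => C:\Windows\notepad.exe
"""

ATTENTION_RE = re.compile(r"<=+\s*ATTENTION\s*$", re.IGNORECASE)
ADS_RE = re.compile(r"^AlternateDataStreams:\s*(?P<path>.+?):(?P<stream>[^:\\]+)$")
TASK_RE = re.compile(r"^Task:\s*(?P<guid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<name>\S+)\s*=>\s*"
                     r"(?P<target>.+?)(?:\s*<=+\s*ATTENTION)?\s*$", re.IGNORECASE)
CHR_POLICY_RE = re.compile(r"^CHR\s+HKLM\\SOFTWARE\\Policies\\Google\b", re.IGNORECASE)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    kind: str          # "chrome_policy", "flagged", "task" or "ads"
    detail: str        # what to look at, with the ATTENTION marker stripped
    needs_review: bool


def triage_frst(text: str) -> List[Finding]:
    """Classify FRST-style report lines into findings a reviewer should look at."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flagged = bool(ATTENTION_RE.search(line))
        if CHR_POLICY_RE.match(line):
            # A browser policy pushed from the registry on a home PC is usually adware residue.
            findings.append(Finding("chrome_policy", ATTENTION_RE.sub("", line).strip(), True))
        elif (m := ADS_RE.match(line)):
            # FRST lists ADS entries without flagging them; an unexplained stream still merits a look.
            findings.append(Finding("ads", f"{m['path']} stream {m['stream']}", True))
        elif (m := TASK_RE.match(line)):
            # Review a task if FRST flagged it or its target is not an absolute path.
            target = m["target"].strip()
            findings.append(Finding("task", f"{m['name']} -> {target}",
                                    flagged or not ABS_PATH_RE.match(target)))
        elif flagged:
            findings.append(Finding("flagged", ATTENTION_RE.sub("", line).strip(), True))
    return findings
```

Run it over a saved FRST.txt or Addition.txt (replacing the constructed sample) and print the findings with `needs_review` set to get the short list to carry into the next fixlist.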
  2. Thanks for the help! I ran AdwCleaner and Farbar. AdwCleaner found a bunch of stuff. My neighbor is an AOL customer, so I unchecked the AOL toolbar entries. Everything else was removed. The Farbar report still contains one "<====Attention" flag. The reports are attached.

     Attachments: AdwCleanerS0.txt, FRST.txt, Addition.txt
  3. The original detection logs were shown in my first post. These are current results from running Malwarebytes:

     ======================================================================
     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 4/12/2015
     Scan Time: 4:38:57 PM
     Logfile:
     Administrator: Yes

     Version: 2.01.4.1018
     Malware Database: v2015.04.12.04
     Rootkit Database: v2015.03.31.01
     License: Trial
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Enabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: Brigitte

     Scan Type: Hyper Scan
     Result: Completed
     Objects Scanned: 284336
     Time Elapsed: 3 min, 17 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Disabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)
     ======================================================================

     I have attached the Farbar result files of today's run. They still have some "<=====Attention" flags in them.

     Attachments: FRST.txt, Addition.txt

     Is the computer still infected, or has it been cleaned?

     Thanx!
     Flye
  4. My neighbor's computer became infested with adware that displayed ads blocking access to the content she wanted to read, click on, etc. She normally used Internet Explorer. She had Chrome installed, but it displayed similar ads. I installed Firefox with AdBlock and NoScript add-ins, and it was better. There were still ads displayed, but it was more usable.

     With Firefox providing some protection when browsing, I downloaded the free version of Spybot Search & Destroy, which I had used years ago. Unfortunately, it found nothing at all. I then tried Avast's free version, which was incredibly slow to install. It found and removed three things it thought were bad: "MovieMode.exe", "MovieMode64.exe", and "netengine.exe". The ads were still being displayed.

     I downloaded the Malwarebytes trial version and ran a Quick Scan -- it found lots of things:
     PUP.Optional.DynConIE.A
     PUP.Optional.WeCare.A
     PUP.Optional.DefaultTab.A
     PUP.Optional.MultiIE.A
     PUP.Optional.WeCare
     I then ran a full scan with rootkit detection turned on, and it found more:
     Trojan.Poweliks
     Trojan.Poweliks.B
     Since then, there haven't been any detections.

     Because of the presence of the Trojan, I ran the Farbar program. It showed some "Attention" flags and a program to remove. Although there are no symptoms at the moment, I'm concerned there might be something else lurking in the system.

     This is the first Malwarebytes log:

     ======================================================================
     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 3/29/2015
     Scan Time: 5:51:16 PM
     Logfile:
     Administrator: Yes

     Version: 2.01.4.1018
     Malware Database: v2015.03.30.01
     Rootkit Database: v2015.03.26.01
     License: Trial
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Disabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: Brigitte

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 362444
     Time Elapsed: 12 min, 3 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 14
     PUP.Optional.DynConIE.A, HKLM\SOFTWARE\CLASSES\APPID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A}, Quarantined, [a6034605fe8c10261c38052ccb3805fb],
     PUP.Optional.DynConIE.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A}, Quarantined, [a6034605fe8c10261c38052ccb3805fb],
     PUP.Optional.DynConIE.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A}, Quarantined, [a6034605fe8c10261c38052ccb3805fb],
     PUP.Optional.DynConIE.A, HKLM\SOFTWARE\CLASSES\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [05a43d0e4f3bad89292c78b99172f808],
     PUP.Optional.DynConIE.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [05a43d0e4f3bad89292c78b99172f808],
     PUP.Optional.DynConIE.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [05a43d0e4f3bad89292c78b99172f808],
     PUP.Optional.WeCare.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}, Quarantined, [ecbd59f27911e55156a23034c1423ac6],
     PUP.Optional.WeCare.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}, Quarantined, [ecbd59f27911e55156a23034c1423ac6],
     PUP.Optional.DefaultTab.A, HKU\S-1-5-21-4191910321-2971790363-2571050912-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}, Quarantined, [f5b4b8930981e155bd2589a95da653ad],
     PUP.Optional.DynConIE.A, HKLM\SOFTWARE\CLASSES\APPID\DynConIE.DLL, Quarantined, [713864e7c3c73006131c4dbc1ce8e21e],
     PUP.Optional.DynConIE.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\DynConIE.DLL, Quarantined, [e3c6113a3159ed499a958c7dd3313fc1],
     PUP.Optional.DynConIE.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\DynConIE.DLL, Quarantined, [00a9014aa3e744f25dd26e9ba064ef11],
     PUP.Optional.MultiIE.A, HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\DynConIE, Quarantined, [2e7b5dee99f1fe383f2fd66646bfca36],
     PUP.Optional.WeCare, HKU\S-1-5-21-4191910321-2971790363-2571050912-1000\SOFTWARE\wecarereminder, Quarantined, [cedbef5c008a9a9c1998df016b98ec14],

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 2
     PUP.Optional.DefaultTab.A, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\defaulttab, Quarantined, [eebb86c52b5fee48c8cde9bc27dc3bc5],
     PUP.Optional.DefaultTab.A, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\defaulttab\defaulttab, Quarantined, [eebb86c52b5fee48c8cde9bc27dc3bc5],

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)
     ======================================================================

     Here is the second Malwarebytes log:

     ======================================================================
     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 3/29/2015
     Scan Time: 6:26:26 PM
     Logfile:
     Administrator: Yes

     Version: 2.01.4.1018
     Malware Database: v2015.03.30.01
     Rootkit Database: v2015.03.26.01
     License: Trial
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Enabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: Brigitte

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 387755
     Time Elapsed: 53 min, 10 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 2
     Trojan.Poweliks.B, HKU\S-1-5-21-4191910321-2971790363-2571050912-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}, Delete-on-Reboot, [0e9b7ad1672358dedd9038ca946c7789],
     Trojan.Poweliks, HKU\S-1-5-21-4191910321-2971790363-2571050912-1000_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LOCALSERVER32\ ^ , Quarantined, [e8c1b299bdcdd660a1cfeb17e51bd42c],

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)
     ======================================================================

     Because I was uncertain whether there might be something lurking, I ran the Farbar tool. I have attached the log file and addition file from the first run of the tool. There are "<===== Attention" flags in the Farbar results that leave me wondering if there is still adware or malware present on the computer.

     This posting is getting fairly long, so I'm going to attach the files from today's runs to another posting.

     Flye

     Attachments: FRST.txt, Addition.txt