rxwatson

Software says infection is successfully deleted still there on scan


I do a full scan and get back a report that finds Trojan viruses on the computer that will be deleted on reboot. I reboot the computer and receive the message that the viruses were successfully deleted. I do another full scan and get a report that the viruses are there but will be deleted on reboot, and the scenario starts all over again. How can I disinfect and remove these Trojan viruses? I have seen both Trojan Poweliks.Gen.1 twice at the same time and Trojan Poweliks.Gen.2 once with Windows System32 regsvr. Trojan Gen.2 has disappeared. Both Trojan Poweliks Gen 1 cannot be deleted.


I have also attached logs that were attached to my email [Request ID ##468513##]. Please advise if you have any ideas I might try to resolve this problem.

logs.zip


Hi rxwatson,


Sorry, I have a problem with opening the attachment and I have no access to any emails you have sent to Lavasoft support team. Please follow the instructions in the topic Read This Before You Post! and upload the log files one by one.


I have too many logs to send in one reply. Here are the initial attachments, a copy of the emails and what logs I could fit in. I'll have to send additional logs in another reply.

Addition.txt

FRST.txt

Edited by CeciliaB
Logs with private information removed.


Thank you for the logs!
Since at least the email attachment contains private information (your email address can be picked up by spammers), I have hidden the last two posts and deleted most of the logs from the one before those.

1. Having two antivirus programs with real-time protection can cause conflicts and strange problems, including difficulties removing malware. I recommend that you either uninstall McAfee or uninstall Ad-Aware and, after a restart of the computer, install it again in compatible mode and do not activate its real-time protection. If you already have uninstalled McAfee, its uninstallation failed and you need to use MCPR: https://service.mcafee.com/FAQDocument.aspx?id=TS101331

2. Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [**yycq<*>] => "C:\Windows\system32\mshta.exe" javascript:xa3uPRY3w="LRUvoG";Sb23=new%20ActiveXObject("WScript.Shell");P4VYE="3kcO4dX";IIdd67=Sb23.RegRead("HKLM\\software\\tusf\\qqjz");U8cwmKBJ="1A";eval(IIdd67);xUT (the data entry has 11 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Run: [**yycq<*>] => "C:\Windows\system32\mshta.exe" javascript:iodk7Zd="pH";N0G=new%20ActiveXObject("WScript.Shell");sll0jk6V="v1pUr8";n92YYW=N0G.RegRead("HKCU\\software\\tusf\\qqjz");RVRiGBL9="cJwOgj4";eval(n92YYW);z2y7 (the data entry has 11 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Run: [**xaovjuup<*>] => "C:\Users\Roxanne\AppData\Local\aca060\9dbc1b.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Run: [**fatcxwjhf<*>] => "C:\Users\Roxanne\AppData\Local\e352a3\4669a2.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\MountPoints2: {90359ed1-09a0-11de-88a1-806e6f6e6963} - E:\setup.exe
BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
Toolbar: HKU\S-1-5-21-1191959822-635995572-3245679226-1004 -> No Name - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} -  No File
Toolbar: HKU\S-1-5-21-1191959822-635995572-3245679226-1004 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
FF Keyword.URL: hxxps://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=531140&p=
FF user.js: detected! => C:\Users\Roxanne\AppData\Roaming\Mozilla\Firefox\Profiles\9u6nzhkj.default\user.js [2016-08-06]
SearchScopes: HKU\S-1-5-21-1191959822-635995572-3245679226-1004 -> {BAEB43E1-D0AA-40E5-9988-6620B0D1E678} URL = hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=531140&p={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.180.7) - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll => No File
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll => No File
CHR Plugin: (RealNetworks(tm) RealPlayer Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll => No File
CHR Plugin: (RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll => No File
CHR Plugin: (Chrome NaCl) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (downloadUpdater) - C:\Program Files\Mozilla Firefox\plugins\npdnu.dll => No File
CHR Plugin: (downloadUpdater2) - C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll => No File
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll => No File
S2 SessionLauncher; no ImagePath
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
S2 MCSTRM; no ImagePath
U3 mfeavfk01; no ImagePath
Task: {0DEC8C76-95E6-429A-860F-39945A40E236} - \{697033CB-D98F-4F82-BECD-40D174712EEB} -> No File <==== ATTENTION
Task: {1C32D842-1FEC-4AF2-B53E-93C7BF2C2C36} - System32\Tasks\DistromaticUpdater-periodic => C:\Program Files\Amazon Browser Settings\updater.exe [2016-08-06] (Distromatic) <==== ATTENTION
Task: {21F17504-CD85-4DDC-B682-1E62E98E3EF6} - System32\Tasks\DistromaticUpdater-logon => C:\Program Files\Amazon Browser Settings\updater.exe [2016-08-06] (Distromatic) <==== ATTENTION
Task: {74C453CB-BDFD-4B36-B567-9BA476DF9245} - \{8324A8E3-A69F-48EE-8F04-27DED3B692F2} -> No File <==== ATTENTION
Task: {9B8355B4-3096-4276-B998-80FD8D5F5511} - System32\Tasks\DistromaticSearchProtect-logon => C:\Program Files\Amazon Browser Settings\AmznSearchProtect.exe [2016-08-06] (Distromatic) <==== ATTENTION
Task: {C884FB2F-7787-4F29-BB71-B265BECC22FD} - System32\Tasks\DistromaticSearchProtect-hourly => C:\Program Files\Amazon Browser Settings\AmznSearchProtect.exe [2016-08-06] (Distromatic) <==== ATTENTION
Task: {C92983BD-BACC-4AAC-B0D6-6B41657D33B7} - \{6B526980-99E2-4EAC-8EC9-6D7E937B3A59} -> No File <==== ATTENTION
Task: {F97C2168-DAD0-4E72-BE8E-A993CF54DE2C} - \{B3EAF79A-90C9-4E46-8530-7F1D36C56A95} -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:430C6D84 [127]
AlternateDataStreams: C:\ProgramData\TEMP:A8ADE5D8 [109]
AlternateDataStreams: C:\ProgramData\TEMP:A9662AE0 [528]
AlternateDataStreams: C:\ProgramData\TEMP:CD060F93 [212]
AlternateDataStreams: C:\ProgramData\TEMP:DFC5A2B2 [109]
IE trusted site: HKU\.DEFAULT\...\localhost -> localhost
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\internet -> internet
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\mcafee.com -> hxxp://mcafee.com
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\mcafee.com -> hxxps://mcafee.com
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\secunia.com -> hxxps://secunia.com
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\webcompanion.com -> hxxp://webcompanion.com
Folder: C:\Users\Roxanne\AppData\Roaming\aignes
Folder: C:\Users\Roxanne\AppData\Roaming\a49916
Folder: C:\Users\Roxanne\AppData\Local\aca060
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.


3. Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Log file button.
A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[s1].txt.


4. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats (important since false positives occur).

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

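The Run entries CeciliaB copies into the fixlist above are the whole Poweliks persistence mechanism: a registry value whose name FRST cannot render (it reports "Value Name with invalid characters"), whose data starts mshta.exe with an inline javascript: URI that reads a second registry value and eval()s it, plus two shortcut autoruns in randomly named per-user folders. The script below is an added example, not code from the thread, from FRST or from Lavasoft: it reads lines in FRST's Run-entry format and reports which of those indicators each entry trips, so a responder can pick out the fileless entries from an Addition.txt/FRST.txt log before building a fixlist. The sample lines are constructed, modelled on the ones quoted in the thread; the indicator labels and the assumption that FRST always renders an unprintable value name as **name<*> are mine.

```python
"""Flag Poweliks-style fileless autorun entries in FRST log lines (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    hive: str
    value_name: str
    reasons: list


# FRST renders an autorun entry as:  <hive>\...\Run: [<value name>] => <data>
RUN_LINE = re.compile(
    r'^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<data>.*)$'
)

# Each indicator is (label, predicate over (value name, data)).
INDICATORS = [
    # FRST tags these "Value Name with invalid characters" and (assumption) renders the
    # name as **name<*>; a legitimate installer does not write such names.
    ("invalid value name",
     lambda name, data: "Value Name with invalid characters" in data or name.startswith("**")),
    # mshta.exe handed a javascript:/vbscript: URI runs script with no file on disk.
    ("mshta launching inline script",
     lambda name, data: re.search(r'mshta\.exe"?\s+(?:javascript|vbscript):', data, re.I) is not None),
    # The inline stub only fetches the real payload from another registry value and eval()s it.
    ("script reads registry and evals it",
     lambda name, data: "RegRead(" in data and re.search(r'\beval\(', data) is not None),
    # Autorun pointing at a .lnk in a random per-user folder (as the xaovjuup/fatcxwjhf entries did).
    ("lnk autorun target in a per-user folder",
     lambda name, data: re.search(r'\\AppData\\(?:Local|Roaming)\\[^\\"]+\\[^\\"]+\.lnk', data, re.I) is not None),
]

# Constructed sample, modelled on the Run lines quoted in CeciliaB's fixlist, plus two
# ordinary Vista-era autoruns that must not be flagged.
SAMPLE_FRST_LINES = [
    r'HKLM\...\Run: [**yycq<*>] => "C:\Windows\system32\mshta.exe" javascript:xa3uPRY3w="LRUvoG";Sb23=new%20ActiveXObject("WScript.Shell");IIdd67=Sb23.RegRead("HKLM\\software\\tusf\\qqjz");eval(IIdd67); <===== ATTENTION (Value Name with invalid characters)',
    r'HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Run: [**xaovjuup<*>] => "C:\Users\Roxanne\AppData\Local\aca060\9dbc1b.lnk" <===== ATTENTION (Value Name with invalid characters)',
    r'HKLM\...\Run: [] => [X]',
    r'HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12] (Adobe Systems Incorporated)',
    r'HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11] (Microsoft Corporation)',
]


def scan_frst_lines(lines):
    """Return a Finding for every Run entry that trips at least one indicator."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # not a Run entry (plugins, tasks, services, ...)
        name, data = m.group("name"), m.group("data")
        reasons = [label for label, check in INDICATORS if check(name, data)]
        if reasons:
            findings.append(Finding(m.group("hive"), name, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_frst_lines(SAMPLE_FRST_LINES):
        print(f"{f.hive} Run value {f.value_name!r}: {', '.join(f.reasons)}")
```

Entries flagged this way are the ones that belong in the FRST fixlist; if the Fixlog afterwards reports "value not found" for one of them while a fresh scan still lists it, compare the two logs rather than assume it is gone.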

I removed McAfee Security Center as it never found anything on any of its scans. Now I only have Ad-Aware installed. I did another full scan to see if the viruses would delete. I still have two Trojan.Poweliks.Gen.1 that will not delete on reboot and now have C:\windows\system32\regsvr32.exe infected with Trojan.Poweliks.Gen.2, which would not disinfect. I can attach logs from that scan if you need them, but the service log is again too big to upload.


Below are the contents of fixlog.txt, and I have attached a copy of the file.


Fix result of Farbar Recovery Scan Tool (x86) Version: 27-08-2016
Ran by Roxanne (27-08-2016 20:03:34) Run:2
Running from C:\Users\Roxanne\Desktop
Loaded Profiles: IUSR_NMPR & Roxanne (Available Profiles: IUSR_NMPR & Roxanne)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [**yycq<*>] => "C:\Windows\system32\mshta.exe" javascript:xa3uPRY3w="LRUvoG";Sb23=new%20ActiveXObject("WScript.Shell");P4VYE="3kcO4dX";IIdd67=Sb23.RegRead("HKLM\\software\\tusf\\qqjz");U8cwmKBJ="1A";eval(IIdd67);xUT (the data entry has 11 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Run: [**yycq<*>] => "C:\Windows\system32\mshta.exe" javascript:iodk7Zd="pH";N0G=new%20ActiveXObject("WScript.Shell");sll0jk6V="v1pUr8";n92YYW=N0G.RegRead("HKCU\\software\\tusf\\qqjz");RVRiGBL9="cJwOgj4";eval(n92YYW);z2y7 (the data entry has 11 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Run: [**xaovjuup<*>] => "C:\Users\Roxanne\AppData\Local\aca060\9dbc1b.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Run: [**fatcxwjhf<*>] => "C:\Users\Roxanne\AppData\Local\e352a3\4669a2.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\MountPoints2: {90359ed1-09a0-11de-88a1-806e6f6e6963} - E:\setup.exe
BHO: No Name -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> No File
Toolbar: HKU\S-1-5-21-1191959822-635995572-3245679226-1004 -> No Name - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - No File
Toolbar: HKU\S-1-5-21-1191959822-635995572-3245679226-1004 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
FF Keyword.URL: hxxps://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=531140&p=
FF user.js: detected! => C:\Users\Roxanne\AppData\Roaming\Mozilla\Firefox\Profiles\9u6nzhkj.default\user.js [2016-08-06]
SearchScopes: HKU\S-1-5-21-1191959822-635995572-3245679226-1004 -> {BAEB43E1-D0AA-40E5-9988-6620B0D1E678} URL = hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=531140&p={searchTerms}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.180.7) - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll => No File
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll => No File
CHR Plugin: (RealNetworks RealPlayer Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll => No File
CHR Plugin: (RealPlayer HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll => No File
CHR Plugin: (Chrome NaCl) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (downloadUpdater) - C:\Program Files\Mozilla Firefox\plugins\npdnu.dll => No File
CHR Plugin: (downloadUpdater2) - C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll => No File
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll => No File
S2 SessionLauncher; no ImagePath
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
S2 MCSTRM; no ImagePath
U3 mfeavfk01; no ImagePath
Task: {0DEC8C76-95E6-429A-860F-39945A40E236} - \{697033CB-D98F-4F82-BECD-40D174712EEB} -> No File <==== ATTENTION
Task: {1C32D842-1FEC-4AF2-B53E-93C7BF2C2C36} - System32\Tasks\DistromaticUpdater-periodic => C:\Program Files\Amazon Browser Settings\updater.exe [2016-08-06] (Distromatic) <==== ATTENTION
Task: {21F17504-CD85-4DDC-B682-1E62E98E3EF6} - System32\Tasks\DistromaticUpdater-logon => C:\Program Files\Amazon Browser Settings\updater.exe [2016-08-06] (Distromatic) <==== ATTENTION
Task: {74C453CB-BDFD-4B36-B567-9BA476DF9245} - \{8324A8E3-A69F-48EE-8F04-27DED3B692F2} -> No File <==== ATTENTION
Task: {9B8355B4-3096-4276-B998-80FD8D5F5511} - System32\Tasks\DistromaticSearchProtect-logon => C:\Program Files\Amazon Browser Settings\AmznSearchProtect.exe [2016-08-06] (Distromatic) <==== ATTENTION
Task: {C884FB2F-7787-4F29-BB71-B265BECC22FD} - System32\Tasks\DistromaticSearchProtect-hourly => C:\Program Files\Amazon Browser Settings\AmznSearchProtect.exe [2016-08-06] (Distromatic) <==== ATTENTION
Task: {C92983BD-BACC-4AAC-B0D6-6B41657D33B7} - \{6B526980-99E2-4EAC-8EC9-6D7E937B3A59} -> No File <==== ATTENTION
Task: {F97C2168-DAD0-4E72-BE8E-A993CF54DE2C} - \{B3EAF79A-90C9-4E46-8530-7F1D36C56A95} -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:430C6D84 [127]
AlternateDataStreams: C:\ProgramData\TEMP:A8ADE5D8 [109]
AlternateDataStreams: C:\ProgramData\TEMP:A9662AE0 [528]
AlternateDataStreams: C:\ProgramData\TEMP:CD060F93 [212]
AlternateDataStreams: C:\ProgramData\TEMP:DFC5A2B2 [109]
IE trusted site: HKU\.DEFAULT\...\localhost -> localhost
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\internet -> internet
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\mcafee.com -> hxxp://mcafee.com
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\mcafee.com -> hxxps://mcafee.com
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\secunia.com -> hxxps://secunia.com
IE trusted site: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\...\webcompanion.com -> hxxp://webcompanion.com
Folder: C:\Users\Roxanne\AppData\Roaming\aignes
Folder: C:\Users\Roxanne\AppData\Roaming\a49916
Folder: C:\Users\Roxanne\AppData\Local\aca060
Reboot:
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\**yycq<*> => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully.
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Run\\**yycq<*> => value removed successfully.
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Run\\**xaovjuup<*> => value removed successfully.
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Run\\**fatcxwjhf<*> => value not found.
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoLowDiskSpaceChecks => value removed successfully.
"HKU\S-1-5-21-1191959822-635995572-3245679226-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{90359ed1-09a0-11de-88a1-806e6f6e6963}" => key removed successfully.
HKCR\CLSID\{90359ed1-09a0-11de-88a1-806e6f6e6963} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}" => key removed successfully.
HKCR\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB} => key not found.
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F2E259E8-0FC8-438C-A6E0-342DD80FA53E} => value removed successfully.
HKCR\CLSID\{F2E259E8-0FC8-438C-A6E0-342DD80FA53E} => key not found.
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} => value removed successfully.
HKCR\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825} => key not found.
Firefox "Keyword.URL" removed successfully.
C:\Users\Roxanne\AppData\Roaming\Mozilla\Firefox\Profiles\9u6nzhkj.default\user.js => moved successfully
"HKU\S-1-5-21-1191959822-635995572-3245679226-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BAEB43E1-D0AA-40E5-9988-6620B0D1E678}" => key removed successfully.
HKCR\CLSID\{BAEB43E1-D0AA-40E5-9988-6620B0D1E678} => key not found.
C:\Program Files\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => not found.
C:\Windows\system32\Macromed\Flash\NPSWF32.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll => not found.
C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => not found.
c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll => not found.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll => not found.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll => not found.
C:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npdnu.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll => not found.
SessionLauncher => service removed successfully.
Lbd => service removed successfully.
MCSTRM => service removed successfully.
mfeavfk01 => service not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0DEC8C76-95E6-429A-860F-39945A40E236}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0DEC8C76-95E6-429A-860F-39945A40E236}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{697033CB-D98F-4F82-BECD-40D174712EEB}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1C32D842-1FEC-4AF2-B53E-93C7BF2C2C36}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1C32D842-1FEC-4AF2-B53E-93C7BF2C2C36}" => key removed successfully.
C:\Windows\System32\Tasks\DistromaticUpdater-periodic => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DistromaticUpdater-periodic" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{21F17504-CD85-4DDC-B682-1E62E98E3EF6}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{21F17504-CD85-4DDC-B682-1E62E98E3EF6}" => key removed successfully.
C:\Windows\System32\Tasks\DistromaticUpdater-logon => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DistromaticUpdater-logon" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{74C453CB-BDFD-4B36-B567-9BA476DF9245}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{74C453CB-BDFD-4B36-B567-9BA476DF9245}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{8324A8E3-A69F-48EE-8F04-27DED3B692F2}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9B8355B4-3096-4276-B998-80FD8D5F5511}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9B8355B4-3096-4276-B998-80FD8D5F5511}" => key removed successfully.
C:\Windows\System32\Tasks\DistromaticSearchProtect-logon => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DistromaticSearchProtect-logon" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C884FB2F-7787-4F29-BB71-B265BECC22FD} => key not found.
C:\Windows\System32\Tasks\DistromaticSearchProtect-hourly => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DistromaticSearchProtect-hourly" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C92983BD-BACC-4AAC-B0D6-6B41657D33B7}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C92983BD-BACC-4AAC-B0D6-6B41657D33B7}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{6B526980-99E2-4EAC-8EC9-6D7E937B3A59}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F97C2168-DAD0-4E72-BE8E-A993CF54DE2C}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F97C2168-DAD0-4E72-BE8E-A993CF54DE2C}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{B3EAF79A-90C9-4E46-8530-7F1D36C56A95}" => key removed successfully.
C:\ProgramData\TEMP => ":430C6D84" ADS removed successfully..
C:\ProgramData\TEMP => ":A8ADE5D8" ADS removed successfully..
C:\ProgramData\TEMP => ":A9662AE0" ADS removed successfully..
C:\ProgramData\TEMP => ":CD060F93" ADS removed successfully..
C:\ProgramData\TEMP => ":DFC5A2B2" ADS removed successfully..
"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost" => key removed successfully.
"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully.
"HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet" => key removed successfully.
"HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost" => key removed successfully.
"HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com" => key removed successfully.
HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com => key not found.
"HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\secunia.com" => key removed successfully.
"HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com" => key removed successfully.

========================= Folder: C:\Users\Roxanne\AppData\Roaming\aignes ========================

2016-08-06 20:18 - 2016-08-06 20:18 - 0000000 ____D () C:\Users\Roxanne\AppData\Roaming\aignes\AM-DeadLink
2016-08-06 20:18 - 2016-08-16 17:57 - 0000797 _____ () C:\Users\Roxanne\AppData\Roaming\aignes\AM-DeadLink\deadlink.ini
2016-08-06 20:18 - 2016-08-16 17:56 - 0000000 ____D () C:\Users\Roxanne\AppData\Roaming\aignes\AM-DeadLink\data
2016-08-06 20:18 - 2016-08-16 17:57 - 0064854 _____ () C:\Users\Roxanne\AppData\Roaming\aignes\AM-DeadLink\data\Internet Explorer.dat
2016-08-16 17:56 - 2016-08-16 17:56 - 0000000 _____ () C:\Users\Roxanne\AppData\Roaming\aignes\AM-DeadLink\data\Mozilla.dat

====== End of Folder: ======


========================= Folder: C:\Users\Roxanne\AppData\Roaming\a49916 ========================


====== End of Folder: ======


========================= Folder: C:\Users\Roxanne\AppData\Local\aca060 ========================


====== End of Folder: ======



The system needed a reboot.

==== End of Fixlog 20:04:07 ====


Below is a copy of the AdwCleaner logfile, and I have attached a copy of the file.


# AdwCleaner v6.010 - Logfile created 27/08/2016 at 20:22:16
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-27.1 [server]
# Operating System : Windows Vista Home Premium Service Pack 2 (X86)
# Username : Roxanne - HOME-PC
# Running from : C:\Users\Roxanne\Desktop\AdwCleaner.exe
# Mode: Scan
# Support : https://toolslib.net/forum



***** [ Services ] *****

Service Found: YahooAUService
Service Found: swdumon


***** [ Folders ] *****

Folder Found: C:\Users\Roxanne\AppData\Local\Amazon Browser Settings
Folder Found: C:\Users\Roxanne\AppData\Local\slimware utilities inc
Folder Found: C:\Users\Roxanne\AppData\Roaming\Speedbit
Folder Found: C:\Users\Roxanne\Favorites\Coupons
Folder Found: C:\Users\Roxanne\AppData\Roaming\Mozilla\Firefox\Profiles\9u6nzhkj.default\StumbleUpon
Folder Found: C:\ProgramData\Speedbit
Folder Found: C:\ProgramData\tencent
Folder Found: C:\ProgramData\Viewpoint
Folder Found: C:\ProgramData\lavasoft\web companion
Folder Found: C:\ProgramData\Tencent
Folder Found: C:\ProgramData\Application Data\Speedbit
Folder Found: C:\ProgramData\Application Data\tencent
Folder Found: C:\ProgramData\Application Data\Viewpoint
Folder Found: C:\ProgramData\Application Data\lavasoft\web companion
Folder Found: C:\ProgramData\Application Data\Tencent
Folder Found: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLV Player
Folder Found: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpeedOptimizer
Folder Found: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pogo Games
Folder Found: C:\Users\Public\Documents\Downloaded Installers
Folder Found: C:\Program Files\Amazon Browser Settings
Folder Found: C:\Program Files\DAP
Folder Found: C:\Program Files\FLV Player
Folder Found: C:\Program Files\SpeedOptimizer
Folder Found: C:\Program Files\tencent
Folder Found: C:\Program Files\Viewpoint
Folder Found: C:\Program Files\Tencent
Folder Found: C:\Program Files\Common Files\Software Update Utility
Folder Found: C:\Users\Roxanne\AppData\Roaming\Mozilla\Firefox\Profiles\9u6nzhkj.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}


***** [ Files ] *****

File Found: C:\Users\Roxanne\AppData\Local\Microsoft\Internet Explorer\DOMStore\JB0A0IX4\internetspeedtracker.dl.myway[1].xml
File Found: C:\Users\Roxanne\AppData\Local\Microsoft\Internet Explorer\DOMStore\4UQ34PHN\allin1convert.dl.myway[1].xml
File Found: C:\Users\Roxanne\AppData\Local\Microsoft\Internet Explorer\DOMStore\4UQ34PHN\fromdoctopdf.dl.myway[1].xml
File Found: C:\Users\Roxanne\AppData\Local\Microsoft\Internet Explorer\DOMStore\4UQ34PHN\www.citysearch[1].xml
File Found: C:\Users\Roxanne\AppData\Local\Microsoft\Internet Explorer\DOMStore\4UQ34PHN\www.zwinky[1].xml
File Found: C:\Windows\system32\lavasofttcpservice.dll
File Found: C:\Windows\system32\LavasoftTcpServiceOff.ini
File Found: C:\Windows\system32\drivers\swdumon.sys
File Found: C:\Windows\system32\drivers\SWDUMon.sys
File Found: C:\Users\Roxanne\AppData\Roaming\Mozilla\Firefox\Profiles\9u6nzhkj.default\extensions\[email protected]
File Found: C:\Users\Roxanne\AppData\Roaming\Mozilla\Firefox\Profiles\9u6nzhkj.default\searchplugins\bing-lavasoft.xml


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\citysearch.com
Key Found: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
Key Found: HKLM\SOFTWARE\Classes\AniGIFCtrl.AniGIF
Key Found: HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg
Key Found: HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg.1
Key Found: HKLM\SOFTWARE\Classes\AniGIFPpg2.AniGIFPpg2
Key Found: HKLM\SOFTWARE\Classes\AniGIFPpg2.AniGIFPpg2.1
Key Found: HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found: HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found: HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found: HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found: HKLM\SOFTWARE\Classes\dnUpdate
Key Found: HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Found: HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Found: HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Found: HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Found: HKLM\SOFTWARE\Classes\IncrediSpooler.DeltaSync
Key Found: HKLM\SOFTWARE\Classes\IncrediSpooler.DeltaSync.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager.1
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController
Key Found: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController.1
Key Found: HKLM\SOFTWARE\Classes\PPSShapeCollection.PS10ArrowTool
Key Found: HKLM\SOFTWARE\Classes\PPSShapeCollection.PS10ArrowTool.1
Key Found: HKLM\SOFTWARE\Classes\protector_dll.Protector
Key Found: HKLM\SOFTWARE\Classes\protector_dll.Protector.1
Key Found: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
Key Found: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
Key Found: HKLM\SOFTWARE\Classes\PSActivityPanes.PSTextPane
Key Found: HKLM\SOFTWARE\Classes\PSActivityPanes.PSTextPane.1
Key Found: HKLM\SOFTWARE\Classes\Sample.BrowserHandler
Key Found: HKLM\SOFTWARE\Classes\Sample.BrowserHandler.1
Key Found: HKLM\SOFTWARE\Classes\Sample.YTBPartnerSample
Key Found: HKLM\SOFTWARE\Classes\Sample.YTBPartnerSample.1
Key Found: HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Found: HKLM\SOFTWARE\Classes\AppID\{7375D127-3955-4654-8E7D-1949A7A9C902}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}
Key Found: HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Found: HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Found: HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Found: HKLM\SOFTWARE\Classes\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1000\Software\SpeedBit
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\distromatic
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\IM
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\ImInstaller
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\SlimWare Utilities Inc
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\SpeedBit
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Yahoo\Companion
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Yahoo\YFriendsBar
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\YahooPartnerToolbar
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\AppDataLow\Software\adawarebp
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\AppDataLow\Software\Yahoo\Companion
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\FLV Player
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Yahoo! Companion
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Amazon Assistant
Key Found: HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1191959822-635995572-3245679226-1004\Software\SpeedBit
Key Found: HKCU\Software\distromatic
Key Found: HKCU\Software\IM
Key Found: HKCU\Software\ImInstaller
Key Found: HKCU\Software\SlimWare Utilities Inc
Key Found: HKCU\Software\SpeedBit
Key Found: HKCU\Software\Yahoo\Companion
Key Found: HKCU\Software\Yahoo\YFriendsBar
Key Found: HKCU\Software\YahooPartnerToolbar
Key Found: HKCU\Software\AppDataLow\Software\adawarebp
Key Found: HKCU\Software\AppDataLow\Software\Yahoo\Companion
Key Found: HKLM\SOFTWARE\ImInstaller
Key Found: HKLM\SOFTWARE\MetaStream
Key Found: HKLM\SOFTWARE\SlimWare Utilities Inc
Key Found: HKLM\SOFTWARE\SpeedBit
Key Found: HKLM\SOFTWARE\Viewpoint
Key Found: HKLM\SOFTWARE\Yahoo\Companion
Key Found: HKLM\SOFTWARE\Lavasoft\Web Companion
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FLV Player
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Amazon Assistant
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\FLV Player
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Yahoo! Companion
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Amazon Assistant
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found: HKU\S-1-5-21-1191959822-635995572-3245679226-1004\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
Key Found: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
Key Found: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
Key Found: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
Key Found: HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Found: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\FLVPlayer.exe
Key Found: HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[s0].txt - [14631 Bytes] - [27/08/2016 19:51:40]
C:\AdwCleaner\AdwCleaner[s1].txt - [13756 Bytes] - [27/08/2016 20:22:16]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [13830 Bytes] ##########

I have had a lot of problems with the online ESET scan. I do not use Internet Explorer, as Vista quit updating and my version is long out of date; I use Mozilla Firefox. I disabled Ad-Aware, but it still seemed to recognize its presence on the computer. The first time I ran the scan, it found 8 threats and hung up before the scan was complete, so I could not retrieve a report; I had to end the scan through Task Manager. The second time I ran the scan, it found 11 threats and hung up before the scan was completed, so again no report, but before I could end the process it started cleaning the threats even though I did not have that box checked. I have no idea what was deleted from my computer by this scan. I tried it a third time and it found one threat and again hung up before the scan was finished. After this I gave up, as I don't want any more files deleted from my computer without my knowledge. Therefore I do not have a txt file to include from the ESET online scan. I hope this will be enough to help without the last scan.

Fixlog.txt

AdwCleaner.txt

To see what Eset's scanner did, please go to the folder C:\users\Roxanne\appdata\local\temp\ and paste the content of the log file log.txt in your reply.

Follow the instructions on the page http://www.bleepingcomputer.com/virus-removal/remove-poweliks-trojan but replace Step 11-16 with an Ad-Aware scan. Please, tell me the result of Ad-Aware's scan and if Eset's tool found something and, if yes, paste the content of ESETPoweliksCleaner.exe_<timestamp>.log in your reply.

Please, scan the computer with FRST and attach the new log files.

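A check worth running alongside the steps above, added here as an example and not part of the original thread or of the Bleeping Computer guide: when a scanner reports a detection under regsvr32.exe as "deleted on reboot" and the next scan finds it again, the file it removes is usually only what a surviving launcher entry re-creates, and the most common place for that launcher is an autostart registry key. The PowerShell below lists every Run/RunOnce value for the current user and the machine and flags entries that invoke script or COM hosts, that carry inline script or a URL, or whose value name contains non-printable characters (which regedit cannot display). Assumptions: it is run from an elevated PowerShell prompt, and the key list and the list of flagged host binaries are this example's own choices, not Ad-Aware's or ESET's detection logic.

```powershell
# Added example: enumerate autostart Run/RunOnce values and flag launcher-style
# entries. This is not the thread's code and not Ad-Aware/ESET logic; the key
# list and host list below are this example's own assumptions. Run elevated.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # present on 64-bit Windows only
)

# Windows binaries a legitimate autostart entry rarely needs, but which
# registry-resident malware uses to run code without an ordinary EXE of its own.
$hostPattern = 'regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe'

function Get-AutostartVerdicts {
    $results = foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
            if ($prop.Name -like 'PS*') { continue }
            $name  = $prop.Name
            $value = [string]$prop.Value
            $flags = @()
            if ($value -match $hostPattern)                 { $flags += 'script/COM host' }
            if ($value -match '(?i)javascript:|https?://')  { $flags += 'inline script or URL' }
            if ($name  -match '[^\x20-\x7E]')               { $flags += 'non-printable value name' }
            $verdict = if ($flags.Count -gt 0) { 'SUSPECT: ' + ($flags -join ', ') } else { 'ok' }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Value   = $value
                Verdict = $verdict
            }
        }
    }
    $results
}

# Show every entry, suspect ones first. Keep a copy of this output before the
# cleanup reboot so the same keys can be compared afterwards.
Get-AutostartVerdicts | Sort-Object Verdict -Descending | Format-List Key, Name, Value, Verdict
```

An entry that is flagged here and is still present after the scanner's "successfully deleted" reboot is the thing to remove (or to hand to the helper in the FRST fix), because deleting only the file it launches will not stop the cycle.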

I have had quite a time. First of all, as none of the three scans done with the ESET online scanner completed to the end, there was no log file generated in the directory you indicated. I have no idea what was deleted.

I have followed the instructions at Bleeping Computer. The Rkill program stopped a Windows process and two Internet Explorer .exe processes to help in removing the virus. I then ran the ESET Poweliks cleaner, which returned a report that no Trojan Poweliks virus was found. I have attached a copy. I rebooted and found that I am no longer able to run Internet Explorer. The application .exe file is no longer in the Internet Explorer directory. While I don't use Internet Explorer for browsing, I have programs which need it to operate. I attempted to download it from Microsoft to reinstall it, and it won't reinstall, as the version on my computer is more current than the version 9 program from Microsoft. The registry root directory still thinks I have it, but it is not listed in software. I can still access the Internet Options from the program through Control Panel but can't run the program. There is no way to uninstall Internet Explorer so I can reinstall the earlier version. I am without ideas to fix my registry, which is now corrupt.

I also attempted to run a full scan through Ad-Aware and couldn't get the full scan to run longer than 15 minutes. I attempted to repair it. I uninstalled and reinstalled it without fixing the problem. I had to do a system restore and then run the repair tool to get it to run a longer full scan. The full scan report came back reflecting no Trojan Poweliks viruses; the scan still didn't run as long as the full scan did before. I don't know if I can trust the results. Programs load a little faster and I am not seeing miscellaneous other phenomena, but I don't know.

Before I started this process I did a full scan, and in addition to the two Trojan.Poweliks.Gen.1 and the Trojan.Poweliks.Gen.2 at Windows\System32\regsvr32.exe, there was also a Trojan.Poweliks.Gen.2 at Internet Explorer. I think that Internet Explorer is where the viruses were located. I used to get notifications that Internet Explorer had been closed to protect my computer when I had not had the program open.

I am not impressed with the ESET scanning programs. My computer is not the same. I don't know how to resolve this. I have attached new copies of the FRST scan FRST and Addition txt files. I await your reply.

ESETPoweliksCleaner.exe_20160829.161119.8600.log

FRST.txt

Addition.txt

I just requested another full scan in Ad-Aware and it lasted 11 minutes. My software isn't working, and I've tried repairing and reinstalling it. I have no working virus protection now.

I'm sorry that you have such big problems.

Ad-Aware remembers which files have been scanned, and if they haven't changed they will not be scanned again. That means that scans are pretty fast, except for the first scan.

Do you have any files in the quarantine of Ad-Aware?

If not, you might try to do a system restore to a date when Internet Explorer worked, e.g. before Ad-Aware found Poweliks or before you ran Eset's online scanner.

I did a system restore to the restore point created by FRST.exe, which was before the ESET online scan. It was a successful restore, so although I don't know what was deleted by the ESET online scan, I must assume they have been restored. I can also access Internet Explorer, which pleases me. I redid the fix in FRST with the original fixlist.txt without problem.

Every full scan I've done in Ad-Aware has taken at least three hours and has come up with the viruses. I would assume that the viruses would also be restored, but on a much shorter full scan I come up clean with no viruses. The software said I had not done a scan for a long time, so I would think it would take the usual three hours. It took one hour and thirty-nine minutes. There is one quarantined item called Gen:Variant.Application at c:\users\roxanne\appdata\local\temp\tmp9334685\setup.exe, which I have deleted. I have downloaded the Rkill, Iexplore and ESET Poweliks Cleaner programs again from Bleeping Computer and will keep them for a time till I know I am out of the woods.

If you tell me my Ad-Aware program is okay doing much shorter full scans, I will take you at your word and assume I am protected.

In one of the instruction sites you gave me, it recommended that after removal of the viruses I should do a scan with Secunia PSI to see what other programs might be vulnerable to viruses. I have this program. It is one of the programs that needs Internet Explorer. I have listed the https://*.secunia.com site as a trusted site to allow it to scan my software and download updated programs. It attempts to scan and download program vulnerabilities, but it goes through the sequence fast and does nothing. It isn't working. I believe the Ad-Aware firewall is not letting it work. Is there any way to list a trusted site in Ad-Aware?

Since this issue appears to be resolved, this topic has been closed. Glad we could help. :) If you're the topic starter and need this topic reopened, please contact the staff member who was helping you with your issue. Everyone else, please begin a new topic. Thank you!
