movieroomreviews.com and others

Windows 7 x64

  • started receiving popup notifications about various sites being blocked, from the Internet Explorer process- even while IE was not running
  • several (seemingly unused) processes/services related to Windows Media player, Windows Image Acquisition, and others (not sure what else- can no longer logon to Windows to find out) were repeatedly taking up way too many CPU cycles and from one half to 1.25 GB of memory.
  • attempted to generate log files within Windows
  • although I believe aswMBR.exe never completed (I saved the log while it was still in process.)
  • aswMBR.exe seemed to hang on something related to Google Music uninstaller both times I attempted to run it.
  • system doesn’t seem to boot any more after a BSOD
  • also can’t get into safe mode. Hangs on aswrvrt.sys.
  • ran FRST second time after booting from Win7 DVD

Thank you very much in advance!

Here is aswMBR.txt

Let me know what improvement there is after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-1208051302-2929865567-113545068-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
CHR HKU\S-1-5-21-1208051302-2929865567-113545068-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
CHR HKU\S-1-5-21-1208051302-2929865567-113545068-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
2014-12-07 19:45 - 2014-12-07 19:45 - 00000247 _____ () C:\Windows\system32\2014-12-08-01-45-42.077-aswFe.exe-239644.log
2014-12-07 19:38 - 2014-12-07 19:45 - 00000247 _____ () C:\Windows\system32\2014-12-08-01-38-54.013-aswFe.exe-232760.log
2014-12-07 19:38 - 2014-12-07 19:38 - 00000197 _____ () C:\Windows\system32\2014-12-08-01-38-49.080-AvastVBoxSVC.exe-113464.log
2014-11-30 19:06 - 2014-11-30 19:06 - 00000247 _____ () C:\Windows\system32\2014-12-01-01-06-15.049-aswFe.exe-177100.log
2014-11-30 19:04 - 2014-11-30 19:06 - 00000247 _____ () C:\Windows\system32\2014-12-01-01-04-31.053-aswFe.exe-205856.log
2014-11-30 19:04 - 2014-11-30 19:04 - 00000197 _____ () C:\Windows\system32\2014-12-01-01-04-29.039-AvastVBoxSVC.exe-186852.log
2014-11-23 19:29 - 2014-11-23 19:29 - 00000247 _____ () C:\Windows\system32\2014-11-24-01-29-06.010-aswFe.exe-36840.log
2014-11-23 19:04 - 2014-11-23 19:29 - 00000247 _____ () C:\Windows\system32\2014-11-24-01-04-45.090-aswFe.exe-46192.log
2014-11-23 19:04 - 2014-11-23 19:04 - 00000197 _____ () C:\Windows\system32\2014-11-24-01-04-30.004-AvastVBoxSVC.exe-46596.log
2014-11-22 00:38 - 2014-11-22 00:38 - 00000247 _____ () C:\Windows\system32\2014-11-22-06-38-27.056-aswFe.exe-3556.log
2014-11-22 00:36 - 2014-11-22 00:38 - 00000247 _____ () C:\Windows\system32\2014-11-22-06-36-40.087-aswFe.exe-10952.log
2014-11-22 00:36 - 2014-11-22 00:36 - 00000197 _____ () C:\Windows\system32\2014-11-22-06-36-38.044-AvastVBoxSVC.exe-7468.log
C:\ProgramData\dsgsdgdsgdsgw.pad
C:\Users\MMorris\AppData\Local\Temp\_MEI16842
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thank you VERY much essexboy. I will attempt these fixes in the morning and report back. You are greatly appreciated.

As a dessert now that the malware has been cleansed, a read-up on Poweliks: https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html (link article author = Paul Rascagnères)

polonus

Thank you very much. Sorry for the delay, but I had to run chkdsk on some rather large volumes as a result of the BSOD and Windows failing to boot those few times. It seems that all is well now as far as data on those volumes goes.

I applied the fix and noticed an immediate improvement at least with respect to performance and processor utilization. I have to say, I am rather perplexed about the nature of these types of infections I am seeing in the forums, as well as how I might have managed to pick it up.

polonus, I will definitely take a look at the link you posted. Might be just the sort of info I was looking for. Thank you for that.

essexboy, since you asked for the content of the log file I am including it here rather than attaching it. I hope I understood correctly.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-12-2014
Ran by MMorris at 2014-12-14 01:12:28 Run:3
Running from C:\Users\MMorris\Desktop
Loaded Profile: MMorris (Available profiles: MMorris)
Boot Mode: Normal
==============================================

Content of fixlist:


HKU\S-1-5-21-1208051302-2929865567-113545068-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
CHR HKU\S-1-5-21-1208051302-2929865567-113545068-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
CHR HKU\S-1-5-21-1208051302-2929865567-113545068-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
2014-12-07 19:45 - 2014-12-07 19:45 - 00000247 _____ () C:\Windows\system32\2014-12-08-01-45-42.077-aswFe.exe-239644.log
2014-12-07 19:38 - 2014-12-07 19:45 - 00000247 _____ () C:\Windows\system32\2014-12-08-01-38-54.013-aswFe.exe-232760.log
2014-12-07 19:38 - 2014-12-07 19:38 - 00000197 _____ () C:\Windows\system32\2014-12-08-01-38-49.080-AvastVBoxSVC.exe-113464.log
2014-11-30 19:06 - 2014-11-30 19:06 - 00000247 _____ () C:\Windows\system32\2014-12-01-01-06-15.049-aswFe.exe-177100.log
2014-11-30 19:04 - 2014-11-30 19:06 - 00000247 _____ () C:\Windows\system32\2014-12-01-01-04-31.053-aswFe.exe-205856.log
2014-11-30 19:04 - 2014-11-30 19:04 - 00000197 _____ () C:\Windows\system32\2014-12-01-01-04-29.039-AvastVBoxSVC.exe-186852.log
2014-11-23 19:29 - 2014-11-23 19:29 - 00000247 _____ () C:\Windows\system32\2014-11-24-01-29-06.010-aswFe.exe-36840.log
2014-11-23 19:04 - 2014-11-23 19:29 - 00000247 _____ () C:\Windows\system32\2014-11-24-01-04-45.090-aswFe.exe-46192.log
2014-11-23 19:04 - 2014-11-23 19:04 - 00000197 _____ () C:\Windows\system32\2014-11-24-01-04-30.004-AvastVBoxSVC.exe-46596.log
2014-11-22 00:38 - 2014-11-22 00:38 - 00000247 _____ () C:\Windows\system32\2014-11-22-06-38-27.056-aswFe.exe-3556.log
2014-11-22 00:36 - 2014-11-22 00:38 - 00000247 _____ () C:\Windows\system32\2014-11-22-06-36-40.087-aswFe.exe-10952.log
2014-11-22 00:36 - 2014-11-22 00:36 - 00000197 _____ () C:\Windows\system32\2014-11-22-06-36-38.044-AvastVBoxSVC.exe-7468.log
C:\ProgramData\dsgsdgdsgdsgw.pad
C:\Users\MMorris\AppData\Local\Temp\_MEI16842
EmptyTemp:
CMD: bitsadmin /reset /allusers


"HKU\S-1-5-21-1208051302-2929865567-113545068-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-1208051302-2929865567-113545068-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"HKU\S-1-5-21-1208051302-2929865567-113545068-1000\SOFTWARE\Policies\Google" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{95B7759C-8C7F-4BF1-B163-73684A933233} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}" => Key not found.
"HKU\S-1-5-21-1208051302-2929865567-113545068-1000\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => Key deleted successfully.
"C:\Windows\system32\2014-12-08-01-45-42.077-aswFe.exe-239644.log" => File/Directory not found.
"C:\Windows\system32\2014-12-08-01-38-54.013-aswFe.exe-232760.log" => File/Directory not found.
"C:\Windows\system32\2014-12-08-01-38-49.080-AvastVBoxSVC.exe-113464.log" => File/Directory not found.
"C:\Windows\system32\2014-12-01-01-06-15.049-aswFe.exe-177100.log" => File/Directory not found.
"C:\Windows\system32\2014-12-01-01-04-31.053-aswFe.exe-205856.log" => File/Directory not found.
"C:\Windows\system32\2014-12-01-01-04-29.039-AvastVBoxSVC.exe-186852.log" => File/Directory not found.
"C:\Windows\system32\2014-11-24-01-29-06.010-aswFe.exe-36840.log" => File/Directory not found.
"C:\Windows\system32\2014-11-24-01-04-45.090-aswFe.exe-46192.log" => File/Directory not found.
"C:\Windows\system32\2014-11-24-01-04-30.004-AvastVBoxSVC.exe-46596.log" => File/Directory not found.
"C:\Windows\system32\2014-11-22-06-38-27.056-aswFe.exe-3556.log" => File/Directory not found.
"C:\Windows\system32\2014-11-22-06-36-40.087-aswFe.exe-10952.log" => File/Directory not found.
"C:\Windows\system32\2014-11-22-06-36-38.044-AvastVBoxSVC.exe-7468.log" => File/Directory not found.
"C:\ProgramData\dsgsdgdsgdsgw.pad" => File/Directory not found.
"C:\Users\MMorris\AppData\Local\Temp\_MEI16842" => File/Directory not found.

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => Removed 4.3 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====

Are there any other points of concern? Or topics in which a lesson can be learned by all observers? Thanks again!

You had a Poweliks infection, which does not have a file on the system but rather adjusts a registry entry. As it stands at the moment no AV can remove this; it needs to be done manually.
http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-levels-up-with-new-autostart-mechanism/
https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html

Are you experiencing any further problems?
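As an added illustration (this is not code from the thread, from FRST, or from the linked articles), the following Python triage script applies the indicator essexboy's fix targeted to FRST-style log lines: a CLSID `localserver32` value that launches `rundll32.exe javascript:` with `mshtml.dll,RunHTMLApplication`, which is the fileless registry persistence described above. The detection keys on the value, not on the particular CLSID, so it also covers other keys using the same launcher. The sample lines are constructed, modelled on the entries quoted in this thread, and the "benign" line is a placeholder. The decoder assumes only what the quoted string shows, namely that every character is shifted up by one (`epdvnfou` decodes to `document`), and it checks that the result is printable before reporting it.

```python
import re

# Constructed sample lines, modelled on the FRST entries quoted in this thread.
SAMPLE_FRST_LINES = [
    r'HKU\S-1-5-21-1208051302-2929865567-113545068-1000\...A8F59079A8D5}\localserver32: '
    r'rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>',
    # Placeholder benign autorun entry (constructed, not from the thread).
    r'HKLM\...\Run: [PlaceholderUpdater] => C:\Program Files\Placeholder\updater.exe',
    r'CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path',
]

# Launcher fragments that mark the rundll32 + javascript: persistence trick.
LAUNCHER_PATTERNS = (
    re.compile(r"rundll32(\.exe)?\s+javascript:", re.IGNORECASE),
    re.compile(r"mshtml(\.dll)?,RunHTMLApplication", re.IGNORECASE),
)
EVAL_ARG = re.compile(r'eval\("([^"]+)')


def split_key_value(line: str):
    """Split an FRST registry line into (key, value) at the first ': '."""
    key, sep, value = line.partition(": ")
    return (key.strip(), value.strip()) if sep else (line.strip(), "")


def is_poweliks_localserver32(line: str) -> bool:
    """True when a CLSID LocalServer32 value is a rundll32 javascript: launcher."""
    key, value = split_key_value(line)
    if not key.lower().endswith("\\localserver32"):
        return False
    return any(p.search(value) for p in LAUNCHER_PATTERNS)


def shift_decode(blob: str, shift: int = 1) -> str:
    """Undo a per-character shift; the quoted sample uses a shift of one."""
    return "".join(chr(ord(c) - shift) for c in blob)


def decoded_eval_prefix(value: str) -> str:
    """Decode the string handed to eval(), or '' if absent or not printable."""
    m = EVAL_ARG.search(value)
    if not m:
        return ""
    decoded = shift_decode(m.group(1))
    return decoded if all(32 <= ord(c) < 127 for c in decoded) else ""


def triage(lines) -> list:
    """Return one finding per line that carries the LocalServer32 launcher."""
    findings = []
    for line in lines:
        if is_poweliks_localserver32(line):
            key, value = split_key_value(line)
            findings.append({
                "key": key,
                "launcher": value.split(";", 1)[0],
                "decoded_prefix": decoded_eval_prefix(value),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f"[!] {f['key']}\n    launcher: {f['launcher']}\n    decoded:  {f['decoded_prefix']}")
```

The FRST fixlist in this thread deletes the whole CLSID key, which is the right unit of removal: the launcher value alone is what the script flags, but the parent key is what the malware recreates, so a finding should be followed by removing the key and re-running the scan, as essexboy did here.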

It appears I may still have some problems, even though inexplicable processor utilization is no longer a symptom. This time while I was using Chrome. I will run the scans and upload the logs later when I have more time (unless I receive suggestions to the contrary in the meantime) but here are the two Avast popups I received just now.

Yes please, the malware may have changed chrome to development mode before the fix was run. That will be evident in the FRST scan

Attached are:

  • a FRST.txt file which was generated by a crashed FRST64 run (in which I had all optional checkboxes selected)
  • a FRST.txt file from a run in which only the “Addition” extra option was selected, and which completed successfully
  • the addition.txt file

Thank you my friend!

I will say that the popups are not as frequent as they were previously when it was Internet Explorer generating them. In fact I believe the two screen captures of the popups from earlier that I attached previously are the only two popups there have been since the initial fix attempt (although granted I have used the computer very little thus far).

You have so many Chrome extensions that any one of them may be corrupted

So to see if it is one of those could you run chrome in incognito to see if the alerts still appear

https://support.google.com/chrome/answer/95464?hl=en-GB