Solved Malware infection: COM surrogate, dllhost, Trojan Poweliks versions, Adclick(?) on multiple computers

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 


First off, thank you for your help, this has been an incredible pain! Hoping I've done this right. Please find attached the Fixlog.txt. Thank you and looking forward to your response.
 


No random attacks in the last few minutes. Malwarebytes hasn't brought anything up in the last 5-10 minutes. Watching under Windows Task Manager, normally see a dllhost32 popping up with COM Surrogate. While the 32 part is gone, COM Surrogate continues to pop up.
 
Download ESET Poweliks Cleaner
http://download.eset.com/special/ESETPoweliksCleaner.exe

When the download is complete, navigate to your Desktop, double-click ESETPoweliksCleaner.exe.
Read the terms of the End-user license agreement and click Agree if you agree to them.

The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.

If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed.
Press any key to exit the tool.

After removing an infection we highly recommend that you restart your computer. The infection should now be removed and you should be able to access the web content that was being blocked.
 
Hi Argus,
ESET Poweliks cleaner noted Poweliks was not found. Sounds like the system might be clear then?
 
System is clean.



Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 
1st computer looks like a wrap. Thank you so much! For the second computer that's actually a bit worse off, do I need to start a new thread?
 
I'm sorry I don't understand the last part. Do I need to start a new thread for the second computer?
 
Ok, sounds good. The information on the second computer is listed under 2nd computer above. Should I start with the same process (FRST and addition)? The second system has an OS: Win8. Also, I'm worried that the peripheral Toshiba external drive may be moving an infection from one computer to the next. Any way to stop that so that I don't keep reinfecting computers?
 
I'm worried that the peripheral Toshiba external drive may be moving an infection from one computer to the next


I recommend using MCShield, if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.
 
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 


Just wanted to give an update. Cluelessly generated the same txt files from prior run as a 'save and run' and attached them (1st computer). Went back, deleted those files, then started where I was supposed to by downloading the FRST file, running, saving to same location on the second computer. Now going through the FRST Admin Fix scan. Seems to be taking a while (I don't know what a normal run time is like). Is there a point at which long becomes too long and I should stop and restart?
I apologize for the confusion on my end!
 
Fix done, system restarted. Please find attached the Fixlog as requested. Note that Malwarebytes continues to flash a series of outgoing.
 
