Windows 10: Remove PUP application from DVD Drive (F:) CDROM

Discuss and support Remove PUP application from DVD Drive (F:) CDROM in AntiVirus, Firewalls and System Security to solve the problem; If I can not run the ESET to its completion what do I do about the 8 threats it detects before finishing? Discussion in 'AntiVirus, Firewalls and System Security' started by myrnsterMash, Aug 3, 2016.

  1. Remove PUP application from DVD Drive (F:) CDROM


    If I can not run the ESET to its completion what do I do about the 8 threats it detects before finishing?
     
    myrnsterMash, Aug 18, 2016
    #76
  2. simrick Win User

    Sounds good.

    I've never used BitDefender Rescue. But, I think we are still waiting for the results of TDSSKiller?

    Based on what I've read about this threat, the reg key is activated by a call to the particular CLSID, so, I doubt we'll find a rootkit (but, never know). I am thinking we will want to get to Ccleaner eventually, and get screenshots of Startup tabs to determine if anything needs to be disabled/removed that way, and run the cleaner on the registry to get rid of ReImage leftovers as well?

    Agreed.
    Nor mine.

    *Roflmao2 Better more scans, than leftover infection! *Wink
     
    simrick, Aug 18, 2016
    #77
  3. simrick Win User
    If, when you first ran the ESET scan, you selected to have it auto-clean threats, then those 8 will be in your quarantine. To access them you can try running the scan again, selecting only memory and the Users sub-folder under C drive. They should show up again (at least that's what their instructions said in the past - hopefully they haven't changed that with their updated scan function).
     
    simrick, Aug 18, 2016
    #78
  4. simrick Win User
    Looks to me like HMPro found a bunch of Reimage leftovers, a bunch of cookies and one Ask toolbar. I don't see anything else. @Slartybart can confirm. *Smile
     
    simrick, Aug 18, 2016
    #79
  5. You have to be joking, if I am not learning something.....well, it is the difference between knowledgeable and embellishers ("yeah, my brother works for the government in IT and he told me all about this....blah blah blah"), then your computer, pc, laptop, whatever starts melting into green goo while you hear the Wicked Witch's cackle screeching "I'm melting."

    No overload of tech overload here.
     
    myrnsterMash, Aug 18, 2016
    #80
  6. simrick Win User
    *Roflmao2 A real trooper! *Thumbs
    When all is said and done, and you have the all-clear, we'll get you set up with Macrium imaging, so if anything ever happens again, you simply restore an image and you're back in business in a matter of minutes/hours, instead of days. Just need an external hard drive for that.
     
    simrick, Aug 18, 2016
    #81
  7. I was only given options about PUPS and whether to auto delete them, (I did NOT check off the auto delete, because I wanted the info before deleting), but I can not find any log, because it would stop running after it detected the 8 threats. Trust me, I looooooooked, and searched. This info has to exist somewhere, right, but where? Did I make another wrong decision? I like to know and record exactly what I am removing before initiation.
     
    myrnsterMash, Aug 18, 2016
    #82
  8. simrick Win User
    Click the little arrow next to Show advanced options, and you'll see all the options to select.


    Then, select CHANGE for the Current Scan Targets.

     
    simrick, Aug 18, 2016
    #83
  9. simrick Win User
    You can have a look for the log here:

     
    simrick, Aug 18, 2016
    #84
    Yep, but it looks as though the log was cut short. Might not have been... I haven't looked at a Hitman log for a while.

    In any case - clean the threats HitmanPro found. I'll watch to see if ESET gets through with auto-clean set.
     
    Slartybart, Aug 18, 2016
    #85
    I really do want to understand the complexities of how these infections, or this one (for starters), affect systems. Could you please tell me if this info is correct?

    Poweliks is not a regular piece of malware because it resides in the memory of the system and stores absolutely no file on the disk, making it more difficult to detect.
    After compromising the computer, the malware creates registry entries with commands that verify for the presence of PowerShell or .NET Framework and for executing the payload.

    Once the file is launched, the cybercriminals turn on the persistency feature of the malware by creating an encoded autostart key in the registry.
    It seems that the encoding technique used by the malware was originally created by Microsoft to safeguard their source code from being altered. In order to avoid detection by system tools, the registry key is hidden by providing a name in non-ASCII characters, which makes it unavailable to the Registry Editor (regedit.exe) in Windows.
    By creating the auto-start key, the attackers make sure that a reboot of the system does not remove it from the computer.
    By decoding the key, Symantec observed two sets of code: one that verified if the affected machine had Windows PowerShell installed, and another one, a Base64-encoded PowerShell script, for calling and executing the shellcode.
    According to the Symantec researchers, the shellcode executes the payload, which attempts to connect to a remote command and control (C&C) server for receiving instructions. There are multiple IP addresses for C&C servers, all hard-coded.
    The peculiarity of this malware is that it does not create any file on the disk, making it more difficult to be detected through classic protection mechanisms.

    cited from: How to remove Trojan.Poweliks virus (Removal Guide)
     
    myrnsterMash, Aug 18, 2016
    #86
  12. Hey, how did you get to that guide? *Wink

    It means that it is sneakier than vanilla malware that can be found in a file

    Let's see what the guide also identified as registry keys

    Command Prompt (Admin)
    copy the following line and right click in the Command Prompt window to paste it

    reg query "HKCU\software\classes\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}" /s
    If the query finds the key, post a screen shot.

    did you perform a clean boot?
     
    Slartybart, Aug 18, 2016
    #87
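Added example, not code from the thread or any of its participants: a Python triage script that parses saved `reg query ... /s` output and flags the two traits the quoted Symantec description gives, a value name regedit cannot display and a PowerShell encoded command in the value data, decoding the latter so an analyst can read it. The sample output, the `\x01LocalServer32` name and the benign encoded command are constructed here.

```python
import base64
import re

# Constructed sample of `reg query ... /s` output (not taken from the thread).
# The second value name starts with a control character, mimicking the "hidden"
# autostart name the guide describes; its data is a benign encoded command.
BENIGN = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE = (
    "HKEY_CURRENT_USER\\software\\classes\\clsid\\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\n"
    "    (Default)    REG_SZ    harmless text\n"
    "    \x01LocalServer32    REG_SZ    powershell -w hidden -enc " + BENIGN + "\n"
)
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def parse_reg_query(text):
    """Yield (key, name, type, data) from reg query text: key paths are not
    indented, value lines are indented and their fields separated by 4 spaces."""
    key = None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):
            key = line.strip()
            continue
        parts = re.split(r" {4}", line.strip(), maxsplit=2)
        if len(parts) >= 2:
            yield key, parts[0], parts[1], (parts + [""])[2]


def decode_encoded_command(data):
    """Return the script behind -enc/-EncodedCommand (UTF-16LE base64), else None."""
    m = ENC_RE.search(data)
    return base64.b64decode(m.group(1)).decode("utf-16-le", "replace") if m else None


def triage(text):
    """Flag values whose name regedit cannot show or whose data runs PowerShell."""
    findings = []
    for key, name, _rtype, data in parse_reg_query(text):
        reasons = []
        if any(ord(c) < 32 or ord(c) > 126 for c in name):
            reasons.append("non-printable or non-ASCII value name")
        if "powershell" in data.lower():
            reasons.append("PowerShell launched from registry data")
        script = decode_encoded_command(data)
        if script is not None:
            reasons.append("base64 encoded command")
        if reasons:
            findings.append({"key": key, "name": name, "reasons": reasons, "script": script})
    return findings
```

Redirect the thread's `reg query` line to a text file and pass its contents to `triage()`; the decoded script is shown, never executed.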
  13. simrick Win User
    simrick, Aug 18, 2016
    #88
  14. Here's a shorthand recap

    Outstanding tasks:
    HitmanPro - were the threats cleaned?
    ESET online scan: running with auto set
    Clean Boot
    Reg key query
    Bitdefender Rescue
    TDSSKiller
    Dism
    SFC



    Post# 1 Avast
    Found a PUP
    how-to-remove-driver-side-door-panel-150.ISO
    The Holy Library
    Holy.app
    Holy.exe
    8/3/2016
    Post# 5 Downloads\how-to-remove-driver-side-door-panel-150.ISO
    ????? Avast msg says run Mbam?
    Avast can not do anything, meaning "repair," "quarantine," or "delete,"
    instead an "error" displays prompting me to run the Malwarebytes Anti-Malware scan ?????
    Post# 7: Rkill log - No objects found to stop or kill


    Post# 10 ISO deleted - in recycle bin
    Myrna identifies the downloader from us1 springfile org
    mixed info on research - some malicious, some 1or 2 out of all AV products flagged it

    AdwCleaner log - cleaned up minor PUPs
    Post# 12 JRT & HitmanPro suggested

    Post# 13 - eset online suggested

    Post# 15 JRT log - nothing major

    Post# 24
    hitman results - no threats found
    Threats detected 1,095 ?????
    Post# 28 suggest Mbam

    Post# 32 ESET online hangs at end

    Post# 35 Mbam finds Trojan.Poweliks.B in HKU\S-1-5-21

    Post# 36 Mbam log two threats quarantined

    Post# 37
    suggest remove the two threats
    suggest TDSSkiller
    Post# 38 suggest How to remove the Poweliks Trojan (Removal Guide)

    Post# 39 starts ReImage debacle from ad on SevenForums

    Post# 49 Avast flags Poweliks guide on bleeping

    Post# 50
    suggest Rkill and HitmanPro from the guide
    follow up with Dism & SFC
    Post# 52 correction
    suggest Rkill, ESET Poweliks Cleaner, and HitmanPro from the guide

    Post# 60 Rkill log
    Terminates 1 process
    * C:\Users\MyrnaZ\AppData\Local\Temp\{7E6122F0-DB5E-430A-A6AE-6F73E75D1A32}\{BCCE466F-5194-418B-B7A4-55A77A6E62F6}.exe (PID: 16284) [T-HEUR]
    This was not found in the first Rkill. Probably belongs to ReImage
    Post# 63 ESET Poweliks log - threat not found

    Post# 71
    suggest Clean boot
    Rkill
    Hitman
    Post# 72
    suggest TDSSkiller
    Bitdefender Rescue
    check reg for Poweliks keys
    Post# 73 Hitman log
    Were they cleaned or is that just what was found?
    Post# 76 suggest ESET online scanner with autoclean set
     
    Slartybart, Aug 18, 2016
    #89
  15. That link to the guide is actually a blog, although the title is the same as yours....coincidence?
    How to remove Trojan.Poweliks virus (Removal Guide)
    When I clicked on copy link, it had the same title. I just copied and pasted the url that is its description, above. The query did not show the key in the command prompt when I ran the line you suggested, and I will post the screen shot just so you see it:

    Was I supposed to reboot first? I will reboot now. Something peculiar happened when I was playing a game, yes, a game (but the one and only site I use, and please do not take my stress reliever away...*Banghead). In between rounds I noticed in the upper corner of the screen a quick "flash" of "X=x" in the same colors and font never seen previously. Am I now just being paranoid?
    I thought I posted the results for Hitman?
     
    myrnsterMash, Aug 19, 2016
    #90