Trojan.powerliks!gm-I think


Post by macmanetz on Thu 06 Nov 2014, 9:16 am

In reviewing the Norton event log, I found that Trojan.poweliks!gm has been reappearing... constantly since 10/30/2014. On 11/02/14, Norton battled it 22 times during that day alone. The computer is sluggish, and the system sounds like it is working overtime, with warnings from Norton saying there is high CPU & memory usage of various items, the recurring one in particular being COM.surrogate. Also small warning windows pop up saying that the PowerShell has stopped... whatever that means.

I am fixing my Dad's computer and it is running Windows 7 and not the computer mentioned in the margins as mine.

Norton seems to be fighting off quite a bit but seems to need extra help. Please help. I backed up the computer on a new external drive, then I downloaded the software that GeekPolice requested, ran the scans and am adding the logs below. The computer is running and has internet connectivity.
Thank you for your help!
---------------------------------------------------------------------
AdwCleaner:

# AdwCleaner v3.311 - Report created 05/11/2014 at 16:01:21
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Mac - MAC-HP
# Running from : C:\Users\Mac\Desktop\adwcleaner_3.311.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\defaulttab
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\ProgramData\PC Optimizer Pro
Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\internethelper3.1
Folder Deleted : C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
Folder Deleted : C:\Users\Mac\AppData\Local\apn
Folder Deleted : C:\Users\Mac\AppData\Local\Conduit
Folder Deleted : C:\Users\Mac\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Mac\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Mac\AppData\LocalLow\internethelper3.1
Folder Deleted : C:\Users\Public\Util
Folder Deleted : C:\Users\Mac\AppData\Roaming\Mozilla\Firefox\Profiles\m85a0ybn.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Deleted : C:\Users\Mac\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
[!] Folder Deleted : C:\Users\Mac\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Folder Deleted : C:\Users\Mac\AppData\Local\Google\Chrome\User Data\Default\Extensions\nemfjadlboooiffmcelkafilagddogim
File Deleted : C:\Users\Mac\AppData\Local\CRE\nemfjadlboooiffmcelkafilagddogim.crx
File Deleted : C:\END
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\nsprotector.js
File Deleted : C:\Users\Mac\AppData\Roaming\Mozilla\Firefox\Profiles\m85a0ybn.default\searchplugins\Askcom.xml
File Deleted : C:\Users\Mac\AppData\Roaming\Mozilla\Firefox\Profiles\m85a0ybn.default\user.js

***** [ Scheduled Tasks ] *****

Task Deleted : driverupdate startup
Task Deleted : DTChk
Task Deleted : DTReg
Task Deleted : PC Optimizer Pro Updates
Task Deleted : Scheduled Update for Ask Toolbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : HKCU\Software\Google\Chrome\Extensions\nemfjadlboooiffmcelkafilagddogim
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\nemfjadlboooiffmcelkafilagddogim
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduitapps.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\[You must be registered and logged in to see this link.]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ShoppingBHO.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EB583FE1-9458-4EDA-AC68-24D24F17C70F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FEB62B15-CC00-4736-AAEC-BA046C9DFF73}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9CB36D63-765C-4E6A-8F7E-EEA74969A41E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{571A32B9-3A5C-4EA0-8A8A-EACB070BF7C6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DefaultTab
Key Deleted : HKCU\Software\pc optimizer pro
Key Deleted : HKCU\Software\Tbccint_HKLM
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\BackgroundContainer
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\InternetHelper3.1
Key Deleted : HKLM\SOFTWARE\APN
Key Deleted : HKLM\SOFTWARE\AskToolbar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Freeze.com
Key Deleted : HKLM\SOFTWARE\InternetHelper3.1
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.1
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344


-\\ Mozilla Firefox v32.0.3 (x86 en-US)

[ File : C:\Users\Mac\AppData\Roaming\Mozilla\Firefox\Profiles\m85a0ybn.default\prefs.js ]

Line Deleted : user_pref("CT3289663.FF19Solved", "true");
Line Deleted : user_pref("CT3289663.UserID", "UN68663639610380300");
Line Deleted : user_pref("CT3289663.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3289663.fullUserID", "UN68663639610380300.IN.20130919132018");
Line Deleted : user_pref("CT3289663.installDate", "19/09/2013 13:20:19");
Line Deleted : user_pref("CT3289663.installSessionId", "{0533306F-CC74-4A1E-9664-06EF16CED931}");
Line Deleted : user_pref("CT3289663.installSp", "TRUE");
Line Deleted : user_pref("CT3289663.installerVersion", "1.7.0.9");
Line Deleted : user_pref("CT3289663.keyword", "true");
Line Deleted : user_pref("CT3289663.originalHomepage", "hxxp://www.yahoo.com/");
Line Deleted : user_pref("CT3289663.originalSearchAddressUrl", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_uid=04C5FF2E-5567-4127-AC72-47B017475C77&apn_ptnrs=TV&apn_sauid=AFA87A01-C010-[...]
Line Deleted : user_pref("CT3289663.originalSearchEngine", "Google");
Line Deleted : user_pref("CT3289663.originalSearchEngineName", "");
Line Deleted : user_pref("CT3289663.searchRevert", "false");
Line Deleted : user_pref("CT3289663.searchUserMode", "2");
Line Deleted : user_pref("CT3289663.smartbar.homepage", "true");
Line Deleted : user_pref("CT3289663.versionFromInstaller", "10.20.0.13");
Line Deleted : user_pref("CT3289663.xpeMode", "0");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3289663&octid=CT3289663&SearchSource=61&CUI=UN68663639610380300&UM=2&UP=SP18ED965F-7828-492F-AED8-33150DC6CD9F");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=&locale=&apn_uid=04C5FF2E-5567-4127-AC72-47B017475C77&apn_ptnrs=TV&apn_sauid=AFA87A01-C0[...]
Line Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "InternetHelper3.1 Customized Web Search");
Line Deleted : user_pref("browser.search.order.1", "Ask.com");
Line Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.BUTTON_STRUCTURE", "[{\"b\":221584481,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":221584482,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.firstKnownVersion", "6.33.3.42825");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=1FDD2146-7300-42EF-8354-56BCC7A3B518&n=780bd350&p2=^HJ^xdm635^YYA^us&si=314029");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.initialized", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.installKeysSource", "LocalStorage");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.installType", "XPI");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.installation.contextKey", "");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.installation.installDate", "2014040912");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.installation.partnerId", "^HJ^xdm635^YYA^us");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.installation.partnerSubId", "314029");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.installation.pixelUrl", "hxxp://videodownloadconverter.dl.tb.ask.com/install_pixels.jhtml?partner=^HJ^xdm635^YYA^us&coId=d44c0780684440acadabeea6529[...]
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.installation.success", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.installation.toolbarId", "1FDD2146-7300-42EF-8354-56BCC7A3B518");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.isCompliantUninstallImplementation", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.lastActivePing", "1414953355321");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.lastKnownVersion", "6.72.4.54920");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.options.defaultSearch", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.options.homePageEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.options.keywordEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.options.tabEnabled", false);
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.partnerPixelFired", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.searchHistory", "Amorphophallus titanum");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.successUrl", "hxxp://www.getfreevideoconverter.com/success.html");
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.toolbarCollapsed", true);
Line Deleted : user_pref("extensions.toolbar.mindspark._4zMembers_.weather.location", "33938");
Line Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "videodownloadconverter@mindspark.com");
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3289663");
Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3289663&CUI=UN68663639610380300&UM=2&SearchSource=13,hxxp://search.conduit.com/?ctid=CT3289663&octid=CT3289663&SearchSource[...]
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289663&SearchSource=2&CUI=UN68663639610380300&UM=2&q=");
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3289663");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3289663");
Line Deleted : user_pref("smartbar.machineId", "O+WN051IMQ/ZVNN6L0W7W2CKIW+D+7U2FABV7JCT3FJCKQD0JS1OBU+MZEZJDUABURJ4R5XYY74SX0Z2OY20LG");
Line Deleted : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3289663&CUI=UN68663639610380300&UM=2&SearchSource=13");
Line Deleted : user_pref("yahoo.ytff.toolbar.orignalhomepage", "hxxp://search.conduit.com/?ctid=CT3289663&octid=CT3289663&SearchSource=61&CUI=UN68663639610380300&UM=2&UP=SP18ED965F-7828-492F-AED8-33150DC6CD9F");
Line Deleted : user_pref("yahoo.ytff.toolbar.orignalselectedEngine", "InternetHelper3.1 Customized Web Search");

-\\ Google Chrome v

[ File : C:\Users\Mac\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]
Deleted [Search Provider] : [You must be registered and logged in to see this link.]

*************************

AdwCleaner[R0].txt - [19829 octets] - [02/11/2014 15:49:19]
AdwCleaner[R1].txt - [19517 octets] - [05/11/2014 15:49:37]
AdwCleaner[S0].txt - [18698 octets] - [05/11/2014 16:01:21]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [18759 octets] ##########
---------------------------------------------------------------------------

Malwarebytes:

I ran this 2 days ago and it found 741 objects, which I quarantined. Yesterday, I ran it and it found some 20 more objects that also got quarantined. Here is the log:

Malwarebytes Anti-Malware
[You must be registered and logged in to see this link.]

Scan Date: 11/5/2014
Scan Time: 4:07:36 PM
Logfile: MBM 11_05_2014.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.05.10
Rootkit Database: v2014.11.01.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Mac

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 325950
Time Elapsed: 12 min, 49 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.DefaultTab.A, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\defaulttab, , [240a8dab3d3f41f518b9c069f40fb749],
PUP.Optional.DefaultTab.A, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\defaulttab\defaulttab, , [240a8dab3d3f41f518b9c069f40fb749],

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
-----------------------------------------------------------------------

Results of screen317's Security Check version 0.99.89

Windows 7 Service Pack 1 x64 (UAC is enabled)  
Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!  
Norton 360    
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 71  
Java 8 Update 25  
Java version out of Date!
Adobe Flash Player 15.0.0.189  
Mozilla Firefox 32.0.3 Firefox out of Date!  
Google Chrome 38.0.2125.104  
Google Chrome 38.0.2125.111  
````````Process Check: objlist.exe by Laurent````````  
Symantec Norton Online Backup NOBuAgent.exe  
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````


Last edited by macmanetz on Thu 06 Nov 2014, 9:18 am; edited 1 time in total (Reason for editing : needed to add additional info)

macmanetz

Rookie Surfer

Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1
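An added read-only triage check, not part of this thread and not one of the tools the helper asked for: it lists the Run/RunOnce autostart values and flags the shape a registry-resident loader such as Poweliks used in 2014 (a Run value with a name regedit cannot display whose command starts rundll32 with a javascript: URL that in turn launches PowerShell, which is what makes "PowerShell has stopped" pop-ups a useful symptom). The key paths and match patterns are my assumptions; the script changes nothing.

```powershell
# Added example (not from this thread). Enumerates common autostart registry keys and
# flags values that look like a registry-resident script loader. Read-only.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Command-line fragments that deserve a second look in an autostart entry (assumed patterns).
$suspiciousCommand = @(
    'rundll32[^\r\n]*javascript:',                        # rundll32 abusing the javascript: handler
    'mshta(\.exe)?\s',                                    # HTA host running inline script
    'powershell[^\r\n]*\s-(e|ec|enc|encodedcommand)\b',   # encoded PowerShell command
    'wscript|cscript'                                     # script hosts started from an autorun
)

function Test-AutorunValue {
    param([string]$Name, [string]$Command)
    $reasons = @()
    # Poweliks-style entries hid behind a value name that regedit could not render.
    if ([string]::IsNullOrEmpty($Name)) { $reasons += 'empty value name' }
    elseif ($Name -match '[^\x20-\x7E]') { $reasons += 'non-printable/non-ASCII value name' }
    foreach ($p in $suspiciousCommand) {
        if ($Command -match $p) { $reasons += "command matches '$p'" }
    }
    return $reasons
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $reasons = Test-AutorunValue -Name $name -Command $cmd
        [PSCustomObject]@{
            Key     = $key
            Name    = if ($name) { $name } else { '(default/empty)' }
            Flag    = if ($reasons.Count) { 'SUSPECT' } else { 'ok' }
            Reasons = ($reasons -join '; ')
            Command = $cmd
        }
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a SUSPECT row is a lead for the helper to look at, not proof of infection on its own.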

Re: Trojan.powerliks!gm-I think

Post by Superdave on Thu 06 Nov 2014, 1:23 pm

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

• Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

• Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.

• The tool will open and start scanning your system.

• Please be patient as this can take a while to complete depending on your system's specifications.

• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

• Copy and paste the JRT.txt log into your next message.
*****************************************
Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.


Superdave

Tech Staff

Posts : 4192
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Trojan.powerliks!gm-I think

Post by macmanetz on Fri 07 Nov 2014, 8:50 am

I had a little trouble downloading JRT, but it did download, just not to my desktop, and before I knew it, it was up and running! So I hope this didn't affect the scan. When it was done, I did a search and moved it to the desktop. Here are the results:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.6 (11.05.2014:1)
OS: Windows 7 Home Premium x64
Ran by Mac on Thu 11/06/2014 at 14:04:04.32
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\microsoft\internet explorer\low rights\elevationpolicy\{a5aa24ea-11b8-4113-95ae-9ed71deaf12a}"
Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9"
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1DAD511F-DD95-465C-BE1A-6A384597FED6}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{736D2710-D240-4E6E-A00E-CA2A3668AE17}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C996D986-ED74-4975-A9D4-F188C0708666}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D4874AC9-6A89-49AC-AE76-D7FF2A323FEB}



~~~ Files

Successfully deleted: [File] C:\Windows\Tasks\PC Optimizer Pro64 startups.job
Successfully deleted: [File] C:\Windows\Tasks\DriverUpdate Scan.job
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npmozcouponprinter.dll"
Successfully deleted: [File] "C:\Windows\couponprinter.ocx"
Successfully deleted: [File] C:\Windows\prefetch\DRIVERUPDATE.EXE-4FF082B7.pf



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Mac\appdata\local\cre"
Failed to delete: [Folder] "C:\Program Files (x86)\coupons"
Successfully deleted: [Folder] "C:\Program Files (x86)\regzooka"
Successfully deleted: [Folder] "C:\Program Files (x86)\weatherblinkei"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{0B730096-BE2D-476C-901B-D4E1AFECD595}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{0C8D4E26-125E-41AA-9890-96724E774499}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{109F8E47-E0A8-4B91-9EE6-555799509B21}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{184A83C9-E333-45B4-AB3D-AA6CE438EAF7}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{19B5EA24-C80C-433F-AD82-39EF01C1F5ED}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{2F221E6C-7558-46D3-B925-9F78B5350B22}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{2F77B384-013E-4315-91AF-E1AD810D4742}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{30ECAEE3-D24C-4369-8494-3C8665F610FB}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{35768095-B0FD-48CB-9319-C22DA83B1DB4}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{42E3B4EE-BAE1-4416-9C65-F0B96A54941E}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{4C9FCA90-F382-44CA-9568-648C8E4BB339}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{539921C7-F275-4DD3-94C2-1DC2F1729E72}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{57C83AED-4753-419D-8624-17CC26781C0D}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{7D137C71-471B-46D7-9D5B-B5930100780F}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{7D8EE27F-85C3-4B6E-9381-40086A75D9C3}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{804AFFEB-1246-44DB-8C4F-FD112B9B12C9}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{8FC42407-5F68-4063-A141-F449346AD534}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{8FD03ECA-F910-475A-B87C-8AB2F4BE4891}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{A3CF8054-C1B7-4688-8532-903408930902}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{AAD83A4B-C1D7-4FFD-BEE5-08156226DFE9}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{C9B89792-E154-4D2A-AC2F-6E8AEC0AC9E5}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{CF644FC5-B387-4161-BD16-FC1A3F170DCB}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{D4BAB999-C322-4E39-AAC4-A3AB54E5F4CE}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{D5F987D8-BF13-40AE-A0E1-C6F9C91259F8}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{D99151FB-61FE-4E1D-897A-CF66E895014B}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{EDF73755-FFB7-45BE-A467-8A6AC1756711}
Successfully deleted: [Empty Folder] C:\Users\Mac\appdata\local\{EE84A1AC-EB5B-4918-8777-29E26E20A523}



~~~ FireFox

Emptied folder: C:\Users\Mac\AppData\Roaming\mozilla\firefox\profiles\m85a0ybn.default\minidumps [50 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 11/06/2014 at 14:34:54.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then I did the Malwarebytes Anti-Rootkit. The first time around it said that nothing was found, but I restarted the computer and ran it a second time as expected. Here are the 2 results:

FIRST SCAN:
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
[You must be registered and logged in to see this link.]

Database version: v2014.11.06.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17358
Mac :: MAC-HP [administrator]

11/6/2014 3:19:21 PM
mbar-log-2014-11-06 (15-19-21).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 328640
Time elapsed: 25 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

SECOND SCAN:
Malwarebytes Anti-Rootkit BETA 1.07.0.1012

Database version: v2014.11.06.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17358
Mac :: MAC-HP [administrator]

11/6/2014 4:04:57 PM
mbar-log-2014-11-06 (16-04-57).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 328122
Time elapsed: 11 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

In verifying that the system is running "normally" as mentioned by the Malwarebytes instructions: Yes, I have internet access, Windows Update looks good and I believe the Norton Firewall is operating instead of Windows Firewall.  

I enabled Norton again and while writing this, I got another high usage warning!!

macmanetz

Rookie Surfer

Posts : 53
Joined : 2010-02-24
Operating System : Windows 8.1

Re: Trojan.powerliks!gm-I think

Post by Superdave on Fri 07 Nov 2014, 1:26 pm

Please download and install MSE (below) then disable your Norton AV and see what happens.

MicroSoft Security Essentials All versions and all languages.

Superdave

Tech Staff

Posts : 4192
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: Trojan.powerliks!gm-I think

Post by macmanetz on Fri 07 Nov 2014, 3:27 pm

Will do tomorrow when I am at the infected computer. In the mean time, the above link for Microsoft Security Essentials is not active. Do you have a preferred link or should I just search for it?


Re: Trojan.powerliks!gm-I think

Post by Superdave on Sat 08 Nov 2014, 2:53 am

It works for me. If you can't get the link to work just do a search for MicroSoft Security Essentials.


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Sat 08 Nov 2014, 8:15 am

The link didn't work on my own computer last night but it worked on the "infected" computer today....sorry about that!

I downloaded MSE but when I got to being asked to uninstall Norton versus enabling it, I hesitated. I decided to just work on the computer and see how things went. I have been on the computer for 2+ hours now and things seem to have settled down. The CPU is running quietly and not churning like before.

The only presence of Norton was a warning window that told me that Microsoft Essentials was safe....otherwise, Norton is quiet in the background without continually flashing windows telling me of high usage (which I haven't seen any of today) or blocking another intrusion attack. In looking at Norton's history log, there has been NO attack today (unlike the previous activity over the last few days). The computer seems responsive and not sluggish.

I have been in my email, FB and clicked links that looked interesting and that took me to pages that seemed a little border line safe, but all is calm and seems fine!

So, I'm wondering, do I really need to change out Norton to MSE? or can I bypass this? Is there something else you want me to download as a final cleaning?


Last edited by macmanetz on Sat 08 Nov 2014, 8:33 am; edited 1 time in total (Reason for editing : additional info)


Re: Trojan.powerliks!gm-I think

Post by Superdave on Sat 08 Nov 2014, 8:27 am

So, I'm wondering, do I really need to change out Norton to MSE? or can I bypass this? Is there something else you want me to download as a final cleaning?

No. If Norton is running well, leave it be.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

•Check
•Click the button.
•Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Sat 08 Nov 2014, 9:11 am

Having trouble opening/downloading ESET. In IE, after I accept the terms and start, a popup appears but says that “An add-on for this site failed to run” without telling me what to do about it. I went through ESET's help and what I get does not match this so it does not help. I tried Mozilla and it tells me to download the installer but every time I click on esetsmartinstaller_enu.exe as indicated, it just makes my Mozilla blink and there is no indication of any download in the browser history. I have done both a number of times. Is there something blocking each?


Re: Trojan.powerliks!gm-I think

Post by Superdave on Sat 08 Nov 2014, 9:27 am

Ok, let's try this one.

Run the BitDefender Online scanner

Agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.

Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report.

When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save.

This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later).
This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

If you do not follow these steps, you will have an incorrect log or, worse, a log summary which is useless to us.

Post the bdscan.txt file as an Attachment.


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Sun 09 Nov 2014, 6:48 am

I tried to do this in IE and it kept saying (again) that “An add-on for this site failed to run”. I switched to Firefox and it made me add some files to the browser and said that I was downloading something to my computer.... and then finally showed me the license agreement. After that, the Bitdefender scanner started to work on the website. It didn't take long. There is what appears to be a stop watch design in the middle of the page and it turned red with a speech bubble pointing to it that says "Your system is infected with Gen:Variant.Adware.Symmi.4206 - Clean your computer with the New Bitdefender Internet Security." I looked back to your instructions which said "Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report." But I don't see any tab anywhere that is labeled Detected Problems!!!! I am holding the web page and hope to catch you on line right now....what now?


Re: Trojan.powerliks!gm-I think

Post by Superdave on Sun 09 Nov 2014, 7:12 am

Please update and run another scan on your computer with MBAM. Also, run a scan with Norton.

* Go to Start > Run and type mrt.exe then press Enter on the keyboard.
* (Vista and Windows 7 users go to Start and type mrt.exe in the search box then press Enter on the keyboard.)
* Click Next.
* Choose Full Scan and click Next.
* Once the scan is finished click View detailed results of the scan.

Look through the list and let me know if anything was found infected.


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Mon 10 Nov 2014, 9:37 am

I accidentally worked a little backwards here.....sorry. I ran the mrt.exe first and it ran from the middle of yesterday and into the night without finding anything infected.

So today I ran MBAM with 5 Trojans quarantined. Here's the log:

Malwarebytes Anti-Malware

Scan Date: 11/9/2014
Scan Time: 10:31:01 AM
Logfile: mb-log11-09-2014.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.09.05
Rootkit Database: v2014.11.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Mac

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327361
Time Elapsed: 12 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 3
Trojan.Agent, C:\Users\Mac\AppData\Local\Hewlett-Packard\Tityyzqxatcx.dll, , [12a746f3245837ff54e4f8e34db660a0],
Trojan.Agent, C:\Users\Mac\AppData\Local\Hewlett-Packard\Tityyzqxatcx.dll, , [12a746f3245837ff54e4f8e34db660a0],
Trojan.Agent, C:\Users\Mac\AppData\Local\Hewlett-Packard\Tityyzqxatcx.dll, , [12a746f3245837ff54e4f8e34db660a0],

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Agent, HKU\S-1-5-21-1593586926-1402848401-3544549796-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Tityyzqxatcx, regsvr32.exe /s "C:\Users\Mac\AppData\Local\Hewlett-Packard\Tityyzqxatcx.dll", , [12a746f3245837ff54e4f8e34db660a0]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Agent, C:\Users\Mac\AppData\Local\Hewlett-Packard\Tityyzqxatcx.dll, , [12a746f3245837ff54e4f8e34db660a0],

Physical Sectors: 0
(No malicious items detected)


(end)
----------------------------------------------------
Then I ran Norton Full scan and got 8 items quarantined.
I just looked at the Security History for Norton and there were 11 listed, all Poweliks!gm (listed as High Risk) and all quarantined. I tried to run a quarantine report but it is a mcf file and needs something on line to interpret the file. When I go there to download the option offered, I get a window that says "Your current security settings do not allow this file to be downloaded!" Know a good source for that?

Why does poweliks keep attacking this computer and good thing that Norton is blocking it....

So I ran the mrt again this afternoon in the order that you had written and it completed after about 3 hours with no infections!

At the moment, the system sounds quiet and I haven't seen a lot of high usage warnings in the last few hours (but did earlier).

By the way, one of the things that keeps showing high usage (besides COM.surrogate) is Chrome. Chrome is not being used by anyone on this computer. No one on this computer uses gmail or any of the google associated services. Would it be OK to uninstall it?


OK...what next???



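The MBAM log above records the persistence shape that matters here: a value under ...\CurrentVersion\Run that launches regsvr32.exe /s on a DLL sitting in AppData\Local, a folder any standard user can write to. The script below is an added example for this thread, not code from Malwarebytes, Norton, ESET or any other tool used in it. It is a read-only audit: it lists Run/RunOnce values that go through a script or DLL host, point into a user-writable folder, or carry a value name with characters the Registry Editor cannot display (a hiding trick Poweliks is known for), and it lists the dllhost.exe (COM Surrogate) instances, because Poweliks runs its payload inside that host, which is consistent with the repeated COM Surrogate CPU warnings in this thread. Function names, the pattern lists and the Windows PowerShell 2.0+ assumption are mine; run it from an elevated prompt so HKLM and every process are readable.

```powershell
# Added example, not from the thread or any tool it uses. Read-only audit for
# the persistence shape seen in the MBAM log: an autostart value under
# ...\CurrentVersion\Run that runs regsvr32.exe /s on a DLL in a user-writable
# folder. Written for Windows PowerShell 2.0+ (Windows 7 SP1 and later).
# Run from an elevated prompt so the HKLM keys and all processes are readable.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Signed Windows binaries that execute whatever DLL or script they are handed;
# an autostart entry that goes through one of them deserves a second look.
$HostPattern = 'regsvr32\.exe|rundll32\.exe|mshta\.exe|powershell\.exe|wscript\.exe|cscript\.exe'

# Folders a standard user can write to. Legitimate software rarely autostarts
# a DLL from here; the DLL in the MBAM log lived under AppData\Local.
$UserWritablePattern = '\\AppData\\(Local|LocalLow|Roaming)\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\'

function Get-SuspiciousRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; they are not registry values.
            if ($prop.Name -like 'PS*') { continue }
            $cmd      = [string]$prop.Value
            $viaHost  = $cmd -match $HostPattern
            $fromUser = $cmd -match $UserWritablePattern
            # Poweliks hides its value under a name regedit cannot display;
            # any name containing a character outside printable ASCII is flagged.
            $oddName  = $prop.Name -match '[^\x20-\x7E]'
            if ($viaHost -or $fromUser -or $oddName) {
                $reasons = @(
                    if ($viaHost)  { 'runs through a script/DLL host' }
                    if ($fromUser) { 'points into a user-writable folder' }
                    if ($oddName)  { 'value name has non-printable characters' }
                )
                New-Object PSObject -Property @{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $cmd
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-ComSurrogateProcess {
    # Poweliks runs its payload inside dllhost.exe ("COM Surrogate"). A genuine
    # surrogate is started by the system with a /Processid:{CLSID} argument;
    # instances without one, or many of them at once, are worth investigating.
    Get-WmiObject -Class Win32_Process -Filter "Name = 'dllhost.exe'" |
        ForEach-Object {
            New-Object PSObject -Property @{
                ProcessId   = $_.ProcessId
                ParentId    = $_.ParentProcessId
                CommandLine = $_.CommandLine
                HasClsid    = [bool]($_.CommandLine -match '/Processid:\{[0-9A-Fa-f-]+\}')
            }
        }
}

"== Autostart entries worth reviewing =="
Get-SuspiciousRunEntry | Format-List Key, Name, Command, Reasons

"== dllhost.exe (COM Surrogate) instances =="
Get-ComSurrogateProcess | Format-Table ProcessId, ParentId, HasClsid, CommandLine -AutoSize
```

Run against the machine in this thread before the MBAM cleanup, the first list would have shown the Tityyzqxatcx value with the reasons "runs through a script/DLL host; points into a user-writable folder". The script changes nothing; anything it flags is a lead for the scanners already being used, not a verdict.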
Re: Trojan.powerliks!gm-I think

Post by Superdave on Mon 10 Nov 2014, 2:06 pm

Yes, uninstall it and any other programs that you're not using. You should consider installing MSE and disabling Norton for a few days to see if it will make any difference.


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Tue 11 Nov 2014, 6:39 am

Ok, I have to hit the road for a week, I will do the above upon my return so I can be on hand to monitor what is going on............don't close this thread out......thanks for your help...I shall return!


Re: Trojan.powerliks!gm-I think

Post by Superdave on Tue 11 Nov 2014, 7:05 am

Ok, have a safe trip.


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Sat 22 Nov 2014, 9:04 am

Ok, I'm back. My Dad (it's his computer with the issues) ran daily Norton quick scans and the one today said "Trojan.Poweliks!gm will be resolved with restart." so I restarted it and within a minute I got a Norton pop-up saying that Norton had blocked: "System Infected: Trojan.Poweliks Activity" Does that mean that Norton was just doing its job and stopped the infection? It did its job?

I have not switched out Norton for MSE (yet).
I did uninstall Chrome and both the unused Google & Yahoo tool bars.

I ran an updated MBAM scan and the report was No malicious items were detected.

Yesterday during my brief visit, my Dad said that he could not download the attachments from Yahoo that I had emailed him using IE. It worked in Firefox but not in IE. So after an internet search I tracked the problem to his settings in IE, in which the download files option was disabled!! I enabled it and tested it on the emails and all worked well. In light of that, I would like to back up here to try to scan the machine with ESET OnlineScan again (which I had problems with to begin with). Would this be OK to do?


Re: Trojan.powerliks!gm-I think

Post by Superdave on Sat 22 Nov 2014, 9:54 am

Does that mean that Norton was just doing its job and stopped the infection? It did its job?
Yes, they like to brag about how good they are.
my Dad said that he could not download the attachments from Yahoo that I had emailed him using IE. It worked in Firefox but not in IE. So after an internet search I tracked the problem to his settings in IE, in which the download files option was disabled!! I enabled it and tested it on the emails and all worked well. In light of that, I would like to back up here to try to scan the machine with ESET OnlineScan again (which I had problems with to begin with). Would this be OK to do?
Excellent work and yes, try to run ESET again.


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Mon 24 Nov 2014, 3:35 am

After going to IE>settings>Internet Options>Security Tab> Pressed "Reset all zones to default level" button (a solution that I found on line), I was FINALLY able to get ESET to carry on with the scan!! After 6 hours over night, it is finally done, but there are a few options that are not mentioned in your instructions that I need help with:

1. FYI-Before the scan, I had to choose between (or it would not let me proceed with the START button) :
>Enable detection of potentially unwanted applications or
>Disable detection of potentially unwanted applications

I chose the Enable option.

2.Now on the final screen before pressing the FINISH button, there are 2 options:
> Uninstall application on close
>Delete quarantined files

I think I want to check the Uninstall one and since I chose "Enable detection of potentially unwanted applications" would it be wise to delete quarantine files since they might be only POTENTIALLY unwanted? or should I go ahead and delete them all? Should I check this box? Further info:

I have the ESET final window still open until I hear from you as to what to do.

I can access the log in the ESET folder and this is all it said (maybe because I haven't hit the FINISH button?):
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK


I noticed a folder within the ESET folder titled Quarantine and looked in it.  It contains 55 items (all a bunch of numbers) but the scan results said it had found 31 "infected files". (Again, maybe the discrepancy is due to not hitting the FINISH button and not finalizing the scan? Maybe the log will be different after I do this?) 29 of the infected files seem to be in Adware Cleaner Quarantine and of the other 2, one is related to Chrome which I just deleted the whole App and the other is related to Mozilla Extensions & Rival Gaming which my Dad does not play games!!
So should I check the "Delete Quarantine files" in the ESET Final window??


Re: Trojan.powerliks!gm-I think

Post by Superdave on Mon 24 Nov 2014, 8:39 am

I think I want to check the Uninstall one and since I chose "Enable detection of potentially unwanted applications" would it be wise to delete quarantine files since they might be only POTENTIALLY unwanted? or should I go ahead and delete them all? Should I check this box? Further info:
Yes, uninstall the app. You won't need it again, I hope. If you chose uninstall, the quarantined files will be gone when the program is uninstalled.
I noticed a folder within the ESET folder titled Quarantine and looked in it. It contains 55 items (all a bunch of numbers) but the scan results said it had found 31 "infected files". (Again, maybe the discrepancy is due to not hitting the FINISH button and not finalizing the scan? Maybe the log will be different after I do this?) 29 of the infected files seem to be in Adware Cleaner Quarantine and of the other 2, one is related to Chrome which I just deleted the whole App and the other is related to Mozilla Extensions & Rival Gaming which my Dad does not play games!!
Correct, most of the files are already quarantined by another program.


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Mon 24 Nov 2014, 8:54 am

Done.
Rebooted.
ESET folder is gone so no further info for the log (because it is gone also!!!)
What now?


Re: Trojan.powerliks!gm-I think

Post by Superdave on Mon 24 Nov 2014, 9:02 am

How's your computer working now?


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Sat 29 Nov 2014, 7:19 am

Sorry about the delay but it gave me a few days to monitor the computer. It seems to be running fine and smoothly. Is there any last thing that I need to do? I still have JRT and MBAR on the desktop......


Re: Trojan.powerliks!gm-I think

Post by Superdave on Sat 29 Nov 2014, 7:31 am

That's good. We can do some clean up and we'll be finished.

Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space in C drive.)
*****************************************************
This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

  • Activate UAC (optional; some users prefer to keep it off)
  • Remove disinfection tools
  • Create Registry backup
  • Purge System Restore Points
  • Re-set system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.
**********************************************************************
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!


Re: Trojan.powerliks!gm-I think

Post by macmanetz on Tue 02 Dec 2014, 8:30 am

I did the Disk Cleanup, and downloaded Delfix and ran it. Mbar icon is still on the desktop even after running Delfix twice. I can't find the main program of mbar and when I right click on it I cannot find any way to uninstall it.....what should I do?

