I am having issues with malware. Norton is reporting trohan.powelik

[vik singh]

I am having issues with Malware for about a month now. I tried running Norton and it keeps reporting trojan.powelik activity.

I am attaching scan log from FRST.

 

[argus]

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

CloseProcesses:
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKU\S-1-5-21-2868615096-1154979062-3189246539-1000\...\MountPoints2: {aed87492-bff8-11e2-a665-806e6f6e6963} - D:\Setup.exe
HKU\S-1-5-21-2868615096-1154979062-3189246539-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-21-2868615096-1154979062-3189246539-1001\...\Run: [SearchProtection] => "C:\Users\pc101\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart
C:\Users\pc101\AppData\Roaming\Search Protection
HKU\S-1-5-21-2868615096-1154979062-3189246539-1001\...\MountPoints2: {aed87492-bff8-11e2-a665-806e6f6e6963} - D:\Setup.exe
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00032021.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00031866.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00030295.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00029490.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00026139.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00025804.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00025677.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00025288.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00024077.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00022663.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00021672.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00019207.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00018279.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00017578.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00016989.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00016674.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00016402.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00015317.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00014713.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00013207.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00012377.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00012120.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00011107.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00008984.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00008808.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00008755.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00008113.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00007682.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00006942.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00001735.tmp
2014-10-10 12:34 - 2014-10-10 12:34 - 01176168 ____T () C:\Windows\SysWOW64\00000199.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00028984.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00027584.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00025130.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00024961.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00024920.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00023856.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00023699.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00019228.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00018634.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00018410.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00018114.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00017922.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00017214.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00016293.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00015861.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00015602.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00012251.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00011774.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00011229.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00010824.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00010392.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00007877.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00007236.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00006428.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00006049.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00004848.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00004538.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00001908.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00001529.tmp
2014-10-10 10:36 - 2014-10-10 10:36 - 01176168 ____T () C:\Windows\SysWOW64\00000398.tmp
2014-10-10 10:35 - 2014-10-10 10:35 - 01176168 ____T () C:\Windows\SysWOW64\00013300.tmp
EmptyTemp:

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

 

[vik singh]

I ran the fixlist and ran frst. Please find the log

 

[argus]

Is everything ok now?

 

[vik singh]

Seems like its OK. I will watch for a day and report back here.

Thanks a lot.

 

[argus]

OK.