Solved Just found trojan.powelink

[Jeff W]

I tried downloading the FRST, but it was a mess. Not sure what I need to turn off, but all the stuff that happened scared me.

 

[argus]

Disable AV

http://www.bleepingcomputer.com/forums/topic114351.html

 

[Jeff W]

Here are the files. Thanks.

 

[argus]

Download

Malwarebytes Anti-Rootkit to your desktop.

• Double-click the icon to start the tool.
• It will ask you where to extract it, then it will start.
• Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
• Click in the introduction screen "next" to continue.
• Click in the following screen "Update" to obtain the latest malware definitions.
• Once the update is complete select "Next" and click "Scan".
• When the scan is finished and no malware has been found select "Exit".
• If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
• Open the MBAR folder and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"

Scan with Farbar Recovery Scan Tool
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

 

[Jeff W]

Ok, finally done. The anti-rootkit found a couple things and cleaned them. Here's the files... What would the svchost.exe be? I got it a long time ago via Symantec and blocked it. IF I need it can I unblock?

 

[argus]

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

​

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

 

[Jeff W]

Ok, here it is.

 

[argus]

How is the situation now?

 

[Jeff W]

Seems a lot better. No further Trojan or malicious IP notifications. On the svchost.exe notifications, any ideas? Having a problem retaining cookies of trusted favorites.

 

[argus]

FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 the same way:

• Copy svchost.exe into the Search: field in FRST then click the Search Files button.
• FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
• Please attach it to your reply.

 

[Jeff W]

Here it is.

 

[argus]

All svchost.exe are legitimate.
It was a false positive.

 

[argus]

Maybe reinstall Norton or other AV.

 

[argus]

md5

C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009-07-13 17:19][2009-07-13 19:14] 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
[2009-07-13 17:31][2009-07-13 19:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D [File is signed]

C:\Windows\SysWOW64\svchost.exe
[2009-07-13 17:19][2009-07-13 19:14] 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866 [File is signed]

C:\Windows\System32\svchost.exe
[2009-07-13 17:31][2009-07-13 19:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D [File is signed]

C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows\svchost.exe
[2014-12-13 08:34][2014-11-21 06:12] 0761656 ____A (MalwareBytes) 625BB08813743947985B0DEEFC35ED12 [File is signed]

You can check the Virus Total - search options
https://www.virustotal.com/

 

[Jeff W]

Cool. Thanks, Argus. Things look good.