Solved Powelik and AdClicker Trojans and more

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
The FRST and Addition attachments were made earlier today. The computer is worse now. I tried to download Farbar Recovery Scan Tool again, and the computer won't let me download it and it's gone from the computer. It changed my windows firewall such that it won't let me download the file, and it won't let me change the settings. If you need newer scans attached, let me know, and I can try to do it in safe mode with networking. I am going to post this while I can and then go to safe mode to try to get the rest of the scans you need and attach them in a reply.
 

Attachments

  • Addition.txt
    41.9 KB · Views: 42
  • FRST.txt
    47.2 KB · Views: 40

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:
  • At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
  • Instructions I give to you are very simple and made for a complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
  • If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running for too long (a few hours), please stop and inform me.
  • I visit the forum several times a day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have a private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  • Please attach all reports using the attachment button below. Doing this, you make it easier for me to analyze and fix your problem.

  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.




Rules and policies

We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or anything similar is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.




Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
 

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
If I boot normally, the trojans/viruses hijack my internet browsers so I cannot go to any sites I want to go to such as this one, email, or the download sites. When I boot in safe mode with networking, I can go to the site to download ComboFix; however, it wants me to download 7Zip or Zip7 whichever it is, which I try to do and have saved to the computer, but it doesn't actually run to completion. I thought it did and started to download Combo Fix, but again and again it sends me to 7Zip to download it first.

Should I go buy a thumb drive to attempt to download it on? Or are there possibly any other settings I'm missing in safe mode? Will it not work in safe mode with networking? Is there any way to get past the hijacked internet browsers? I'm typing this from an old laptop I have.
 

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
Update: I reset my internet modem/box, and now can't get on the internet on that computer at all. It shows me connected, but whenever I try to go to any internet site through my internet browsers, instead of saying the site name can't be recognized (like before the reset, I would type in this site and it would say cannot recognize and give some weird characters for the site name - possibly Chinese or ?), now it says cannot connect to proxy server. I tried the wireless connection too.

Obviously I have a good internet connection, because I am using the wireless connection on this old laptop which is sitting right next to my desktop computer.

If worst comes to worst, I am willing to buy a full copy of windows 8 on disc (although I'm not sure I'll like windows 8), move important programs to my external hard drive, and wipe my drives by installing the fresh windows 8. That would be my worst case scenario, but doable.

I'm hoping there is a way to get this working in safe mode with networking or with a thumb drive (although I'm not sure it will let me load it not in safe mode), or some other way.
 

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
I will try again, but on the infected computer it has hijacked my internet browsers, and I cannot get to any sites of my choosing. In safe mode I was using the link you provided, which when I hit download to download ComboFix would instead take me to 7Zip stating it was required. It would never let me download ComboFix when I hit download on the ComboFix link. Will try again and let you know.
 

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
I went on the computer in safe mode with networking. I didn't think this is possible, but it won't let me go to sites I want to go to. What happens is that I type a letter, say "m", but then it takes my cursor off and flashes various boxes such as the undo, cut, copy, paste, delete, etc. box or some other box like that. I fight my way through, continuing to reclick on the address or search box, and sometimes it takes me to the list of program files. I then hit the next letter key and nothing happens. I hit it again, and nothing happens. I keep clicking on the address bar or search bar (whichever I am using) and try to type the next letter in malwaretips.com. I can't get it to type this address. I didn't think this was possible in safe mode with networking. I don't know what to do. It won't let me do anything, period. It also makes the keyboard lights flash sometimes off and on, off and on, but not always. When I hit Internet Explorer in safe mode with networking, it briefly says this at the top:

https//searchyahoo.com/whs/web?hspart=w3i&hsimp=yhs-syctransfer&type=w3i_sp,204,0_0,StartPage - Internet Explorer

or something very close to that.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Let's try with this tool. If it fails again, then you'll need to borrow a pen drive and transfer it to the infected PC.



Download Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"
 

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
The problem I'm having is that I can only get to malwaretips.com, or my email: yahoo.com, or any of the links provided on a non-infected computer. My infected computer has basically been completely hijacked. It will not allow me to go to any websites of any kind. I don't think it will allow me to download anything either, but this I'm not completely sure about. I do know, though, that it has made it impossible for me to go to any website I want to go to. I'm at work now, so just in case, on my way home from work, I will buy a flash drive. I will try again when I get home, although, I know it wouldn't let me get to any website this morning at all. Then I will reply about my success or lack thereof, and I'll have the flash drive just in case I need it.

I know this is a frustrating case. I've never heard of any Trojan/virus that does this. I really do appreciate all your help very much!
 

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
This evening, the computer has stopped its antics for now. It's allowing me to type and go to websites. It's just so weird how sometimes it completely acts crazy and sometimes it doesn't. Anyway, I followed your link and tried to download it but am getting "Your current security settings do not allow this file to be downloaded." In Internet Options/Security, I have downloads enabled. In Security I have medium and have the site listed as a trusted site. I disabled everything in Norton 360 temporarily, but I suddenly started getting warnings from Norton about blocking Blackhole toolkit. If I disabled everything I could think of in Norton, wouldn't it have let that Blackhole toolkit through? Windows is showing a firewall of some sort up but has all selections greyed out for me, so I can't change anything.

I am not sure how to get anything downloaded on this computer anymore. It is starting to act up again slowly as I'm typing this. I also tried safe mode with networking and got the same error.

It's like it has me locked out from downloading anything. It is now starting that tab nonsense while I am typing.
 

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
I unhooked it from the internet, and it seems quiet again. I am going to download the programs you mentioned onto a flash drive so it will be ready if you want me to try to run any of them off the flash drive.
 

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
Attached are new logs. I am running ComboFix now. Will attach a log from it when it is finished. I have not used any of them to clean or fix yet. I just got the logs. All of the logs but ComboFix were run before ComboFix was run.

Update: I see that ComboFix is deleting files, but I don't understand the files it is deleting. It's deleting the autorun.inf and setup.exe for my external backup drive. That is my fault since I accidentally left the external backup drive plugged in. I quickly unplugged it when I saw what was happening. Now when I plug it into another computer it says it must be formatted in order to be used. Do you think any of the data is still there? If so, do you think it can be salvaged off the drive? I guess I'll be buying a new one and quickly making another backup of photos, videos, and important programs. Some of the data was not on the computer anymore and only located on the backup drive. Hopefully I didn't lose that, but if I did, it's my own fault. I was tired this morning and didn't think about leaving it plugged in last night after I moved some family videos over to it from the computer.

It didn't show that it deleted anything else but a few temp files and the autorun and setup files for my backup drive. Then it said it was rebooting the machine. Then a file I don't recognize that doesn't show up under programs called Genieo said something like it was blocking an unauthorized change to the registry. I don't recognize this program at all; I didn't put this program on the computer.

ComboFix rebooted the computer, and the log report is attached. The log states Norton 360 was enabled, but ComboFix gave me a warning about it at the beginning, and I disabled everything in Norton 360 before ComboFix proceeded.

NOTE: The program called Genieo may have prevented cleanup of the registry or so it said in a warning that popped up. The warning stated "c:\users\wner\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe
Illegal operation attempted on a registry key that has been marked for deletion."

I then ran new scans with FRST, AdwCleaner, and aswMBR that are attached as "after Combofix".

I found that I keep getting the warning in internet explorer when trying to download anything like Norton 360:

"Your current security settings do not allow this file to be downloaded."

However, I do not get this same error if downloading on google chrome.

I then had to uninstall and reinstall Norton 360 with the Norton removal tool.

I then removed Genieo from the computer through program uninstall on the control panel.
 

Attachments

  • FRST2.txt
    62 KB · Views: 110
  • Addition2.txt
    41.8 KB · Views: 38
  • AdwCleaner[R0].txt
    5.7 KB · Views: 32
  • aswMBR.txt
    3.5 KB · Views: 32
  • combofix.txt
    39.7 KB · Views: 215
  • FRST after Combofix.txt
    53.2 KB · Views: 91
  • AdwCleaner[R1] After Combofix.txt
    5.6 KB · Views: 56
  • aswMBR after Combofix.txt
    1.9 KB · Views: 29

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Good. Let's scan again:



Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.
  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Wait until the database is updated.
  • Accept the Terms of use and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner





Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.
 

Toni Cookson

New Member
Thread author
Dec 28, 2014
12
Thank you! I did as you said, and attached are my logs.

On the FRST3 log, I was concerned about the entry beginning at the 13th line under Internet which is the 5th searchscope that mentions http:\\search.genieo.com. I attempted to take genieo off the computer and want it off. Does this line mean it is still on the computer?

Also, under one-month created files and folders in the FRST3 log on the 32nd line down, I was wondering what c:\users\owner\Desktop\o.zip is? It suddenly showed up on my desktop either yesterday or today.

On a good side note, I did download autorun and setup files for the external backup drive and it's working fine again. I did this on a different computer (non-infected).
 

Attachments

  • AdwCleaner[S0].txt
    4.9 KB · Views: 52
  • FRST3.txt
    55.2 KB · Views: 155
  • Addition3.txt
    41.3 KB · Views: 78
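The three symptoms reported in this thread so far (a proxy that was never configured, Internet Explorer refusing downloads on security-settings grounds, and a leftover search-provider URL under SearchScopes) each live in a well-known place in the current user's registry. The following read-only PowerShell check is added here as an illustration; it is not code from the thread or from any of the tools the helper uses. The registry paths and the 1803 URL-action code are standard Windows/IE locations; the list of expected search hosts is an assumption to be edited to whatever providers you actually set up. It changes nothing and only reports, so it can be run on a machine that is still mid-cleanup without interfering with the helper's fixlist.

```powershell
# Added example, not from the thread: read-only checks for the symptoms described
# above, run from an elevated PowerShell prompt as the affected user. Nothing is
# modified; the script only reports what it finds in HKCU.

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# --- 1. Per-user proxy. "Cannot connect to proxy server" on a network that has no
#        proxy usually means ProxyEnable=1 pointing at a server nobody configured.
$inet = Get-ItemProperty -Path $inetSettings -ErrorAction SilentlyContinue
if ($inet.ProxyEnable -eq 1) {
    Write-Output "Proxy ENABLED for this user: $($inet.ProxyServer)"
} else {
    Write-Output 'No static proxy configured for this user.'
}
if ($inet.AutoConfigURL) {
    Write-Output "Proxy auto-config script in use: $($inet.AutoConfigURL)"
}

# --- 2. "Your current security settings do not allow this file to be downloaded"
#        is IE's message when URL action 1803 (File download) is 3 (disable) in the
#        zone the site falls into. Zone 2 = Trusted sites, Zone 3 = Internet.
foreach ($zone in 2, 3) {
    $z = Get-ItemProperty -Path "$inetSettings\Zones\$zone" -ErrorAction SilentlyContinue
    $value = $z.'1803'
    $state = switch ($value) {
        0       { 'allowed' }
        3       { 'DISABLED' }
        default { "unset/other ($value)" }
    }
    Write-Output "Zone $zone file download (1803): $state"
}
# When Security_HKLM_only is set, the machine-wide zone settings in HKLM are enforced
# and the per-user values above are ignored; report that so the result is not misread.
$hklmInet = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($hklmInet.Security_HKLM_only -eq 1) {
    Write-Output 'Security_HKLM_only=1: zone settings are enforced machine-wide from HKLM.'
}

# --- 3. IE search providers. Uninstalling a program through Control Panel does not
#        remove the search scope it registered, so list every scope and its URL.
$expectedHosts = @('www.bing.com', 'www.google.com', 'search.yahoo.com')   # assumption: edit to taste
$scopesKey = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$defaultScope = (Get-ItemProperty -Path $scopesKey -ErrorAction SilentlyContinue).DefaultScope
Write-Output "Default search scope: $defaultScope"
Get-ChildItem -Path $scopesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $url = [string]$props.URL
    $hostName = '<unparseable>'
    try { $hostName = ([System.Uri]$url).Host } catch { }
    $flag = if ($expectedHosts -contains $hostName) { 'ok' } else { 'REVIEW' }
    Write-Output ('{0,-7} {1,-40} {2,-20} {3}' -f $flag, $_.PSChildName, $props.DisplayName, $url)
}
```

Lines marked REVIEW are not automatically malicious; they are simply providers pointing at a host you did not list. Compare them against the SearchScopes entries FRST reports, and leave removal to the fixlist the helper prepares, since FRST and AdwCleaner log what they remove and that record is what the thread works from.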

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
We will try to remove all leftovers now. How is your PC now?

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    2.9 KB · Views: 166

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself :)


Recommended reading:
MUST READ - security tips:

MUST READ - general maintenance:


The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavors running.

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.




Recommended additional software:
  • TFC - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.
  • Malwarebytes' Anti-Exploit - to block exploitation of many commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent installing additional foistware bundled with legitimate installers.
  • Adblock - to surf the web without annoying ads!



Post-cleanup procedures:


Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record a healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.



My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!




Stay safe,
TwinHeadedEagle :)
 
