Help with trojan please


dkman

I got the Trojan while browsing the web. The computer started to slow down and it started downloading small files; by the time I noticed it, it had downloaded about 2 GB worth of files.

I scanned it with RogueKiller, which showed the Poweliks Trojan. Unfortunately I can't get rid of the container; it keeps coming back. I used MSE, Malwarebytes, JRT, ESET, and AdwCleaner.

Thank you for the help!

Here are the Farbar files:

FRST.txt

Addition.txt


Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.


Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" button.

  • Double click on the randomly named GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • Sections
    • IAT/EAT
    • Show All (should be unchecked by default)
  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save.. button, and in the File name area type in "ark.txt", or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found); we need to see a report first.

Download TDSSKiller.zip and extract it to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please attach this file to your next reply.

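The thread so far shows a pattern worth naming: several file-based scanners report nothing, while RogueKiller keeps finding and killing svchost.exe processes and the infection returns after every reboot. That is what a registry-resident loader looks like. The PowerShell below is an added example for this thread, not code from any of the tools mentioned in it. It enumerates the Run/RunOnce autostart values and flags the two traits that public analyses of the Poweliks family describe: a value name containing non-printable characters (regedit shows it as blank and cannot delete it) and a command that starts a script host such as rundll32 with a javascript: argument instead of a program on disk. The key list and the regular expression are this example's own assumptions; the thread itself names neither.

```powershell
# Added example for this thread, not code from any tool named in it.
# Enumerates the Run/RunOnce autostart values in the per-user and machine hives
# and flags the two traits public analyses attribute to registry-resident
# loaders such as Poweliks: a value name containing characters regedit cannot
# display (so the entry looks empty and cannot be deleted by hand) and a
# command line that starts a script host rather than a program on disk.
# Key list and regex are this example's assumptions, not facts from the thread.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on x64
)

# Script hosts a fileless loader typically hides behind; -match is case-insensitive by default.
$scriptHostPattern = 'rundll32(\.exe)?.*javascript:|mshta(\.exe)?|powershell(\.exe)?.*(-enc|-e\s|iex|invoke-expression)|regsvr32(\.exe)?.*(/i:|scrobj)'

function Test-AutorunEntry {
    param([string]$Name, [string]$Command)
    $reasons = @()
    if ($Name -match '[^\x20-\x7E]')        { $reasons += 'value name contains non-printable characters' }
    if ($Command -match $scriptHostPattern) { $reasons += 'command launches a script host' }
    return ,$reasons   # unary comma keeps an empty result as an array
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    # GetValueNames() returns the raw names, including ones regedit renders as blank.
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $reasons = Test-AutorunEntry -Name $name -Command $cmd
        if ($reasons.Count -eq 0) { continue }
        $shownName = $name -replace '[^\x20-\x7E]', '?'
        $hexName = ($name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
        Write-Output ("SUSPICIOUS  {0}\{1}" -f $key, $shownName)
        Write-Output ("  name as UTF-16 code units: {0}" -f $hexName)
        Write-Output ("  command: {0}" -f $cmd)
        Write-Output ("  reasons: {0}" -f ($reasons -join '; '))
    }
}
```

Run it in an elevated PowerShell on the affected machine and paste the output into the reply; in a supervised cleanup like this one it is a reporting step, not a removal step. A value flagged only because its command is powershell.exe or mshta.exe may belong to legitimate software, which is why the command line is printed next to the reason. The hex dump of the name is there because a name that regedit shows as empty is the one thing this kind of entry cannot hide in a scan that reads raw value names.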

Hello,

When I start gmer.exe I get a message: "C:\windows\system32\config\system: the process cannot access the file because it is being used by another process." I restarted the computer, same message. I clicked OK, then started the scan anyway, same message; the scan stopped at c:\windows\system32\svchost.exe [4924:4936]       value  0000000000514c28 unknown mbr code

 

thanks


Hello.

Unfortunately, Marius is away for a few days, so I'll continue to help you with your problem until he is back.

Please note that I attend a part-time school, so I am not able to reply on Tuesdays and Wednesdays (today no school :D).

Please move on with TDSSKiller as instructed by Psychotic above.

Please post the most recent logfile of Malwarebytes and RogueKiller alongside the TDSSKiller logfile in your next reply.


Hello,

The virus is still there. It opens a backdoor for other malware, it keeps downloading hundreds of small files, and it also reduces the MTUs for its own purposes. The only tool that detects it is RogueKiller, but even that can't get rid of it.

roguekiller:

RogueKiller V10.0.3.0 (x64) [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : User [Administrator]
Mode : Scan -- Date : 10/23/2014  01:42:11

¤¤¤ Processes : 2 ¤¤¤
[Proc.Svchost] svchost.exe -- C:\Windows\system32\svchost.exe[7] -> Killed [TermProc]
[Proc.Svchost] svchost.exe -- C:\Windows\SysWow64\svchost.exe[7] -> Killed [TermThr]

¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-4064046353-3257964622-1369037010-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/#  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-4064046353-3257964622-1369037010-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/#  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 2 (Driver: Loaded) ¤¤¤
[IAT:Addr] (iexplore.exe @ MSHTML.dll) USER32.dll - GetCursorPos : C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll @ 0x1000ad50
[IAT:Addr] (iexplore.exe @ MSHTML.dll) USER32.dll - GetCursorPos : C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll @ 0x1000ad50

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] k12pkvb1.default : user_pref("browser.startup.homepage", "https://www.facebook.com/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000HHTZ-04N21V0 ATA Device +++++
--- User ---
[MBR] 49b179b6a0b4a60768b4d6d481afa5a4
[BSP] 52e332d623548580e922deb9d56293db : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ADATA SSD S510 120GB ATA Device +++++
--- User ---
[MBR] 80686f8f8d5a315b1a1a97e3309bf780
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 114473 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_DEL_10192014_092940.log - RKreport_DEL_10192014_093027.log - RKreport_DEL_10192014_110618.log - RKreport_DEL_10192014_113657.log
RKreport_DEL_10192014_121502.log - RKreport_DEL_10192014_122607.log - RKreport_DEL_10192014_195110.log - RKreport_DEL_10192014_212522.log
RKreport_DEL_10202014_085708.log - RKreport_DEL_10202014_090005.log - RKreport_DEL_10202014_101725.log - RKreport_DEL_10202014_142647.log
RKreport_DEL_10202014_170248.log - RKreport_DEL_10202014_230751.log - RKreport_DEL_10212014_010731.log - RKreport_DEL_10212014_083630.log
RKreport_DEL_10212014_234612.log - RKreport_DEL_10212014_234635.log - RKreport_DEL_10222014_090812.log - RKreport_DEL_10222014_104051.log
RKreport_DEL_10222014_220624.log - RKreport_SCN_10192014_092738.log - RKreport_SCN_10192014_110448.log - RKreport_SCN_10192014_113559.log
RKreport_SCN_10192014_121414.log - RKreport_SCN_10192014_122202.log - RKreport_SCN_10192014_194839.log - RKreport_SCN_10192014_212205.log
RKreport_SCN_10202014_085652.log - RKreport_SCN_10202014_085948.log - RKreport_SCN_10202014_101613.log - RKreport_SCN_10202014_142624.log
RKreport_SCN_10202014_170059.log - RKreport_SCN_10202014_225033.log - RKreport_SCN_10212014_010444.log - RKreport_SCN_10212014_083333.log
RKreport_SCN_10212014_234438.log - RKreport_SCN_10222014_090717.log - RKreport_SCN_10222014_104024.log - RKreport_SCN_10222014_220554.log

Malwarebytes can't see anything:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/23/2014
Scan Time: 1:49:52 AM
Logfile: 
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.23.02
Rootkit Database: v2014.10.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: User

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321413
Time Elapsed: 4 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

TDSSKiller can't see anything. It's still there, downloading files and contacting outside websites; if I leave it long enough it will make changes to Explorer so I can't download any files (Internet Options, Security, Custom level).

Right now I am using Wise Care 365 to delete the files and reset the MTU, and to reverse the changes (invalid registry items, etc.). MSE reports after scanning that there is potentially malicious software in the system, but shows nothing in the results.

The post was too long, it would not let me post it, so I attached it.

thanks

TDSSKiller.3.0.0.40_23.10.2014_11.37.19_log.txt

Hi there, and sorry for the delay.
My research tells me that Wise Care is a kind of tuning software. You really do not need such tools, but it is up to you whether to keep it or not.

You also ran a lot of tools without a supervisor. This makes it a little bit harder for me to find the source of your problem.

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • fixlist.txt
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run; please post it in your reply

Please delete your current version of ComboFix.exe

  • Please download ComboFix from here

    * IMPORTANT - Save ComboFix.exe to your Desktop

    ====================================================

    Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

    ====================================================

    Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run, please just reboot and that will resolve that error.
