• Trojan & Web Attack attempts at startup

    #497106

    Working on a Windows 7 Home Premium with Norton 360

    Starting about a week ago, within a few seconds after startup Norton 360 reports that it blocks Trojan.Poweliks activity, Trojan.AdClicker activity and Web Attack: Fake Scan.
    — I should have taken better notes, but if I remember correctly the first item had a severity rating of Low and the last 2 had a severity rating of High.

    Within the few seconds it takes Norton 360 to block them, the default security settings in Internet Options are changed to Custom Settings, at least in the Internet (Medium-High) and Restricted sites (High) zones.
    — Also, in each of those 2 cases Enable Protected Mode is unchecked.

    After blocking them, Norton 360 then reports the system is protected.
    I ran Disk Cleanup and AdwCleaner, which cleaned out a number of registry items.
    Upon allowing the computer to restart, those 3 items did not show up immediately, but did so about 30 minutes later.

    For some background, the computer users play a lot of games, go on gambling sites and told me they sometimes get messages from some Facebook users that are questionable, whatever that means.
    — It wouldn’t surprise me if those attempted Trojan infections were riding on the coattails of something from somewhere in there.

    I’ll be going back there in a few days.
    I plan to check Enable Protected Mode in both the default Internet (Medium-High) and Restricted sites (High) settings, as that’s what I have on my Win7 desktop and laptop computers.

    Checking Norton’s website, I found this:
    Norton™ Power Eraser https://security.symantec.com/nbrt/npe.aspx?lcid=1033
    — Does anyone have experience with using that?
    — I don’t recall the exact wording, but being careful about how to use it is mentioned.

    I have recommendations to use Autoruns, I think it is, to see what actually is running in the background. Should I look into that, or Sysinternals, or another program?

    HP EliteBook 8540w laptop Windows 10 Pro (x64)
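    The symptom the original poster describes (Protected Mode unchecked and the zone level no longer at its default within seconds of startup) can be checked from the registry rather than by opening the Internet Options dialog each time. This is an added example, not code from the thread or from any of the tools it names; the zone numbers (3 = Internet, 4 = Restricted sites), the value names ("CurrentLevel" for the slider, "2500" for Protected Mode, where 0 = on and 3 = off) and the expected default levels (Medium-High = 0x11500, High = 0x12000) are this example's assumptions about Windows 7 / IE and are worth confirming on a known-clean machine first.

    ```powershell
    # Added example: read the per-user IE zone settings and flag Protected Mode being
    # turned off or the base level differing from the expected default. Hashtables are
    # used instead of [pscustomobject] so this also runs on the PowerShell 2.0 that
    # ships with Windows 7. Run it as the affected user, since the values live under HKCU.
    $zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

    # Assumed defaults for the two zones the thread is about.
    $expected = @{
        3 = @{ Name = 'Internet';         Level = 0x11500 }   # Medium-High
        4 = @{ Name = 'Restricted sites'; Level = 0x12000 }   # High
    }

    function Get-ZoneState {
        param([int]$Zone)
        $path  = Join-Path $zonesKey $Zone
        $props = Get-ItemProperty -Path $path -ErrorAction Stop
        @{
            Zone          = $expected[$Zone].Name
            CurrentLevel  = $props.CurrentLevel
            ProtectedMode = $props.'2500'    # 0 = on, 3 = off, $null = never written (default)
        }
    }

    foreach ($zone in $expected.Keys) {
        $state  = Get-ZoneState -Zone $zone
        $issues = @()

        if ($null -ne $state.ProtectedMode -and $state.ProtectedMode -ne 0) {
            $issues += 'Enable Protected Mode is unchecked'
        }
        if ($state.CurrentLevel -ne $expected[$zone].Level) {
            $issues += ('base security level is 0x{0:X} instead of 0x{1:X}' -f `
                        $state.CurrentLevel, $expected[$zone].Level)
        }

        if ($issues.Count -gt 0) {
            Write-Warning ('{0} zone: {1}' -f $state.Zone, ($issues -join '; '))
        } else {
            Write-Output ('{0} zone: default level and Protected Mode on' -f $state.Zone)
        }
    }
    ```

    A zone that the dialog labels "Custom" has individual action values that differ from the level template; this script only compares the base level and Protected Mode flag, so a zone can report as default here while still showing "Custom" in the dialog.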

    • #1473244

      Yes, I have used NPE, but from a Google on that Trojan and https://community.norton.com/forums/trojan-poweliks-and-adclicker-removal-help-please, NPE won’t do it.

      Scroll down to a post by Scotthoot dated 28 Oct 2014 for what worked for him.

      I also favour Process Explorer over Autoruns because it includes VirusTotal and you can see at a glance any red high value/~50 items: http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx. You need to run it as an admin.

      Click on Options and ensure Verify Signatures is enabled, then hover over VirusTotal.com and check its box; you will then see which ones are verified and whether any have the VirusTotal high red values.

      If you want to try the bootable Kaspersky Rescue 10 Disk you can get it from http://support.kaspersky.co.uk/viruses/rescuedisk/main but it can take quite a number of hours for it to complete its scan and you need to Ethernet connect the affected machine to update its definitions, but hopefully, what worked for Scotthoot will also work for you.

      ESET Online Scanner (which will be quicker than Kaspersky) may also find it: http://www.eset.co.uk/Antivirus-Utilities/Online-Scanner

      Click on Advanced and check all items except the proxy one, then go into Norton’s Firewall settings and disable it until next reboot immediately before hitting ESET’s Scan button.

    • #1473323
    • #1473657

      Problem solved: thank you.
      ESET Online Scanner http://www.eset.co.uk/Antivirus-Util…Online-Scanner

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

    • #1473697

      I have a hard time understanding how come a paid Security Suite like Norton 360 couldn’t have done the job like ESET did. I recommended to my friend that he should consider ESET.

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

      • #1473709

        I have a hard time understanding how come a paid Security Suite like Norton 360 couldn’t have done the job like ESET did. I recommended to my friend that he should consider ESET.

        You have a valid point, but Norton did report blocking it, and its repeated attempts could be as you suspect.

        Reading through the article I’d linked and from what you say as to your friend’s habits, it’s possible it could have gotten in through an exploited PuP.

        Norton tends not to recognize PuPs as threats because of their signatures, but it was interesting to note that MBAM was unable to pick this up either.

        While scanners probably look for similar signatures, each will have a few of their own, which is demonstrated by the fact that ESET takes ~1¾ hrs to complete, whereas the one time I ran Kaspersky Rescue 10 Disk, it took ~9.5 hrs; that is why some can and others can’t find a particular nasty.

        Totally off topic: when I tried to use ALT+171 for the half symbol, I got to ALT+17 and got a prompt asking if I wanted to stay or leave the page :confused:

    • #1473699

      Don’t online scanners assume one has an internet connection that is not part of a present problem? Sometimes I have to run Windows Repair (All in One) because one of the problems was I had no internet connection with the outside world. Both HD & online choices would be best.

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1473703

      You need to download the scanner and latest definitions so an internet connection is required somewhere. Offline scanners can be downloaded and burnt to CD / USB, but it’s still an internet connection first.

      cheers, Paul

      • #1473734

        Hey Paul! Thanks for your gracious reply, I changed my post after realizing that I left off some stuff.

        "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

        • #1473789

          When I was working on my system having good Internet speed, I suddenly got Trojan on computer screen. After getting that I ignore and close the window, but after sometimes it appears again and again. It was really very annoying situation for me. I became fed up and looked for suitable solution. When searching on the Internet for solution, I came across http://www.removepcadware.com/uninstall-trojanwin32comamegmb-how-to-completely-remove-trojanwin32comamegmb. Its activities are similar to the Trojan present in my computer. Here I also got best and effective solution to remove PC threats completely. It makes my task so easy and I could not get such suitable solution somewhere else. It can also be very useful for you. So you can try it for best and convenient solution.

          • #1473794

            When I was working on my system having good Internet speed, I suddenly got Trojan on computer screen. After getting that I ignore and close the window, but after sometimes it appears again and again. It was really very annoying situation for me. I became fed up and looked for suitable solution. When searching on the Internet for solution, I came across http://www.removepcadware.com/uninstall-trojanwin32comamegmb-how-to-completely-remove-trojanwin32comamegmb. Its activities are similar to the Trojan present in my computer. Here I also got best and effective solution to remove PC threats completely. It makes my task so easy and I could not get such suitable solution somewhere else. It can also be very useful for you. So you can try it for best and convenient solution.

            Welcome to the Lounge, jesonjohn01.

            Glad that program was able to disinfect your system, but if you read through this thread you will see a number of free, effective anti-malware scanners referenced that probably would have done the job without you having to stick your hand in your pocket.

    • #1473729

      Excellent comments, Sudo15; and one of their family members is pretty “clumsy” in how they use their computer (oh yes, should I say I’m being polite in how I’m trying to describe that?)
      — Anyway, I have brought their issues up to date with them; what they decide to do we’ll see.
      — I was even willing to help them sign up with WindowsSecrets, but that fell on deaf ears.

      In my original post I wasn’t aware that MBAM had been used and some infections had been found and quarantined, but I found out later. On Norton 360, although it reported that the websites were being blocked, it was non-stop for about a week before my friend called me; plus I found out that within seconds the default security settings in Internet Options were changed to Custom Settings in the Internet and Restricted sites zones, and Enable Protected Mode became unchecked in both cases. Since ESET cleaned out what it did, those settings no longer revert to being unchecked or Custom Settings. ESET took about 2 hours the first time it ran to find and remove all threats, and there were plenty of them. My friend told me he has run ESET every day now; it’s finishing very quickly, no threats are being found anymore, and Norton 360 isn’t reporting any more blocking.

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

    • #1473733

      Hope your friend is checking the box to auto uninstall it each time.

      I know it will take longer to initialize each time, but it’s advertised (or used to be) as a one-time free online scan, so regular use could get a response from ESET if left installed.

      ESET has a services restore tool to reinstate services that can be stopped by an infection, but as the machine is infection-free, it won’t be needed.

      This is it if you want to bookmark it http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe (active download link).

    • #1473887

      Sudo,

      Pardon me for being skeptical, but when the only post from a new user, written in somewhat stilted English, recommends a payware site from Delhi, whose website is also written in somewhat stilted English — I sense a spam.
      I don’t intend to be xenophobic, but let’s see if the user posts again, on other topics.

      Zig

      • #1473907

        Sudo,

        Pardon me for being skeptical, but when the only post from a new user, written in somewhat stilted English, recommends a payware site from Delhi, whose website is also written in somewhat stilted English — I sense a spam.
        I don’t intend to be xenophobic, but let’s see if the user posts again, on other topics.

        Zig

        You weren’t the only one who was sceptical because of the program being promoted; I also sensed spam, but I decided to give the OP the benefit of the doubt, and as this is an international forum, English isn’t always the first language and less than perfect can sometimes be the case.

        I also suspected the program because I’ve never heard of SpyHunter, and the manual steps for removing that Trojan seemed mild; they may not have completely removed it, and anyone may have been tempted to download the program, which could have been one of those fake scanners.

    • #1473890

      Zig, there are plenty of home-grown spams right here in the good ol’ USA 🙂 Your radar may be right; we wait and see…

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited
