Krusty
Logging Assistant
In Oz
Posts: 2,330
|
Post by Krusty on Nov 22, 2014 12:47:50 GMT -8
Have another read of the instructions.
|
|
|
Post by tomisgood on Nov 22, 2014 14:21:46 GMT -8
|
|
Krusty
Logging Assistant
In Oz
Posts: 2,330
|
Post by Krusty on Nov 22, 2014 16:51:52 GMT -8
Good job!
Please wait patiently for a Malware Removalist to get to you. As you can see they are very busy at the moment so you could be in for a lengthy wait. There are over 300 machines being worked on at this time.
Please avoid bumping your thread as this will push it further down the list.
Thanks.
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 10, 2014 21:03:43 GMT -8
Are you able to re upload the logs??
Quads
|
|
|
Post by tomisgood on Dec 11, 2014 17:49:19 GMT -8
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 11, 2014 18:41:23 GMT -8
I have tested by infecting my system with Poweliks.
The Symantec Removal tool for Poweliks, which only targets Poweliks, does work successfully at dealing with the Registry key.
It only targets Poweliks in the registry, so if your system has Tracur, Cidox, Zeroaccess or a Ransomcrypt (like Cryptowall), it will not target any of those.
Windows 64 Bit tool Download here. Windows 32 bit tool Download here.
I will allow users that turn up or are already here to use it to break Poweliks, so their system settles down; the FRST logs just look different with the possible <=== ATTENTION for the parent key.
Quads
|
|
|
Post by tomisgood on Dec 11, 2014 19:45:21 GMT -8
When I try to download, I get a message saying that my current security settings do not allow for the download. What do i need to disable. Thanks again.
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 11, 2014 19:46:32 GMT -8
For the infected machine and IE: each time before downloading, until Poweliks is broken; once broken, do it once more and it should stay there.
Start Internet Explorer. Click Tools » Options. Click on the Security tab. Select the Internet Zone. Click on the Custom Level button. Click OK.
If Norton detects FRST then just disable SONAR, keep the Firewall turned on.
Quads
|
|
|
Post by tomisgood on Dec 12, 2014 16:51:02 GMT -8
Possible infected key found: \REGISTRY\USER\S-1-5-21-2513406186-4286698835-897515972-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\a
Attempting to remediate Trojan.Poweliks
Process dllhost.exe has been terminated.
Process dllhost.exe has been terminated.
Process dllhost.exe has been terminated.
Process dllhost.exe has been terminated.
Trojan.Poweliks processes successfully stopped
The following registry value has been deleted: \\REGISTRY\USER\S-1-5-21-2513406186-4286698835-897515972-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\"a"
The following registry value has been deleted: \\REGISTRY\USER\S-1-5-21-2513406186-4286698835-897515972-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\""
Trojan.Poweliks keys successfully removed
Trojan.Poweliks has been successfully remediated
Anything further?
|
|
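Added example (not code from this thread, from FRST, or from Symantec's tool): the removal-tool output above names the exact persistence location, a LocalServer32 key for CLSID {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} placed in the user's own Classes hive. The script below parses a `.reg` export and flags any per-user LocalServer32 registration of that CLSID. It assumes (stated here, not in the thread) that the legitimate registration of this class lives under HKLM and that HKCU\Software\Classes overrides it for COM lookups, so a copy in the user hive is the hijack itself. The sample export is constructed; the key path and the value names "a" and (Default) come from the log above, the data strings are placeholders, and the second CLSID is a made-up benign entry.

```python
"""
Flag the Poweliks-style per-user COM hijack in a .reg export.
Added example; the SAMPLE_REG text below is constructed, not real data.
"""
import re

# CLSID whose per-user LocalServer32 the removal-tool log above cleaned up.
POWELIKS_CLSID = "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# @=data is the (Default) value; "name"=data is a named value.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: raw_data}} ('' = (Default))."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            name = "" if name is None else name.replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = m.group(2)
    return keys


def find_poweliks(keys):
    """Return one finding per value under a user-hive LocalServer32 of the CLSID.

    Assumption: the genuine class is registered under HKLM, so any copy under
    HKEY_USERS\\<SID>\\SOFTWARE\\Classes or HKEY_CURRENT_USER is the hijack.
    """
    findings = []
    for path, values in keys.items():
        parts = [p.lower() for p in path.split("\\")]
        if parts[0] not in ("hkey_users", "hkey_current_user"):
            continue
        if POWELIKS_CLSID.lower() not in parts or parts[-1] != "localserver32":
            continue
        for name, data in values.items():
            findings.append({
                "key": path,
                "value": name,
                "data": data,
                # Empty, non-ASCII or control-character names are what regedit
                # struggles to show; the log above lists both "a" and "".
                "hard_to_display": name == "" or not name.isascii() or not name.isprintable(),
            })
    return findings


def scan_reg_file(path):
    """Scan a file written by 'reg export <key> out.reg' (UTF-16 LE by default)."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", "replace")
    return find_poweliks(parse_reg(text))


# Constructed sample: key path from the log above, placeholder data strings,
# plus a made-up benign per-user CLSID that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-2513406186-4286698835-897515972-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]

[HKEY_USERS\S-1-5-21-2513406186-4286698835-897515972-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32]
@="PLACEHOLDER-launch-command"
"a"="PLACEHOLDER-encoded-payload"

[HKEY_USERS\S-1-5-21-2513406186-4286698835-897515972-1001\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\localserver32]
@="C:\\Program Files\\Example\\example.exe"
"""

if __name__ == "__main__":
    for finding in find_poweliks(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live machine the input would come from `reg export HKCU\Software\Classes\CLSID out.reg` (or the HKU\<SID> path for another profile) fed to `scan_reg_file`; the check is keyed on the CLSID and hive, not on the value name, so it still fires when the hidden value name is one regedit cannot render.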
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 12, 2014 16:53:09 GMT -8
Delete your copy of addition.txt that is on the Desktop, Then
Start FRST, run a scan to create 2 new logs to post back here.
Quads
|
|