Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Dec 16, 2014 18:03:48 GMT -8
Can you re-upload the FRST logs??
Quads
Post by glamdrung on Dec 17, 2014 0:15:12 GMT -8
Post by Quads on Dec 17, 2014 21:31:09 GMT -8
I have tested by infecting my system with Poweliks.
The Symantec Removal tool for Poweliks, which only targets Poweliks, does work successfully at dealing with the Registry key.
It only targets Poweliks in the registry, so if your system has Tracur, Cidox, Zeroaccess or a Ransomcrypt (like Cryptowall), it will not target any of those.
Windows 64 Bit tool: Download here. Windows 32 bit tool: Download here. I will allow users that turn up or are already here to use it to break Poweliks, so their system settles down; the FRST logs just look different, with the possible <=== ATTENTION for the parent key.
AND / OR this one: www.eset.com/int/download/utilities/detail/family/252/
Quads
Post by glamdrung on Dec 18, 2014 11:24:40 GMT -8
I installed and ran ESET. Is it supposed to be instantaneous (i.e. no scanning files like the other tool)? I was having an episode happen right as I was running it and it cleared up. Edit: Here is the log: ESETPoweliksCleaner.exe_20141218.141854.5244.log
Post by Quads on Jan 6, 2015 21:59:03 GMT -8
Delete your copy of addition.txt that is on your Desktop, then
start FRST and run a Scan to create 2 new logs to post back here.
Quads
Post by glamdrung on Jan 19, 2015 20:09:27 GMT -8
Post by Quads on Jan 19, 2015 20:21:10 GMT -8
Press the Windows key + R on your keyboard at the same time. Type notepad and click OK. Copy the entire content of the codebox below and paste into the notepad (including start and end):

start
HKU\S-1-5-19\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-2188338816-3494402152-3963806504-1000\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-2188338816-3494402152-3963806504-1001\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-2188338816-3494402152-3963806504-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://Vosteran.com/?f=1&a=vst_dnldstr_14_47_ie&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyD0FyDtAyBzztDzz0CzztN0D0Tzu0StCtDyDyCtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StAzy0F0C0F0BtB0FtG0Dzy0E0AtGtC0D0DtDtG0E0CyEtBtGtCtA0DyCyC0CyB0Dzz0EtBtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0ByDtB0Czy0ByEtGtA0EtCtCtGyEyEyEtBtGzz0AtA0CtG0DyEtA0EyEzzzyyCtA0CyDyD2Q&cr=486887642&ir=
SearchScopes: HKLM -> DefaultScope {2FB88539-7CC5-4C61-B284-D7621700919E} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_dnldstr_14_47_ie&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyD0FyDtAyBzztDzz0CzztN0D0Tzu0StCtDyDyCtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StAzy0F0C0F0BtB0FtG0Dzy0E0AtGtC0D0DtDtG0E0CyEtBtGtCtA0DyCyC0CyB0Dzz0EtBtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0ByDtB0Czy0ByEtGtA0EtCtCtGyEyEyEtBtGzz0AtA0CtG0DyEtA0EyEzzzyyCtA0CyDyD2Q&cr=486887642&ir=
SearchScopes: HKLM -> {2FB88539-7CC5-4C61-B284-D7621700919E} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_dnldstr_14_47_ie&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyD0FyDtAyBzztDzz0CzztN0D0Tzu0StCtDyDyCtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StAzy0F0C0F0BtB0FtG0Dzy0E0AtGtC0D0DtDtG0E0CyEtBtGtCtA0DyCyC0CyB0Dzz0EtBtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0ByDtB0Czy0ByEtGtA0EtCtCtGyEyEyEtBtGzz0AtA0CtG0DyEtA0EyEzzzyyCtA0CyDyD2Q&cr=486887642&ir=
SearchScopes: HKU\S-1-5-21-2188338816-3494402152-3963806504-1000 -> DefaultScope {2FB88539-7CC5-4C61-B284-D7621700919E} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_dnldstr_14_47_ie&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyD0FyDtAyBzztDzz0CzztN0D0Tzu0StCtDyDyCtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StAzy0F0C0F0BtB0FtG0Dzy0E0AtGtC0D0DtDtG0E0CyEtBtGtCtA0DyCyC0CyB0Dzz0EtBtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0ByDtB0Czy0ByEtGtA0EtCtCtGyEyEyEtBtGzz0AtA0CtG0DyEtA0EyEzzzyyCtA0CyDyD2Q&cr=486887642&ir=
SearchScopes: HKU\S-1-5-21-2188338816-3494402152-3963806504-1000 -> {2FB88539-7CC5-4C61-B284-D7621700919E} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_dnldstr_14_47_ie&cd=2XzuyEtN2Y1L1QzutDtDtBtCyBtDyD0FyDtAyBzztDzz0CzztN0D0Tzu0StCtDyDyCtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StAzy0F0C0F0BtB0FtG0Dzy0E0AtGtC0D0DtDtG0E0CyEtBtGtCtA0DyCyC0CyB0Dzz0EtBtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0ByDtB0Czy0ByEtGtA0EtCtCtGyEyEyEtBtGzz0AtA0CtG0DyEtA0EyEzzzyyCtA0CyDyD2Q&cr=486887642&ir=
FF user.js: detected! => C:\Users\Triplett\AppData\Roaming\Mozilla\Firefox\Profiles\m50qhf49.default\user.js
C:\Users\Carol\AppData\Local\Temp\msg2A6A.exe
C:\Users\Carol\AppData\Local\Temp\msg3533.exe
C:\Users\Carol\AppData\Local\Temp\msg8075.exe
C:\Users\Carol\AppData\Local\Temp\msgEF6C.exe
C:\Users\Carol\AppData\Local\Temp\_dzloiou.dll
C:\Users\Larry\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Larry\AppData\Local\Temp\FlashPlayerUpdate01.exe
C:\Users\Triplett\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Users\Triplett\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Triplett\AppData\Local\Temp\vmw.exe
end

Click File, Save As and type fixlist (.txt may be seen on the end depending on the system setup) as the File Name. Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
Right-click on the icon and select Run as Administrator to start FRST. (XP users click Run after receipt of Windows Security Warning - Open File.) Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished, FRST will generate a log on the Desktop called Fixlog.txt. Paste or attach it back here.
Quads
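As an added example (not from this thread, and not the FRST author's code), here is a small Python helper that picks out of an FRST log the kinds of lines Quads put into the fixlist above: entries FRST itself flagged with the <==== ATTENTION marker (such as the per-user Winlogon Shell values mentioned in the earlier Poweliks post), SearchScopes entries whose URL points at a search-hijacker domain (Vosteran.com from this thread), and the Firefox user.js detection. The sample log lines and the hijacker-domain list are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample FRST log lines modelled on the fix posted above (not a real log).
SAMPLE_LOG = r"""
HKU\S-1-5-19\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKLM\...\Winlogon: [Shell] explorer.exe [2871808 2011-02-25] (Microsoft Corporation)
SearchScopes: HKLM -> DefaultScope {2FB88539-7CC5-4C61-B284-D7621700919E} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}
FF user.js: detected! => C:\Users\Triplett\AppData\Roaming\Mozilla\Firefox\Profiles\m50qhf49.default\user.js
"""

# Assumed list of search-hijacker domains; Vosteran.com is the one seen in this thread.
HIJACK_DOMAINS = {"vosteran.com"}

ATTENTION_RE = re.compile(r"<=+ ATTENTION$")          # FRST's own flag on suspicious entries
SEARCHSCOPE_RE = re.compile(r"^SearchScopes: .* URL = (?P<url>\S+)")
USERJS_RE = re.compile(r"^FF user\.js: detected! => .+$")


def select_fix_lines(log_text):
    """Return the FRST log lines that belong in the fixlist."""
    selected = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ATTENTION_RE.search(line):
            selected.append(line)               # e.g. per-user Winlogon Shell values
            continue
        m = SEARCHSCOPE_RE.match(line)
        if m:
            host = (urlsplit(m.group("url")).hostname or "").lower()
            if host in HIJACK_DOMAINS:          # legitimate search scopes are left alone
                selected.append(line)
            continue
        if USERJS_RE.match(line):
            selected.append(line)               # user.js that forces hijacked settings
    return selected


def build_fixlist(log_text):
    """Wrap the selected lines in FRST's start/end block, ready to save as fixlist.txt."""
    return "\n".join(["start", *select_fix_lines(log_text), "end"]) + "\n"


if __name__ == "__main__":
    print(build_fixlist(SAMPLE_LOG))
```

Running it prints a three-entry fixlist (the ATTENTION line, the Vosteran scope and the user.js line) while leaving the HKLM default Shell and the Bing scope untouched.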
Post by glamdrung on Jan 24, 2015 23:54:31 GMT -8
Post by Quads on Jan 25, 2015 0:05:08 GMT -8
Read carefully
Download AdwCleaner (www.bleepingcomputer.com/download/adwcleaner/) on to your desktop, using the blue Download Now button at Bleeping Computer, and run a scan (Scan button). It will create a log after, or there is a Report button. ONE SCAN ONLY.
Attach or paste the log back here.
Quads
Post by glamdrung on Jan 27, 2015 16:08:04 GMT -8
AdwCleaner.txt: http://wikisend.com/download/271758/AdwCleaner[R0].txt