Krusty
Logging Assistant
In Oz
Posts: 2,330
Post by Krusty on Nov 6, 2014 15:10:00 GMT -8
Please wait patiently for a Malware Removalist to get to you. As you can see they are very busy at the moment so you could be in for a lengthy wait. There are around 200 machines being worked on at this time.
Thanks.
yelc
New Helpee
Posts: 19
Post by yelc on Nov 7, 2014 9:52:45 GMT -8
Great
Post by delphie on Nov 7, 2014 9:56:16 GMT -8
As the removalists are working from the oldest to the newest, you were in a better position before you posted. It will take longer for you to get assistance if you accidentally bump yourself to the front.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Nov 11, 2014 22:02:06 GMT -8
You may want to read all of this message carefully before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the script attached; it needs to have the same file name as well (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script; it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link As.)
The script tells FRST what to do.
Start FRST that is on the Desktop. When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply (attach or paste).
Quads
yelc
New Helpee
Posts: 19
Post by yelc on Nov 12, 2014 6:40:19 GMT -8
Thanks Quads, hopefully this darn Trojan is getting a little easier for you to generate repair scripts for; you are sure getting a lot of practice.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Nov 19, 2014 17:02:21 GMT -8
You have not downloaded the fixlist.txt correctly: it was downloaded in htm(l) formatting instead of .txt formatting. As a result FRST did nothing, as it did not understand anything.
Quads
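The failure Quads describes (a browser saving the attachment as an HTML page rather than as the plain-text script) is easy to check for before pressing Fix. The following is an added example, not part of the thread and not FRST's or Quads' own code; it assumes fixlist.txt is on the current user's Desktop, as the instructions above require, and only inspects the first few lines of the file.

```powershell
# Added example (not from the thread): confirm that fixlist.txt on the Desktop is a
# plain-text script and not an HTML page that the browser saved under that name.
$path = Join-Path ([Environment]::GetFolderPath('Desktop')) 'fixlist.txt'

if (-not (Test-Path -LiteralPath $path)) {
    Write-Output "fixlist.txt was not found on the Desktop ($path); FRST needs it there, next to FRST64.exe."
    return
}

# Read only the first five lines; an HTML download starts with markup, a FRST script does not.
$head = (Get-Content -LiteralPath $path -TotalCount 5) -join "`n"

if ($head -match '(?i)<!DOCTYPE|<html|<head|<body') {
    Write-Output "fixlist.txt looks like HTML, not a FRST script. Re-download it with right click > Save Link As."
} else {
    Write-Output "fixlist.txt starts with plain text; first lines:"
    Write-Output $head
}
```

If the check reports HTML, the fix is the one Quads gives: right click the attachment link and use Save As / Save Link As, then re-run the check before pressing Fix.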
yelc
New Helpee
Posts: 19
Post by yelc on Nov 20, 2014 5:14:52 GMT -8
Thanks again Quads.
I don't know why Explorer wouldn't save the file as .txt; I had to go to the link and save it from there. Hopefully this Fixlog is correct.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Nov 21, 2014 21:05:52 GMT -8
Now, with Poweliks taken (and some PUP items), your system should be acting better, with dllhost not being so overactive?
Quads
yelc
New Helpee
Posts: 19
Post by yelc on Nov 22, 2014 6:50:18 GMT -8
That's correct Quads, much better. I brought the system back online and monitored dllhost.dll with Process Explorer. Don't see it generating multiple copies. On its last scan Norton found a copy of Poweliks and said it removed it, but I'm not so sure it's gone altogether.
yelc
New Helpee
Posts: 19
Post by yelc on Nov 22, 2014 7:36:34 GMT -8
Quads, FYI here are the actions Norton took on the last scan:
File Actions
Infected file: c:\windows\syswow64\00004127.tmp Removed
Infected file: c:\windows\syswow64\00020536.tmp Removed

Registry Actions
Registry change: HKEY_USERS\S-1-5-21-3443200979-1313501396-1236113166-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-21-3443200979-1313501396-1236113166-1005\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-21-3443200979-1313501396-1236113166-1001\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\S-1-5-21-3443200979-1313501396-1236113166-1005\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32->a Removed
Registry change: HKEY_USERS\S-1-5-21-3443200979-1313501396-1236113166-1001\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-21-3443200979-1313501396-1236113166-1005\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-19\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_USERS\.DEFAULT\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed
Registry change: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\localserver32 Removed

File Thumbprint - SHA: 4e2e10b5ac15599c5ec1a912e9a3581a1463eb61a3a0ceaa63be76c7d65e36e2
File Thumbprint - MD5: Not available
</gr_insert_placeholder_never_emitted>
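The Norton log above lists LocalServer32 entries under two CLSIDs, spread across the logged-on users' hives, the service-account hives (S-1-5-19, S-1-5-20, .DEFAULT) and HKLM. A helper who wants to confirm they are really gone, rather than take the scanner's word for it, can re-check those exact locations. The script below is an added example for this thread, not Norton's, FRST's or Quads' code; it assumes it is run from an elevated PowerShell so the other users' hives are readable, and it only reports what it finds, it changes nothing. The two CLSIDs are the ones from the log above; everything else is assumed.

```powershell
# Added example (not from the thread): list the CLSID\LocalServer32 keys that the Norton
# log reports, across HKLM and every hive currently loaded under HKEY_USERS, and show what
# each points to. Read-only; run elevated so all loaded hives are visible.
$clsids = @(
    '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}',   # taken from the Norton log above
    '{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}'    # taken from the Norton log above
)

# HKLM plus one root per loaded user hive. Only hives of logged-on users and the
# service accounts are mounted under HKEY_USERS, so other profiles are not covered.
$roots = @('Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID')
$roots += Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)\Software\Classes\CLSID" }

$findings = foreach ($root in $roots) {
    foreach ($clsid in $clsids) {
        $key = "$root\$clsid\LocalServer32"
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            [PSCustomObject]@{
                Key     = $key
                Default = $props.'(default)'   # the command COM would launch for this class
                A       = $props.a             # the extra value named 'a' that Norton removed
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No LocalServer32 subkey present under either CLSID in any loaded hive.'
}
```

Two things to keep in mind when reading the output. First, {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} is, to my knowledge, a built-in Windows class (the thumbnail cache out-of-process server, which runs inside dllhost.exe), so finding that CLSID itself under HKLM is normal; what Norton removed were LocalServer32 subkeys for it under the user hives, and it is those, and any non-empty value named `a`, that are worth a second look. Second, the script only sees hives that are loaded; a profile that is not logged on would need its NTUSER.DAT loaded separately, which is a reason the removalist's FRST log is still the authoritative view.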