kj1
New Helpee
Posts: 30
|
Post by kj1 on Nov 9, 2014 19:15:31 GMT -8
|
|
Krusty
Logging Assistant
In Oz
Posts: 2,330
|
Post by Krusty on Nov 9, 2014 19:28:02 GMT -8
Good job!
Please wait patiently for a Malware Removalist to get to you. As you can see they are very busy at the moment so you could be in for a lengthy wait. There are over 300 machines being worked on at this time.
Thanks.
|
|
kj1
New Helpee
Posts: 30
|
Post by kj1 on Nov 10, 2014 16:26:33 GMT -8
Hi, I'm back online.
|
|
Krusty
Logging Assistant
In Oz
Posts: 2,330
|
Post by Krusty on Nov 10, 2014 18:43:00 GMT -8
Bumping your thread only pushes it further down the list.
Please be patient.
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Nov 16, 2014 18:06:21 GMT -8
I have tested by infecting my system with Poweliks.
The Symantec Removal tool for Poweliks, which only targets Poweliks, does work successfully at dealing with the Registry key.
It only targets Poweliks in the registry, so if your system has Tracur, Cidox, Zeroaccess or a Ransomcrypt (like Cryptowall), it will not target any of those.
Windows 64 Bit tool: Download here.
Windows 32 bit tool: Download here.
I will allow users that turn up or are already here to use it to break Poweliks, so their system settles down; the FRST logs just look different, with the possible <=== ATTENTION for the parent key.
Quads
|
|
kj1
New Helpee
Posts: 30
|
Post by kj1 on Nov 18, 2014 21:09:09 GMT -8
I downloaded and ran FixPoweliks64.exe. It ran for about 10 seconds and appeared to be finding and removing some stuff, but then a popup window displayed the following error:
An error has occurred in the script on this page
line: 1
char: 1
error: Unable to open registry key HKCU/software/classes/clsid/{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\localserver32\a" for reading
code: 0
URL:
Do you want to continue running scripts on this page?
I answered No.
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Nov 24, 2014 22:09:37 GMT -8
Let's see if this works.
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the attached script; it needs to keep the same file name (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script; it won't work for FRST. (Right-click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link As.)
The script tells FRST what to do.
Start FRST that is on the desktop. When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt); please post it in your reply (attach or paste).
Quads
|
|
kj1
New Helpee
Posts: 30
|
Post by kj1 on Nov 25, 2014 23:17:14 GMT -8
I'm going to be away from my pc for a few days during the Thanksgiving holiday. I'll execute your instructions as soon as I get back on Tuesday 12/2. Please don't close the thread.
Thanks, Kevin
|
|
kj1
New Helpee
Posts: 30
|
Post by kj1 on Dec 15, 2014 20:03:08 GMT -8
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-12-2014 01
Ran by Keyley at 2014-12-15 21:51:28 Run:1
Running from C:\Users\Keyley\Desktop
Loaded Profile: Keyley (Available profiles: Keyley)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] => [X]
C:\Users\Keyley\AppData\Local\Temp\OfficeSetup.exe
HKU\S-1-5-21-1885584115-1695401219-2722217645-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks
CustomCLSID: HKU\S-1-5-21-1885584115-1695401219-2722217645-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Reboot:
end
*****************
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
C:\Users\Keyley\AppData\Local\Temp\OfficeSetup.exe => Moved successfully.
"HKU\S-1-5-21-1885584115-1695401219-2722217645-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-1885584115-1695401219-2722217645-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"HKU\S-1-5-21-1885584115-1695401219-2722217645-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
The system needed a reboot.
==== End of Fixlog ====
|
|
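The Fixlog in the post above shows what Poweliks persistence looks like in an FRST log: a per-user CLSID whose LocalServer32 value does not point at an executable but runs rundll32.exe with a javascript: URL, and the eval() argument is hidden by raising every character code by one. As an added example (not code from this thread, from Farbar, or from Symantec), the scanner below reads FRST-style log lines, flags that pattern, and undoes the one-character shift so a responder can see the payload prefix. The sample log lines are constructed to mirror the thread's entries with a placeholder SID; the benign third line stands in for an ordinary COM server registration.

```python
"""Added example: detect the Poweliks CLSID / LocalServer32 hijack pattern in
FRST-style log lines and decode the shifted eval() argument. Not from the thread
or from FRST; the sample lines are constructed with a placeholder SID."""
import re

# Constructed sample: two Poweliks-style entries modelled on the thread's Fixlog
# (placeholder SID S-1-5-21-0-0-0-1000) and one ordinary COM LocalServer32 entry.
SAMPLE_LOG = r"""
HKU\S-1-5-21-0-0-0-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks
CustomCLSID: HKU\S-1-5-21-0-0-0-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters).
CustomCLSID: HKU\S-1-5-21-0-0-0-1000_Classes\CLSID\{00000000-0000-0000-0000-000000000001}\localserver32 -> C:\Program Files\Example\example.exe /automation
"""

# The tell-tale: a LocalServer32 value that starts with "rundll32(.exe) javascript:",
# i.e. a COM server registration that launches script instead of a binary.
POWELIKS_RE = re.compile(
    r"(?P<key>HKU\\[^\s:]+?\\localserver32)\s*(?::|->)\s*"
    r"(?P<value>rundll32(?:\.exe)?\s+javascript:.*)",
    re.IGNORECASE,
)
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)
EVAL_RE = re.compile(r'eval\("([^"\s]+)')


def unshift(text):
    """Undo the obfuscation of the eval() argument: each character was stored
    with its code point raised by one, so subtract one from every character."""
    return "".join(chr(ord(c) - 1) for c in text)


def scan_frst_log(log_text):
    """Return one finding (dict) per Poweliks-style LocalServer32 entry."""
    findings = []
    for line in log_text.splitlines():
        m = POWELIKS_RE.search(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        clsid = CLSID_RE.search(key)
        payload = EVAL_RE.search(value)
        findings.append({
            "key": key,
            # None when FRST elided the CLSID with "..." as in the first sample line
            "clsid": clsid.group(0) if clsid else None,
            "value": value,
            "decoded_prefix": unshift(payload.group(1)) if payload else None,
        })
    return findings


if __name__ == "__main__":
    for f in scan_frst_log(SAMPLE_LOG):
        print(f"[Poweliks-style CLSID hijack] {f['clsid'] or '(CLSID elided)'}")
        print(f"  key:     {f['key']}")
        print(f"  decoded: {f['decoded_prefix']}")
```

Run it on a saved FRST.txt or Fixlog.txt by passing the file contents to scan_frst_log(); the decoded prefix for the thread's entries comes out as document.write('<script language=jscr, which is why FRST tags the key with <==== Poweliks.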
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 20, 2014 18:08:44 GMT -8
System should be acting a lot better now??
Quads
|
|