Krusty
Logging Assistant
In Oz
Posts: 2,330
Post by Krusty on Nov 16, 2014 22:02:02 GMT -8
The FRST.txt is fine but we still need the Addition.txt or a link.
Thanks.
Edit: Can you try a different browser?
Post by pixbtted on Nov 16, 2014 22:15:03 GMT -8
Post by pixbtted on Nov 16, 2014 22:16:05 GMT -8
Are you able to use the pastebin link?
Krusty
Logging Assistant
In Oz
Posts: 2,330
Post by Krusty on Nov 16, 2014 22:22:39 GMT -8
Yep, you got there.
Good job!
Please wait patiently for a Malware Removalist to get to you. As you can see they are very busy at the moment so you could be in for a lengthy wait. There are over 300 machines being worked on at this time.
Thanks.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Nov 21, 2014 14:20:25 GMT -8
Hmmmm, only half the Poweliks key. Let's see what this says. I have tested by infecting my system with Poweliks.
The Symantec Removal tool for Poweliks, which only targets Poweliks, does work successfully at dealing with the Registry key.
It only targets Poweliks in the registry, so if your system has Tracur, Cidox, Zeroaccess or a Ransomcrypt (like Cryptowall), it will not target any of those.
Windows 64 Bit tool: Download here.
Windows 32 bit tool: Download here.
I will allow users that turn up or are already here to use it to break Poweliks, so their system settles down. The FRST logs just look different with the possible <=== ATTENTION for the parent key.
Quads
Post by pixbtted on Nov 21, 2014 14:42:08 GMT -8
Trojan.Poweliks has not been found on the system
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Nov 21, 2014 15:05:05 GMT -8
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the script attached. It needs to be the same file name as well (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script, it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST that is on the desktop. When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply (attach or paste).
Quads
Post by pixbtted on Nov 21, 2014 15:07:45 GMT -8
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Nov 21, 2014 21:01:45 GMT -8
Disable Norton's SONAR component.
Quads
Post by pixbtted on Nov 21, 2014 21:10:18 GMT -8
Thank you. I have disabled SONAR.
Here are the contents of Fixlog.txt:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-11-2014
Ran by Ted at 2014-11-22 00:00:17 Run:1
Running from C:\Users\Ted\Desktop
Loaded Profiles: Ted & Administrator (Available profiles: Ted & Administrator)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
start
HKU\S-1-5-21-1631351894-3293103897-3860865750-1000\...\MountPoints2: {92f71ae3-91e6-11e3-b349-f46d048fa269} - L:\LaunchU3.exe -a
C:\Windows\Tasks\{3A1B2112-3617-4D99-BF54-7AB8F9D18F97}.job
C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job
Task: {160B4EBD-5A1F-4274-BC9C-BF694C473EA3} - System32\Tasks\{3A1B2112-3617-4D99-BF54-7AB8F9D18F97} => C:\Users\Ted\AppData\Local\Temp\is-9E897.tmp\XRD Manager.exe <==== ATTENTION
Task: {3916EC5C-45E2-476D-90C1-A3424BDF6FF1} - System32\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7} => C:\Users\Ted\AppData\Local\Temp\is-6ETTJ.tmp\XRD Manager.exe <==== ATTENTION
C:\Users\Ted\AppData\Local\Temp\is-9E897.tmp
C:\Users\Ted\AppData\Local\Temp\is-6ETTJ.tmp
HKU\S-1-5-21-1631351894-3293103897-3860865750-1000\...A8F59079A8D5}\localserver32: <==== ATTENTION!
Reboot:
end
*****************
"HKU\S-1-5-21-1631351894-3293103897-3860865750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92f71ae3-91e6-11e3-b349-f46d048fa269}" => Key deleted successfully.
"HKCR\CLSID\{92f71ae3-91e6-11e3-b349-f46d048fa269}" => Key not found.
C:\Windows\Tasks\{3A1B2112-3617-4D99-BF54-7AB8F9D18F97}.job => Moved successfully.
C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{160B4EBD-5A1F-4274-BC9C-BF694C473EA3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{160B4EBD-5A1F-4274-BC9C-BF694C473EA3}" => Key deleted successfully.
C:\Windows\System32\Tasks\{3A1B2112-3617-4D99-BF54-7AB8F9D18F97} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{3A1B2112-3617-4D99-BF54-7AB8F9D18F97}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3916EC5C-45E2-476D-90C1-A3424BDF6FF1}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3916EC5C-45E2-476D-90C1-A3424BDF6FF1}" => Key deleted successfully.
C:\Windows\System32\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{425E7005-9EC8-4CFC-818A-D3511CE343B7}" => Key deleted successfully.
"C:\Users\Ted\AppData\Local\Temp\is-9E897.tmp" => File/Directory not found.
"C:\Users\Ted\AppData\Local\Temp\is-6ETTJ.tmp" => File/Directory not found.
"HKU\S-1-5-21-1631351894-3293103897-3860865750-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-1631351894-3293103897-3860865750-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
The system needed a reboot.
==== End of Fixlog ====
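A small parser for Fixlog output of the kind posted above, added here as an example and not part of the thread or of FRST. It reads each "item => outcome" result line, tallies what the fix actually did (deleted, moved, or already absent), and flags the two persistence shapes this particular fix removed: a per-user CLSID LocalServer32/InprocServer32 registration under HKU and a payload path under the user's Temp directory. The line shape, the outcome fragments and the two patterns are assumptions drawn from the log above, and the sample input is constructed from that log's values.

```python
import re
from collections import Counter

# Constructed sample: a handful of result lines in the shape of the Fixlog
# posted above (values copied from that log), plus two non-result lines.
SAMPLE_FIXLOG = r'''
"HKU\S-1-5-21-1631351894-3293103897-3860865750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92f71ae3-91e6-11e3-b349-f46d048fa269}" => Key deleted successfully.
"HKCR\CLSID\{92f71ae3-91e6-11e3-b349-f46d048fa269}" => Key not found.
C:\Windows\Tasks\{3A1B2112-3617-4D99-BF54-7AB8F9D18F97}.job => Moved successfully.
"C:\Users\Ted\AppData\Local\Temp\is-9E897.tmp" => File/Directory not found.
"HKU\S-1-5-21-1631351894-3293103897-3860865750-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
The system needed a reboot.
==== End of Fixlog ====
'''

# One result line: optional quotes around the item, then "=> <outcome>".
# This shape is an assumption taken from the log above, not an FRST specification.
RESULT_RE = re.compile(r'^"?(?P<item>.+?)"?\s*=>\s*(?P<result>.+?)\.?\s*$')

# Lowercase fragment of FRST's outcome text -> category.
CATEGORIES = {
    "key deleted successfully": "deleted",
    "moved successfully": "moved",
    "key not found": "missing",
    "file/directory not found": "missing",
}

# Per-user COM server registration: HKU\<SID>\Software\Classes\CLSID\{...}\LocalServer32
# (or InprocServer32). A user-writable key that overrides a machine-wide COM object.
USER_COM_RE = re.compile(
    r'^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[^}]+\}\\(Local|Inproc)Server32$', re.I)
# Anything living under the user's Temp directory.
TEMP_PATH_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def classify(result):
    """Bucket an FRST outcome string; unknown outcomes land in 'other'."""
    lowered = result.lower()
    for fragment, category in CATEGORIES.items():
        if fragment in lowered:
            return category
    return "other"


def parse_fixlog(text):
    """Return [(item, category), ...] for every 'item => outcome' line."""
    entries = []
    for line in text.splitlines():
        match = RESULT_RE.match(line.strip())
        if match:
            entries.append((match.group("item"), classify(match.group("result"))))
    return entries


def summarize(entries):
    """Count entries per category, e.g. {'deleted': 2, 'missing': 2, 'moved': 1}."""
    return dict(Counter(category for _, category in entries))


def flag_persistence(entries):
    """Return (item, reason) for items matching the two persistence patterns
    the fix above removed: per-user COM server overrides and Temp-dir payloads."""
    flagged = []
    for item, _ in entries:
        if USER_COM_RE.match(item):
            flagged.append((item, "per-user CLSID server override"))
        elif TEMP_PATH_RE.search(item):
            flagged.append((item, "payload path under user Temp directory"))
    return flagged


if __name__ == "__main__":
    parsed = parse_fixlog(SAMPLE_FIXLOG)
    print(summarize(parsed))
    for item, reason in flag_persistence(parsed):
        print(f"{reason}: {item}")
```

The "missing" bucket is worth reading, not skipping: an item the fixlist named but FRST could not find (here the two is-*.tmp directories) means either the payload cleaned itself up or a scan picked a stale path, and a fresh FRST scan after the reboot is what settles which.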