Everything posted by Tomdee

  1. OK I replaced the profile and the Trojan is finally gone! Thanks for everyone's help! Tom
  2. It's not available. If I try to right click on it, it denies me access. I gave the whole registry tree full rights but that key still pops up with the error.
  3. Ok, something different happened this time. I don't know if I just didn't notice it before or I did something different this time? When I ran MWB scanner and I was watching the registry, as soon as it found the poweliks trojan, a bunch of reg keys popped up. See attachments. If I try to change the permissions on the CLSID, it denies me access even in safe mode, logged in as the PC administrator? What do you think? Thanks
  4. Ok, I booted from the Hirens Disk and searched the registry for all the keys noted in your post and nothing was found. I also just tried searching for HKU\S-1-5-3514624900 and even just S-1-5-351. Nothing found at all??? Is it possible the MBAR app is not working correctly? It continuously finds the powelliks trojan, but the key is not found when doing a search of the registry? I am ready to give up and wipe this drive just to be sure, but if you have any other ideas, let me know... Thanks for your help and I hope everyone has a great New Year! Tom
  5. Yes I am using the domain admin account to make the changes as the users are locked down. That's why I don't understand how this infected the registry, but the local user does have full control of their domain logon registry... I'll give the fix above a shot next time I'm onsite which should be Tuesday. Should I use a boot disk or what do you recommend? I'm at the point where I'm almost ready to blow this out and do a fresh OS install. Thanks again!!
  6. Shadowwar... That file is a contractor agreement they had in a zip file from 2016 so it's a known quantity and has been around for a few years. My issue is I can't get that reg key to let me delete it. Do you think a boot disk might work? Thanks and Merry Christmas to all! Fixlog.txt
  7. Here's the results of the 2 scans... Poweliks is still present!!!
  8. Ok I tried to add the permissions and delete the registry key with no luck... See screen shots! I'm running MB and MBRK scans again now and will post the results when they finish
  9. One thing that has been happening since this trojan showed up is the users sticky notes and calculator keep opening on their own. Is this a symptom of this auto start issue?
  10. I'll be onsite later today and will try the Trendmicro repair and let you know! Thanks for joining the (war) party!
  11. I decided to run another scan with MWB and came up with this file 12222017. I also found a previous scan from 12152017 for comparison. I don't understand why this isn't being found in the registry, I wonder if they came up with a way to cloak it?? Are they Klingons maybe?? :-)
  12. Here you go.... The search still didn't find the key! :-( Thanks!
  13. Yes I understood what you were saying. I did a full search and also a manual one and that key does not exist under that user's profile. I wonder if I should check the other users? I'll do it tonight after the client closes and post my findings. I am a Network admin so I am familiar with the terminology. Normally I very rarely need this kind of assistance as I would have just blown the machine out and reloaded it, but this client has a lot going on, so if I can clean it, I would prefer that to a full wipe! What a mystery we have here! Thanks again and Merry Christmas to all! Tom
  14. HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes Key Not found... Now what??
  15. Here it is... I hope we can figure this out as I am not looking forward to wiping this drive and reloading windows! Thanks for all the help! Tom NTUSER.ZIP
  16. Ok I did not get a rootkit warning while running this... I ran the MBAR scanner and it came up positive again HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LOCALSERVER32\^ (Trojan.Poweliks) :-( Thanks for your help GMER Log.txt
  17. Fix result of Farbar Recovery Scan Tool (x64) Version: 07-12-2017
      Ran by ccsadmin (07-12-2017 21:18:15) Run:5
      Running from C:\Users\ccsadmin\Desktop
      Loaded Profiles: ccsadmin (Available Profiles: ccsadmin & Rich S & Administrator & Local_Admin & Administrator)
      Boot Mode: Normal
      ==============================================
      fixlist content:
      *****************
      DeleteKey: HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      REG: REG ADD "HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
      *****************
      HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} => key not found.
      ========= REG ADD "HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" =========
      ERROR: The parameter is incorrect.
      ========= End of Reg: =========
      ==== End of Fixlog 21:18:16 ====
  18. Ok I'll try it again... I'll do it right now and let you know...
  19. If it means anything, since this has been on this system, we constantly have the calculator and sticky pad apps opening on their own...
  20. Still present... :-( HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LOCALSERVER32\^ (Trojan.Poweliks)
  21. Fix result of Farbar Recovery Scan Tool (x64) Version: 07-12-2017
      Ran by ccsadmin (07-12-2017 20:09:10) Run:4
      Running from C:\Users\ccsadmin\Desktop
      Loaded Profiles: ccsadmin (Available Profiles: ccsadmin & Rich S & Administrator & Local_Admin & Administrator)
      Boot Mode: Normal
      ==============================================
      fixlist content:
      *****************
      DeleteKey: HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      REG: REG ADD "HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"
      *****************
      HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} => key not found.
      ========= REG ADD "HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" =========
      ERROR: The parameter is incorrect.
      ========= End of Reg: =========
      ==== End of Fixlog 20:09:11 ====
  22. Ok, I ran the MBAR and it came up clean, so I rebooted to see if it came back and it did. I didn't delete it but instead ran the FRST64 app and the results are below. I have also included a screen shot of the MBAR window. This is nuts! I cannot remember anything so stubborn since the Stoned Michelangelo virus in the 90's! Thanks again.
      ++++++++++++++++++++++++++++++++++++++++++++++++++
      Here's the full string from MBAR window.
      HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LOCALSERVER32\^ (Trojan.Poweliks)
      ++++++++++++++++++++++++++++++++++++++++++++++++++
      Fix result of Farbar Recovery Scan Tool (x64) Version: 06-12-2017
      Ran by ccsadmin (06-12-2017 21:20:25) Run:3
      Running from C:\Users\ccsadmin\Desktop
      Loaded Profiles: ccsadmin (Available Profiles: ccsadmin & Rich S & Administrator & Local_Admin & Administrator)
      Boot Mode: Normal
      ==============================================
      fixlist content:
      *****************
      REG: REG QUERY "HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LOCALSERVER32" /s
      *****************
      ========= REG QUERY "HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LOCALSERVER32" /s =========
      ERROR: The system was unable to find the specified registry key or value.
      ========= End of Reg: =========
      ==== End of Fixlog 21:20:25 ====
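The thread above keeps hitting the same two walls: a CLSID subkey that MBAR reports but REG QUERY, REG ADD and a full registry search cannot find, and a key whose permissions cannot be changed even from an administrator account. The posts never say why. The script below is an added example written for this page; it is not from the thread, from Malwarebytes, or from FRST. It walks every per-user `*_Classes\CLSID` hive mounted under HKEY_USERS and reports two things a defender would want to see: subkeys that enumerate but cannot be opened (the access-denied and key-not-found symptoms in the posts), and subkey names containing characters outside printable ASCII, one documented reason a key can be listed by a scanner yet be unaddressable by Win32 tools such as reg.exe or regedit. The function names `Test-PrintableName`, `Find-SuspiciousSubKeys` and `Get-ClsidAuditReport` are my own; it assumes an elevated session and that the affected user's profile is loaded, since a `*_Classes` hive appears under HKEY_USERS only while that user is logged on.

```powershell
# Added example (not from the thread, MBAR or FRST): audit per-user Classes\CLSID hives
# under HKEY_USERS for subkeys that enumerate but cannot be opened, and for subkey names
# containing non-printable characters. Run from an elevated PowerShell session while the
# user whose hive you want to inspect is logged on.

function Test-PrintableName {
    param([string]$Name)
    # $true when every character is in the printable ASCII range 0x20..0x7E
    foreach ($ch in $Name.ToCharArray()) {
        $code = [int]$ch
        if ($code -lt 0x20 -or $code -gt 0x7E) { return $false }
    }
    return $true
}

function Find-SuspiciousSubKeys {
    param(
        [Microsoft.Win32.RegistryKey]$Key,
        [string]$Path,
        [int]$Depth = 3
    )
    $findings = @()
    if ($Depth -le 0) { return $findings }
    $names = @()
    try { $names = $Key.GetSubKeyNames() } catch { return $findings }
    foreach ($name in $names) {
        $childPath = "$Path\$name"
        if (-not (Test-PrintableName $name)) {
            # Report the UTF-16 code units so the odd character is visible in the output
            $codes = ($name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
            $findings += [pscustomobject]@{ Path = $childPath; Reason = "non-printable name: $codes" }
        }
        $child = $null
        try { $child = $Key.OpenSubKey($name) } catch { }   # SecurityException on access denied
        if ($null -eq $child) {
            $findings += [pscustomobject]@{ Path = $childPath; Reason = 'enumerated but cannot be opened' }
            continue
        }
        $findings += @(Find-SuspiciousSubKeys -Key $child -Path $childPath -Depth ($Depth - 1))
        $child.Close()
    }
    return $findings
}

function Get-ClsidAuditReport {
    $report = @()
    $users = [Microsoft.Win32.Registry]::Users
    foreach ($hive in $users.GetSubKeyNames()) {
        if ($hive -notlike '*_Classes') { continue }
        $clsid = $users.OpenSubKey("$hive\CLSID")
        if ($null -eq $clsid) { continue }
        # Depth 3 reaches CLSID\{guid}\LocalServer32\<child>, the level MBAR reported in the thread
        $report += @(Find-SuspiciousSubKeys -Key $clsid -Path "HKU\$hive\CLSID" -Depth 3)
        $clsid.Close()
    }
    return $report
}

Get-ClsidAuditReport | Format-Table -AutoSize
```

An empty report means every CLSID subkey in the loaded hives has a printable name and could be opened with the current token; a "cannot be opened" row on a path a scanner is still flagging is the signal to capture (export the hive with the user logged off, as the NTUSER upload in the thread does) rather than keep retrying reg.exe against a name it cannot address.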