Windows 7 Forums

Windows 7: Got hit with Ransomware Encryption Trojan

14 Dec 2014   #21

Windows 7 64-bit SP1

Tried rebooting out of Safe Mode and clicker3.exe and conhost.exe came back, booo.

14 Dec 2014   #22

Windows 7 Home Premium


This malware is a tough one. Your best bet may end up being a clean install, and that is something I recommend only in cases where hope does not appear to be a strategy.

You may want to think about it...

Are you running Malwarebytes Anti-Malware Free, or the Pro version?

In any event, please run the following programs, in the order presented: MBAM > RogueKiller > FRST and provide the four reports produced.

Open MBAM, click the Settings tab at the top, and, in the left column, select:
Detections and Protections
If not already checked, select: Scan for rootkits

Click the Scan tab at the top of the program window, and select: Threat Scan

Next, click: Scan Now

If you receive a message that updates are available, click: Update Now
At this point, the update is downloaded, installed, and the scan starts.
The scan may take some time to finish, so please be patient.

If potential threats are detected, select Quarantine All as the Action for all the listed items.

Next, click: Apply Actions

While still on the Scan tab, click the link for View detailed log
In the window that opens, click the Export button, select Text file (*.txt), and save the log to the Desktop.

Please post the MBAM report in your reply.

1. The log is automatically saved by MBAM and is also viewed by clicking:
History tab > Application Logs.
2. If MBAM encounters a file that is difficult to remove...
Click OK and allow MBAM to proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Next, please download RogueKiller:
RogueKiller Download
Save to the Desktop

After closing all windows and browsers, right-click the downloaded RogueKiller file and select:
Run as Administrator

If your Antivirus program alerts you about the program, please allow it to run, or temporarily disable your AV.

Next, read and Accept the license terms.

At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished)
Press: SCAN

When done, a report opens on the drive: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.

Last, please use the Farbar Recovery Scan Tool once again.
At the program console, click on: Addition.txt

When done, please post both reports (FRST.txt and Addition.txt), and let's see what they show.
16 Dec 2014   #23

Windows 7 64-bit SP1


16 Dec 2014   #24

Windows 7 Home Premium


If downloads are not allowed on Internet Explorer, re-enable them by going to: Tools > Internet Options > Security
In the Security tab, click on: Reset all areas to the default level
You should be able to download from IE.

Please do the following, and DO read the instructions carefully!
Trojan.Poweliks Removal Tool | Symantec

Download the Trojan.Poweliks Removal Tool to the Desktop.
FixPoweliks64.exe for 64-bit computers:

Close all the running programs/windows.
Double-click the FixPoweliks64.exe to start the tool.
Click to accept the EULA

Click Start for the tool to run.

When done, a message prompting you to check the results (FixPoweliks64.log) appears, click: OK
Restart the computer.
Please post the FixPoweliks64.log in your reply.

Right after you finish with the Poweliks Removal Tool, please run RogueKiller and perform a Scan as before.
Please run it from the Desktop.
Post its new RKreport.txt in your reply.

Next, please run FRST64. However, do not run it from H:\; run it from the Desktop as well.
Also post the new FRST64.txt in your reply.

16 Dec 2014   #25

Windows 7 Home Premium


Let's use the following to make sure malware is not lurking in the Master Boot Record...

Download: TDSSKiller
TDSSKiller Download

Select the .exe version
  • Double-click on TDSSKiller.exe to run the program.
  • At the Kaspersky TDSSKiller interface, click: Change parameters
  • Check: Detect TDLFS file system
  • Click: OK
  • Now, click Start Scan and allow the scan to run
  • If any threats are found, select: Skip (Do not select: Delete!!)
  • Click: Continue
  • Click: Reboot computer
When done, please provide the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\)
18 Dec 2014   #26

Windows 7 64-bit SP1

Well, I'll be out of town for the next week, so we will have to continue this then. Thanks for the help though.
18 Dec 2014   #27

Windows 7 Home Premium


If that is the case, please do not use the instructions in Posts #24 and #25.

In addition, you have requested and are accepting help here:
KeyHolder ransomware log - Virus, Trojan, Spyware, and Malware Removal Logs

There is no way I will offer any more help under these circumstances. It is like trying to drive two cars at the same time...a counterproductive endeavor.
18 Dec 2014   #28
Layback Bear

Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64

Good find and decision, cottonball.