Power Eraser Corrupted a Windows Boot Script

I have Norton Security and Backup running on Windows 10 Professional.  Norton suggested running Norton Power Eraser due to, I assume, suspected malware.  I ran it.  Upon reboot I got 3 script error messages.  I then "undid" the Norton Power Eraser activities.  Upon reboot, 2 of the 3 script error messages went away.  But 1 remains.  Every time I boot my PC I get this error message.  I called Norton Tech Support.  First they tried to push me to Microsoft.  I explained this was caused by Norton Power Eraser and someone experienced with Power Eraser could read the log and know exactly what it did and how to fix it.  They insisted there is NO Power Eraser expert and I had to deal with the front-line person who was not knowledgeable.  He didn't seem to even understand what Power Eraser did.  After explaining the problem repeatedly he suggested removing and re-installing JAVA because one of the error screens (second attachment) has the word "javascript" in it.  I told him that won't do anything but he was confident so I did what he asked.  I removed JAVA by uninstalling it from the control panel.  That did not fix it.  The script error message continues.  I rebooted, cleaned my drive, and even did a Power Eraser scan again (which said there were no threats found) and I continue to get the script error message.

The Norton Case Number for this is [Removed]

Attached is a PDF file containing 3 screen shots, one screen shot per PDF page.

First page is a screen-shot of the first window I see when I boot the PC - the script error message.  It's the same every time.  No matter what I click (yes, no, or the windows "X") in that window, I get another window.  That is shown in page 2 of attached PDF.  It's blank except the header which has a bunch of text.  I click the windows "X" and then I can use my PC.  Getting these every time I boot is annoying.

One last hint.  I found the Norton Power Eraser LOG FILE from the scan and remediation that caused the problem.  I searched for all the terms I saw in the second error message window and the only thing that came up was references to "wvii" which is one of the terms in screen shot in page 2 of the attached PDF.  I have no idea if that's relevant to my problem.  As you know, the log file is huge.  There are 11 instances of "wvii" in the log but the one that may be of most relevance, if at all, is in the 3rd page of the attached PDF.

I suspect I need to edit the Windows registry but I don't know.  A Norton expert in Power Eraser ought to be able to tell me exactly what to do upon looking at the log file but Norton is unwilling to escalate my call.

Thank you in advance for any help you may be able to provide.

Greg.


After several days this problem was resolved.  Norton tech support was useless, as explained above.  They didn't understand Norton Power Eraser (NPE) at all and as such offered suggestions that were not relevant to the problem.  But TMcCormick, a Symantec employee who was on the NPE dev team, responded to my post here and was FANTASTIC.  He worked with me via e-messaging to troubleshoot and improve my system.  He sent 10 posts, analyzed my log files, and made thoughtful recommendations.  He even wrote a macro to help edit the registry.  I applaud TMcCormick for showing that there are Norton personnel who are competent and helpful!!!  The registry edits successfully removed the script error reported above.  However, another error popped up.  TMcCormick suspected the threat hadn't been fully removed.  As it turns out he was right.  Although NPE said it resolved the threat and although subsequent NPE scans showed NO THREATS, there was still one that NPE didn't find.  I ran the free version of Malwarebytes and it found, in a scan that lasted only a few minutes, Rootkit.Fileless.MTGen.  It removed that threat and my PC was fine.  The error message was gone as well.

Greg.

Hi Greg.

After not hearing from anyone I contacted for some help, I am not going to wait any longer. It could be Poweliks in some new form. We should make sure that it isn't. Please follow this link.

https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-0511-99

First run the x64 version http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixPoweliks64.exe

and if it doesn't find anything, try the 32 bit version.

http://www.symantec.com/content/en/us/enterprise/media/security_response/tools/FixPoweliks32.exe

I don't expect it will find anything but let me know if it does.

I am able to use the registry information you provided to reproduce the script error in Windows 10. I am pretty confident that it can be removed.

I am going to write a powershell script that cleans up the load points we have discovered so far. 
I will send you a private message with directions sometime later today.

Thanks


Hi.

Thank you for sending me these. they are very informative. I will have to contact you privately once I figure out a couple things.

Timothy McCormick
Symantec

Tim McCormick,

Thanks again for the GREAT information and support!  The Norton Support center suffered a great loss when you left!

I spent hours searching the Windows Registry.  It kept failing.  What I was able to do was to export all the "wvii" search matches.  Those are all attached.  I exported the branches above the "wvii" entry.  Note that when I exported them it was *.reg format.  I inadvertently double-clicked it and merged it into my registry.  Since this forum doesn't support that format I simply changed the extensions from *.reg to *.txt.  Those are attached.  I explained in the filename what branch it was in.  Note that the first 3 attached exports of the registry (the ones with 99f176 in the filename) all contain the exact line from the script error (window #2 in the window heading bar).  So, I suspect that's what we're looking for!  Tell me if you need another export of something more specific?

For "\x00gfbyhnn" the searches kept timing out.  I did search by folder but even that didn't work.  What I can do is export an entire folder for you (like HKEY CLASSES) but that's 68MB so not sure you want me to do that?  Also, I don't know if by uploading the entire registry publicly I expose passwords or other vulnerabilities?  I'll do whatever you suggest.  Just be specific.  Maybe there is a particular branch of a particular folder I should upload, like the system folder in HKEY CLASSES or something?  Let me know.

If you can tell me how to disable the failing load point that would be exactly what I'm looking for.  I can do it in the registry editor if you're specific.  But if there is another way, great, since editing the registry is dangerous, as you know.  But I'm happy to.  Have done it before.

Regarding your other questions:
Do you remember what threat the product found before you ran Power Eraser?  NO

Or what the Product's message to run Power Eraser indicated. Was it due to an abstract behavior like "high network traffic" or "unusual activity detected in a running process" or was it a detection like "bloodhound"?  IT WAS ABSTRACT AND DID NOT CONTAIN THE WORD "BLOODHOUND" BEST I CAN RECALL.  IT WAS NORTON SECURITY & BACKUP THAT GAVE ME A POP-UP ALERT SAYING SOMETHING LIKE BLOCKED INTRUSION ATTEMPT OR MAYBE UNUSUAL ACTIVITY.  IT THEN RECOMMENDED RUNNING NORTON POWER ERASER.  I CLICKED THE LINK AND DID THAT.

Thanks again,

Greg.

Hello Greg

I think there should be some information as to names of malware in the History logs in resolved threats and unresolved threats. That might give you some clues as to what malware Norton had found originally.

Thanks.

Hi.

Thanks for sending the logs. I don't see much out of the ordinary. At work tomorrow I will run a diff on them to see if I missed anything. I didn't notice before that some of the registry keys are duplicated. This occurs when the keys are redirected but can also happen if the 32-bit registry has the same settings as the 64-bit. This may be both. That is why it runs the script more than once. That may explain the multiple instances of the script running.

You have Windows 10 x64 and Norton 22.6. No files were detected that scored badly and no files were removed by Power Eraser. Only registry run keys with the load point and a reference to software\wvii key were removed. It is very rare to find a threat without any files on the system.

This might be a legitimate Windows Store app, or something written in JavaScript that is new to Windows 10. Normally we look for a known threat called "Poweliks" in the run key that does something similar to what we see this load point doing. The script you are running does not match this threat but Power Eraser finds threats based on evidence and not signatures like the product does.

What the logs show is the registry key and the name of the value. But it omits the string data the value is holding. Now, I need to see the data for all the instances it restored. You would have to search the registry for both strings "wvii" and "\x00gfbyhnn". Remove the quotes. There will be 3 hits or more for each search. Since one is a key and one is a value it will be easiest if you exported the keys to a file. But if you have no experience doing this I really should not request it.

You have Windows 10 and there are other ways to get this information. I just need to find the best way. I will have to do some investigation.

The failing load point can be disabled on Windows 10 without the registry editor. I still need to see the registry data first.

Do you remember what threat the product found before you ran Power Eraser? Or what the Product's message to run Power Eraser indicated. Was it due to an abstract behavior like "high network traffic" or "unusual activity detected in a running process" or was it a detection like "bloodhound"?

If you feel like you can get the data from the registry please post it here.  I will speak to some other people working on Power Eraser currently to see if they have encountered this. And see if I can find anything in Windows 10 that may be doing this. And find some easy way to get the data without regedit.

I worked in Tech Support when I was hired here. I could not follow the rules and was always in trouble with my bosses. It is a hard job.

Thanks for working with me

Tim McCormick
Symantec

Hi Tim.  Thanks very much for your thoughtful answer.  Below are some comments from me embedded in yours.  My comments will be ALL CAPS.  Also, attached is the full Power Eraser log. Thanks for reviewing that for me since I can't make any sense of it at all.  Very generous of you to offer that!

--------------------------------

TIM'S EMAIL WITH MY COMMENTS IN ALL CAPS:

If you want to provide the entire power eraser log that would give me a better idea of how embedded this threat is and hopefully reveal its intentions.  I NO LONGER NEED TO KNOW WHAT THE THREAT IS BECAUSE POWER ERASER SUCCESSFULLY REMOVED THE THREAT.  THE PROBLEM IS THAT IT APPEARS TO ME THAT BY REMOVING THE THREAT THE REMNANT IS THIS SCRIPT ERROR I'M TRYING TO GET RID OF.  I SUSPECT POWER ERASER REMOVED MALICIOUS PROGRAMS THAT ARE REFERENCED IN THE WINDOWS REGISTRY WITHOUT CHANGING THE WINDOWS REGISTRY PROPERLY.  AS A RESULT, THE REGISTRY IS TRYING TO CALL UP PROGRAMS THAT AREN'T THERE.  OR, POWER ERASER DIDN'T CHANGE THE REGISTRY PROPERLY.  SO, IF YOU CAN FIND THE PLACES WHERE POWER ERASER CHANGED MY SYSTEM IN THE LOG, THAT WILL TELL US WHERE THE PROBLEM IS.  BUT NOTE THAT AFTER POWER ERASER MADE CHANGES I SAW 3 SCRIPT ERRORS.  THEN I "UNDID" THE POWER ERASER CHANGES.  THAT ELIMINATED 2 OF THE 3 SCRIPT ERRORS.  SO, YOU WILL LIKELY SEE 3 CHANGES IN THE LOG. ONLY ONE OF THEM REMAINS AS THE PROBLEM.  IF YOU LOOK AT THE ACTUAL SCRIPT ERROR THAT I ATTACHED ABOVE YOU SHOULD BE ABLE TO MATCH THAT TO ONE OF THE 3 CHANGES POWER ERASER MADE.  THAT'S WHERE THE SPECIFIC PROBLEM IS.  ALTERNATIVELY, I'VE INCLUDED IN THE ATTACHED ZIP FILE ALL 3 LOG FILES FROM THAT DAY.  THOSE 3 LOG FILES CORRESPOND TO THE INITIAL SCAN/REMEDIATION, THE "UNDO," AND THE SUBSEQUENT SCAN I DID THAT FOUND EVERYTHING WAS CLEAR OF ANY THREATS.  SO, YOU CAN COMPARE THE FIRST 2 LOG FILES TO FIND OUT WHAT IT WAS ABLE TO DO AND NOT ABLE TO DO TO FIND THE REMAINING SCRIPT ERRORS.  THESE ARE ALL ASSUMPTIONS ON MY PART, OF COURSE.  I DON'T KNOW HOW NPE LOG FILES ARE CREATED OR WHEN.  ONCE THE PROBLEM IS FOUND, THE SOLUTION ISN'T TO ELIMINATE THE THREAT BUT, INSTEAD, TO EDIT THE REGISTRY (IF THAT'S THE PROBLEM) TO NO LONGER MAKE REFERENCE TO THE PROGRAM THAT WAS REMOVED OR TO FIX THE REGISTRY IN SOME WAY (FIX WHATEVER PROBLEM POWER ERASER CREATED).  
BY THE WAY, I OFFERED TO SEND NORTON TECH SUPPORT THE LOG FILE AND SCREEN SHOTS OF THE SCRIPT ERRORS BUT THEY SAID THERE IS NO WAY TO DO THAT....

You don't see any other problem with your system now and you didn't have any apparent problem at the time you ran Power Eraser. The problem started after you remediated the loadpoint. Running UNDO did not fix the problem. - NOT QUITE.  NORTON ANTIVIRUS DETECTED A THREAT AND THEN RECOMMENDED RUNNING POWER ERASER.  I DID.  THEN POWER ERASER FOUND A FEW THREATS, REMOVED THEM, MODIFIED MY SYSTEM, AND THEN I GOT 3 SCRIPT ERRORS.  I THEN DID A POWER ERASER "UNDO" AND 2 OF THE SCRIPT ERRORS WENT AWAY BUT I STILL GET ONE OF THEM.  IT HAPPENS RIGHT AFTER WINDOWS STARTS AND THE SCREENS FROM THAT SCRIPT ERROR ARE ATTACHED EARLIER IN THIS THREAD.

It could be a rootkit and it created a new load point after power eraser removed the old one.  Did you let power eraser run the rootkit scan or just the file scan? The rootkit scan is the default, but because it reboots many people are not willing to run it. - I LET POWER ERASER REBOOT PRIOR TO THE SCAN.  I JUST TOLD POWER ERASER TO SCAN AND DID NOT DO ANYTHING DIFFERENT THAN WHAT IT TOLD ME TO DO.  I ASSUME, THEREFORE, THAT POWER ERASER RAN THE ROOTKIT SCAN.

If you would rather not mess with Power Eraser anymore there are other free products available from other security vendors that will let you have a second opinion. AS MENTIONED, THERE IS NO LONGER A THREAT ON THE PC, I ASSUME.  WHEN I DID A POWER ERASER SCAN LATER IT SAID THERE WERE NO THREATS.  EVERYTHING IS WORKING FINE SO I BELIEVE THAT.  EXCEPT THE WINDOWS SCRIPT ERROR REPORTED. 

If this link is visible it will take you to a different forum thread with a list of alternatives. https://community.norton.com/en/comment/6174931#comment-6174931

Please post the power eraser xml log and I will look at it.  IT IS ATTACHED.  NOTE THAT I'VE INCLUDED 3 LOG FILES (EACH .XML) IN THE ATTACHED ZIP FILE.  THE FILE NAME NUMBERS ARE IN SEQUENCE CORRESPONDING TO THE ORDER THEY WERE DONE OVER TIME.  THE FIRST ONE WAS CREATED AFTER THE REMEDIATION.  THEN I DID THE UNDO AND IT CREATED THE SECOND ONE, I ASSUME.  THEN I DID A SCAN AGAIN AND IT CREATED THE THIRD ONE.  OR SOMETHING LIKE THAT.  JUST NOTE THAT I DID A SCAN/REMEDIATION, DID AN UNDO, THEN SCANNED AGAIN.  I DON'T KNOW EXACTLY HOW POWER ERASER CREATES LOG FILES BUT I SENT ALL 3 FOR THAT DAY IN THE ATTACHED ZIP.

THANKS AGAIN!  GREG.

Hi

If you want to provide the entire power eraser log that would give me a better idea of how embedded this threat is and hopefully reveal its intentions. 

It looks suspicious but I don't have enough information to say for sure. 

You don't see any other problem with your system now and you didn't have any apparent problem at the time you ran Power Eraser. The problem started after you remediated the loadpoint. Running UNDO did not fix the problem.

It could be a rootkit and it created a new load point after power eraser removed the old one. 

Did you let power eraser run the rootkit scan or just the file scan? The rootkit scan is the default, but because it reboots many people are not willing to run it. If you did not run the Power Eraser rootkit scan you should. If you would rather not mess with Power Eraser anymore there are other free products available from other security vendors that will let you have a second opinion. If this link is visible it will take you to a different forum thread with a list of alternatives. https://community.norton.com/en/comment/6174931#comment-6174931

Please post the power eraser xml log and I will look at it.

Thanks,

Tim McCormick
Symantec

Thank you Tim! In response to your questions:
What am I trying to resolve? I don’t want the script error windows to pop up every time I boot.
Is there a malware problem? Not that I know of. As I said, Norton antivirus detected a problem (malware I assume) and told me to run Power Eraser to fix it. I did and then when I got the script errors I did an “undo” but the script error you see remained. I ran Power Eraser again (including today) and no threats were found. So let’s assume there is no malware.
Am I trying to run a program affected by malware? No. Everything on my PC runs fine except those pesky script error windows that pop up when I boot.

So, how do I get rid of the script errors? I assume I need to edit the registry but I don’t know what to do. You say: “This javascript on page 2 is launched from a load point in the registry run key called “\x00gfbyhnn”.”. Should I search for that in the registry and delete it or something? I can search for that string in the Power Eraser log file and then post the section of the log file that has the details related to that?

Hi.

Tech support is correct about the support policy. I worked on the tool when it was in development and I can help you understand why the tool did what it did.

I looked at your PDF. This JavaScript on page 2 is launched from a load point in the registry run key called "\x00gfbyhnn". The script error occurs as this command is run. JavaScript does not require the Java programming language to be installed to execute. Normally JavaScript is executed inside a web browser. It can execute from the run key if the script is written correctly. From the part of the script you are showing, this script is creating a Windows Scripting Host object that will let it interact with your computer in a way that is considered unsafe. That is why Power Eraser calls it a threat. I can't identify a legitimate program that operates like this. 

The error you are getting on page 1 is saying that this single string of script has a bad character at the 148th position. I didn't count the number of characters visible, but it doesn't show any invalid characters in the screenshot. Your screenshot does not contain the entire script.

What are you trying to resolve? Is there a problem with some malware that caused you to run Power Eraser? Are you trying to make whatever this program is work again? Do you know what this program is?  wvii is probably a random string, but if it was legitimate you will have installed it and it will be present in the add remove programs control panel applet. It will have an uninstaller. Many programs will add third party things in the run key for various reasons. One of the most common is to nag you to register it. In most cases programs will not try to circumvent windows security by running javascript from the run key.

I hope this helps.

Tim McCormick
Symantec
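
The two technical points Tim makes in this thread, a script load point living in a Run key under a value name that starts with a NUL byte (the "\x00gfbyhnn" name regedit cannot show), and the same value turning up twice because of 64-bit/32-bit (Wow6432Node) redirection, can be checked from PowerShell without hunting through regedit. The script below is an added example for this page; it is not Tim's script, not Greg's registry export, and not part of Norton Power Eraser or any Symantec tool. The marker strings, the backup folder and the assumption that .NET returns a NUL-prefixed value name intact are mine; only the "wvii" key name and the "javascript"/Windows Script Host details come from the thread. Run it from an elevated PowerShell to cover HKLM, first without -Remove to see the report, then with -Remove -WhatIf, then with -Remove.

```powershell
<#
Added example for this thread (not Tim's script and not part of any Norton/Symantec tool).
Audits the Run/RunOnce load points in both the 64-bit and 32-bit (Wow6432Node) registry
views, flags values whose NAME contains a control character (a "\x00..." name that regedit
cannot display or delete) or whose DATA contains one of the marker strings, reports what the
"Software\wvii" key holds without dumping the whole hive, and, only with -Remove, exports
the affected key with reg.exe before deleting the value.
Assumptions not stated on the page: the marker list, the backup folder, and that .NET
returns a NUL-prefixed value name intact (if a hit shows an empty name, fall back to
"reg query ... /reg:32" or "/reg:64"). Run elevated to see and edit HKLM.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Markers   = @('javascript:', 'mshtml', 'WScript.Shell', 'wvii'),   # assumed markers
    [string]  $DataKey   = 'Software\wvii',                                       # key name from the NPE log
    [switch]  $Remove,
    [string]  $BackupDir = (Join-Path $env:USERPROFILE 'Desktop\runkey-backup')   # assumed location
)

$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'
$hives   = @{ HKCU = [Microsoft.Win32.RegistryHive]::CurrentUser
              HKLM = [Microsoft.Win32.RegistryHive]::LocalMachine }
$views   = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32

# Make control characters visible: a leading NUL prints as \x00 instead of vanishing.
function Show-Name([string]$Name) {
    [regex]::Replace($Name, '[\x00-\x1f]', { param($m) '\x{0:x2}' -f [int][char]$m.Value })
}

# A value is suspicious if its name hides from regedit or its data carries a marker.
function Test-RunValue([string]$Name, [string]$Data, [string[]]$Markers) {
    $hidden = $Name -match '[\x00-\x1f]'
    $hit    = $Markers | Where-Object { $Data -and $Data.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
              Select-Object -First 1
    [PSCustomObject]@{ HiddenName = [bool]$hidden; Marker = $hit; Suspicious = ([bool]$hidden -or [bool]$hit) }
}

$findings = New-Object System.Collections.Generic.List[object]
foreach ($label in $hives.Keys) {
    foreach ($view in $views) {
        # OpenBaseKey with an explicit view walks the 64-bit and the Wow6432Node copy separately.
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hives[$label], $view)
        foreach ($sub in $runKeys) {
            $key = $base.OpenSubKey($sub, $false)
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
                $t = Test-RunValue $name $data $Markers
                $findings.Add([PSCustomObject]@{
                    Hive = $label; View = "$view"; Key = $sub; Name = (Show-Name $name); RawName = $name
                    Data = $data; HiddenName = $t.HiddenName; Marker = $t.Marker; Suspicious = $t.Suspicious
                })
            }
            $key.Close()
        }
        # The NPE log referenced Software\wvii: report each value's size and prefix only.
        $dk = $base.OpenSubKey($DataKey, $false)
        if ($dk) {
            foreach ($n in $dk.GetValueNames()) {
                $v = [string]$dk.GetValue($n)
                Write-Host ("{0}\{1} [{2}] '{3}': {4} chars, begins: {5}" -f $label, $DataKey, $view,
                    (Show-Name $n), $v.Length, $v.Substring(0, [Math]::Min(60, $v.Length)))
            }
            $dk.Close()
        }
        $base.Close()
    }
}

# Sorting by name then view puts the 64-bit and 32-bit copies of one value side by side;
# on a key Windows does not redirect, both views show one and the same value.
$findings | Sort-Object Hive, Key, Name, View |
    Format-Table Hive, View, Key, Name, Suspicious, Marker, HiddenName, Data -AutoSize -Wrap

if ($Remove) {
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    foreach ($f in ($findings | Where-Object Suspicious)) {
        $regPath = '{0}\{1}' -f $f.Hive, $f.Key
        $bits    = if ($f.View -eq 'Registry32') { '/reg:32' } else { '/reg:64' }
        $file    = Join-Path $BackupDir ('{0}-{1}-{2}.reg' -f $f.Hive, $f.View, (Get-Date -Format 'yyyyMMdd-HHmmss'))
        if ($PSCmdlet.ShouldProcess("$regPath value $($f.Name)", 'export key, then delete value')) {
            & reg.exe export $regPath $file /y $bits | Out-Null     # .reg backup; merging it restores the key
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hives[$f.Hive], $f.View)
            $key  = $base.OpenSubKey($f.Key, $true)
            $key.DeleteValue($f.RawName)                           # .NET can delete names regedit cannot
            $key.Close(); $base.Close()
        }
    }
}
```

Two design points worth noting. The report shows the raw value data, which is what Tim asked for and what the NPE log omits, and it does so only for the Run keys and the one named data key, so nothing like the 68 MB HKEY_CLASSES export (with whatever secrets it carries) has to leave the machine. Deletion goes through reg.exe export first, in the same .reg format Greg used, so the change can be undone by merging the backup; and it goes through .NET rather than Remove-ItemProperty because a value name that begins with a NUL cannot be addressed by the registry provider or by regedit.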