Powerliks Infection

Rich-M · Dec 1, 2014

From Ken Dwight's Newsletter (the Virus Doctor):

An update on a new category of virus called Poweliks. This has become one of the most widespread pieces of malware in the past two months, and removing it is significantly different from anything we have faced before. Here is my latest update on it:

Click here:Here

starbuck · Dec 1, 2014

He seems a little behind the times with that.

The first solution I distributed involved use of RogueKiller, from Adlice Software. That
procedure was effective, if a bit involved.

I’ve heard, the Farbar Recovery Scan Tool is effective in finding and
removing Poweliks infections. It is also the most
confusing to use (for me, at least!),

We've been using both these for some time now.
Problems reading and understanding the reports will always happen when you try to use tools that you are not familiar with ( or trained in)

ESET offers a free Poweliks removal tool,

If anyone wants instructions:

Please download Powelikscleaner (by ESET) and save it to your Desktop.

Double-click ESETPoweliksCleaner.exe to start the tool.
Read the terms of the End-user license agreement and click Agree if you agree to them.
The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
The tool will produce a log in the same directory the tool was run from.
Please copy and paste the log in your next reply

and the type of report you can expect:

[2014.11.04 19:38:24.612] - Begin
[2014.11.04 19:38:24.612] -
[2014.11.04 19:38:24.612] - ....................................
[2014.11.04 19:38:24.612] - ..::::::::::::::::::....................
[2014.11.04 19:38:24.612] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Poweliks
[2014.11.04 19:38:24.628] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.0.0.1
[2014.11.04 19:38:24.628] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Oct 15 2014
[2014.11.04 19:38:24.628] - .::EE:::::::::::::SS:.EE..........TT......
[2014.11.04 19:38:24.628] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright (c) ESET, spol. s r.o.
[2014.11.04 19:38:24.628] - ..::::::::::::::::::.................... 1992-2013. All rights reserved.
[2014.11.04 19:38:24.628] - ....................................
[2014.11.04 19:38:24.628] -
[2014.11.04 19:38:24.628] - --------------------------------------------------------------------------------
[2014.11.04 19:38:24.628] -
[2014.11.04 19:38:24.628] - INFO: OS: 6.1.7601 SP1
[2014.11.04 19:38:24.628] - INFO: Product Type: Workstation
[2014.11.04 19:38:24.628] - INFO: WoW64: False
[2014.11.04 19:38:24.628] - INFO: Machine guid: 5F2EDDFD-8FAD-42BF-B824-D1D940424289
[2014.11.04 19:38:24.628] -
[2014.11.04 19:38:24.628] - INFO: Scanning for system infection...
[2014.11.04 19:38:24.628] - --------------------------------------------------------------------------------
[2014.11.04 19:38:24.628] -
[2014.11.04 19:38:24.628] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.04 19:38:24.628] - WARNING: Found infected value [ a] = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")'
[2014.11.04 19:38:24.628] - WARNING: Found infected value [ a] = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")'
[2014.11.04 19:38:24.628] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.04 19:38:24.628] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.04 19:38:24.628] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.04 19:38:24.628] - INFO: Processing classes...
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{11CD84A3-A5E0-43CB-B3DF-92C623C0E0E0}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{22756E83-8EBC-4B16-A4A4-0AA73BE497B1}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{2A235D7E-0358-40E2-B51A-DE22F8F5C50D}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{56C94D6A-7370-4885-A04E-7097FE4E0BAF}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{672CDBDB-0270-4EB9-83EC-216377522D21}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{841BFDCA-6A9A-4EBC-BC7E-194AA5DCE428}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{94330D48-EB33-49BB-87F1-AD8C0352C010}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{BE13040F-26A4-4DC4-A537-5C8C1D76FEDD}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{F7CA46A9-ACA5-45A6-967E-03FF5A282D01}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{11CD84A3-A5E0-43CB-B3DF-92C623C0E0E0}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{22756E83-8EBC-4B16-A4A4-0AA73BE497B1}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{2A235D7E-0358-40E2-B51A-DE22F8F5C50D}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{56C94D6A-7370-4885-A04E-7097FE4E0BAF}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{672CDBDB-0270-4EB9-83EC-216377522D21}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{841BFDCA-6A9A-4EBC-BC7E-194AA5DCE428}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{94330D48-EB33-49BB-87F1-AD8C0352C010}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{BE13040F-26A4-4DC4-A537-5C8C1D76FEDD}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{F7CA46A9-ACA5-45A6-967E-03FF5A282D01}]
[2014.11.04 19:38:24.628] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:24.628] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:24.628] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:24.628] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.04 19:38:24.628] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.04 19:38:24.628] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.04 19:38:24.628] - INFO: Win32/Poweliks found
[2014.11.04 19:38:28.372] - INFO: process: dllhost.exe, pid 1020, parent 2340
[2014.11.04 19:38:28.372] - INFO: Terminated process pid = 1020
[2014.11.04 19:38:28.372] - INFO: process: dllhost.exe, pid 3588, parent 580
[2014.11.04 19:38:28.372] - INFO: process: dllhost.exe, pid 2128, parent 580
[2014.11.04 19:38:28.372] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.04 19:38:28.372] - INFO: Deleted infected value [ a] = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")'
[2014.11.04 19:38:28.372] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.04 19:38:28.388] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.04 19:38:28.388] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.04 19:38:28.388] - INFO: Processing classes...
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{11CD84A3-A5E0-43CB-B3DF-92C623C0E0E0}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{22756E83-8EBC-4B16-A4A4-0AA73BE497B1}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{2A235D7E-0358-40E2-B51A-DE22F8F5C50D}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{56C94D6A-7370-4885-A04E-7097FE4E0BAF}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{672CDBDB-0270-4EB9-83EC-216377522D21}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{841BFDCA-6A9A-4EBC-BC7E-194AA5DCE428}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{94330D48-EB33-49BB-87F1-AD8C0352C010}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{BE13040F-26A4-4DC4-A537-5C8C1D76FEDD}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{F7CA46A9-ACA5-45A6-967E-03FF5A282D01}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{11CD84A3-A5E0-43CB-B3DF-92C623C0E0E0}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{22756E83-8EBC-4B16-A4A4-0AA73BE497B1}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{2A235D7E-0358-40E2-B51A-DE22F8F5C50D}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{56C94D6A-7370-4885-A04E-7097FE4E0BAF}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{672CDBDB-0270-4EB9-83EC-216377522D21}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{841BFDCA-6A9A-4EBC-BC7E-194AA5DCE428}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{94330D48-EB33-49BB-87F1-AD8C0352C010}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{BE13040F-26A4-4DC4-A537-5C8C1D76FEDD}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{F7CA46A9-ACA5-45A6-967E-03FF5A282D01}]
[2014.11.04 19:38:28.388] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:28.388] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:28.388] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:28.388] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.04 19:38:28.388] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.04 19:38:28.388] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.04 19:38:28.388] - INFO: Cleaning status: 0
[2014.11.04 19:38:30.837] - End

Rich-M · Dec 1, 2014

I honestly cannot figure our Farbar either though Rogue Killer I use all the time....

starbuck · Dec 2, 2014

I honestly cannot figure our Farbar either

Mmm so while you can't understand it.... I get to keep my job. :big_ha:

To be fair, FRST has been around for 4 years now and obviously i have followed the development.
It easier to understand when you follow something from the beginning.... all the changes are gradual.
Coming in now and trying to follow the tutorial is a bit heavy going.

Rich-M · Dec 2, 2014

Yep Pete your job is definitely safe with me!

IceMan37 · Jan 3, 2015

Just ran the poweliks tool no threat found.

Rich-M · Jan 3, 2015

I run that on every system I look at and never find anything there.

starbuck · Jan 4, 2015

In the last 3 months or so, i've only ever come across this infection once.

This has become one of the most widespread pieces of malware in the past two months

I think that quote is a bit of an over statement.

Rich-M · Jan 4, 2015

I'll say. I should check the date on that newsletter as I am not sure it was current. He may have been forwarding some to me to catch up now that I think about it.

Powerliks Infection

Rich-M

Well-Known Member

starbuck

Malware Removal Specialist - Administrator

Rich-M

Well-Known Member

starbuck

Malware Removal Specialist - Administrator

Rich-M

Well-Known Member

IceMan37

Active Member

Rich-M

Well-Known Member

starbuck

Malware Removal Specialist - Administrator

Rich-M

Well-Known Member