infected by poweliks


Please help. My computer has been infected by poweliks. Every time I run a Malwarebytes scan I get two registry keys that show up as infected by rootkit.poweliks (detected item rootkit.poweliks - HKLM\SOFTWARE\CLASSES\CLSID\{73E709EA-.......). It identifies this every time; these are deleted and then I reboot, and it comes back with it again.

I have attached the scan log. Also attached are the scan logs from the Farbar Recovery Scan Tool. Appreciate any help.

Attachments: 8_20.txt, FRST.txt, Addition.txt


Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is an Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies
 
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

May I ask why you ran the ComboFix tool even after a million warnings that this tool shouldn't be run without supervision? I would like to see the ComboFix report located at C:\

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

Attachment: fixlist.txt


I googled and have read a number of articles/forums on poweliks. A number of tools have been suggested (including some by office IT) and I have run them. I didn't realize that ComboFix shouldn't be run without supervision.

ComboFix log and log from fixlist (fixlog.txt) are attached.

Please advise.

 

FYI - This is my personal laptop. I am not connecting it to the internet except for downloading the latest updates to Malwarebytes. Every time I connect to the internet, CPU utilization shoots up (to almost 100%) and I can see iexplore.exe running, taking up huge system resources. This may not be useful; just thought I would mention it.

 

Thanks

Attachments: ComboFix.txt, Fixlog.txt


Thanks.

When I run Malwarebytes nothing is detected. I did notice that when I connect the machine to the internet, CPU utilization shoots up - multiple instances of iexplore.exe show up in Task Manager even though I do not have Internet Explorer open.

Any thoughts? Just not sure if all malware has been cleaned up from the machine.


I connected the machine to the internet (at work) and have captured some screenshots (in the attached documents). These are of the Task Manager (before connecting to the internet and after connecting to the internet). AVG identified a malicious file - I captured that screenshot and the ipconfig results (the IP address of the machine appears a little different; I am not an expert on this, just captured it in case it is helpful).

When connected to the internet I tried installing Firefox and it didn't work (the installer kept running for hours and nothing got installed). I tried to open Internet Explorer and that didn't open.

 

I disconnected from the internet and tried to log off; got a message to forcefully close iexplorer.exe. After forcefully shutting down iexplorer.exe, I was able to start Internet Explorer, connect to the internet and try installing a different browser (Chrome now). Sorry for the long story but I feel like the machine is not behaving normally. After connecting to the internet the second time, I ran FRST and have attached the log.

Please look at the screenshots and FRST log; if you see anything unusual please let me know. Appreciate your help.

Attachments: FRST.txt, task mgr.doc


Mukeshka,


Thank you for posting up detailed information about the issue you are experiencing. I too am seeing the same thing on a client's computer.

 

I responded to a call about a Win 7 desktop that not only is idling at 97% CPU utilization, but is consuming all available memory. Additionally, the local NIC is between 15-30% network utilization and the user had not even launched a browser.

Once onsite, I was able to confirm exactly this and noticed iexplorer.exe was the process responsible for all of this. I could end the process to free up system resources, but just like that it was back, using high memory and climbing until no more was available.

 

I ran the latest version of mbam, downloaded off a separate computer, and it found 24 registry keys infected and over a hundred 'WhiteSmoke' files from users\appdata directory. 

 

Even after cleaning, the problem still persisted. The difference now is that the issue is ONLY apparent when the network cable is connected... Once I disconnect and end iexplorer.exe process, the problem goes away until the next second I reconnect. I even tried ipconfig /release but that didn't seem to help.

 

The newest thing I noticed was multiple popups in the lower right-hand corner from Malwarebytes stating "Blocked. Domain: etc (flyclick.biz was one I remember) IP address: etc. Outbound. Port: 58123" (multiple different ports).

I've tried to ping the IP and run tracert, but they are blocked instantly by Malwarebytes and the only result I am getting back is local 127.0.0.1.
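For anyone triaging the symptoms both posters describe (iexplore.exe instances with no browser window open, CPU load, and the CLSID key that Malwarebytes flagged), here is an added read-only PowerShell triage script. It is not from this thread and not part of any of the tools the helper recommends; it assumes Windows PowerShell 2.0 or later with WMI available, and since the first post only shows the CLSID prefix "{73E709EA-", only that prefix is matched.

```powershell
# Added triage script (not from the thread). Read-only: it lists windowless
# iexplore.exe instances with their parent process and CPU time, then checks
# HKLM and HKCU for a CLSID subkey that starts with the prefix the OP posted.
# Assumptions: Windows PowerShell 2.0+ with WMI; the thread shows only the
# prefix "{73E709EA-" of the flagged CLSID, so that is all we can match.

$clsidPrefix = '{73E709EA-'

function Get-HiddenIexplore {
    # Symptom from the thread: iexplore.exe running although no browser window is open.
    Get-WmiObject Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
        $proc   = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $hasWindow  = [bool]($proc -and $proc.MainWindowHandle -ne 0)
        $cpuSeconds = if ($proc) { [math]::Round($proc.TotalProcessorTime.TotalSeconds, 1) } else { $null }
        New-Object PSObject -Property @{
            Pid         = $_.ProcessId
            Parent      = $parentName
            HasWindow   = $hasWindow
            CpuSeconds  = $cpuSeconds
            CommandLine = $_.CommandLine
        }
    } | Where-Object { -not $_.HasWindow }   # keep only the windowless instances
}

function Get-SuspectClsid {
    # The OP's detection was under HKLM\SOFTWARE\CLASSES\CLSID; HKCU is checked
    # as well because a per-user CLSID entry overrides the machine one for that user.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem $hive -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like "$clsidPrefix*" } |
            ForEach-Object {
                # LocalServer32's default value is the command the COM object launches.
                $server = Get-ItemProperty "$($_.PSPath)\LocalServer32" -ErrorAction SilentlyContinue
                $launch = if ($server) { $server.'(default)' } else { $null }
                New-Object PSObject -Property @{ Key = $_.Name; LocalServer32 = $launch }
            }
    }
}

Get-HiddenIexplore | Format-Table Pid, Parent, CpuSeconds, CommandLine -AutoSize
Get-SuspectClsid   | Format-List
```

Run it from an elevated prompt so the HKLM hive and other users' processes are readable; an empty result for both functions is the expected state on a clean machine.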


Hello TwinHeadedEagle - please advise. It appears another member (RyRyTech) is experiencing something similar.

This morning I connected the machine to the internet and CPU utilization shot up. Multiple instances of iexplore.exe sprang up and CPU utilization shot up. As I was trying to kill one of the iexplore processes, Internet Explorer sprang up and almost took over the whole screen (screenshot attached). The website sultan-search.com showed up. I disconnected from the network immediately and was able to kill the iexplorer process. Ran Malwarebytes but that didn't detect anything.

I ran FRST and have attached the log.

Thank you.

Attachments: Iexplorer.doc, FRST.txt


@RyRyTech

Please open your own topic.

PC seems clean. Let's run one more tool.

Fix with AdwCleaner
 
Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[s*].txt) will open.

Please include the contents of that file in your reply.


I ran ADW. It identifies two things in browsers (Chrome and Firefox - I had Firefox on the machine earlier but I uninstalled it last week when I thought the machine was infected with malware). When I click on the option to clean, the process is completed about 60% and then ADW just closes. I did this twice and it identified the two things in the browser and ADW aborted both times.

Please advise. (The attached Word document has screenshots from ADW, and the log files are attached.)

Attachments: ADW.doc, AdwCleanerS4.txt, AdwCleanerS5.txt, AdwCleanerS6.txt


There is still some trace of malware somewhere - I connected to the internet to get the updates on Malwarebytes. iexplorer.exe was back. I disconnect the wireless by turning off the switch on the side of the computer - the wireless icon still stays intact in the tray. Instead of the wireless network it shows as being connected to 'access point' - I know it is not connected on wireless as the switch is turned off.

The other thing that I noticed is that when the malware gets active after all these scans etc., for a couple of seconds the task bar at the bottom turns white (instead of the standard blue). I am running Malwarebytes now and will share the log.

Do you suggest I run FRST and/or ADW too?

Thanks


Do you know that you had a CryptoLocker infection present?

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

Windows XP end of support warning!

As 8th of April 2014 has passed, this Operating System is no longer supported by Microsoft.
Any patches, updates or security releases have ceased for this System.

This is just information for you if not aware.
My recommendation would be to start thinking about replacing it with some newer edition, like Windows Vista, Windows 7 or Windows 8.


    There is still some trace of malware somewhere - I connected to internet to get the updates on malwarebytes. iexplorer.exe was back.

iexplorer.exe is a legitimate Internet Explorer process; you do not need to worry about it.

    I disconnect the wireless by turning off the switch on the side of the computer - wireless icon still stays intact in tray. Instead of the wireless network it shows as being connected to 'access point' - I know it is not connected on wireless as the switch is turned off.

You're using an outdated operating system and it cannot always work as it should. There are probably a lot of bugs that never got fixed. This cannot be instant; some time needs to pass before this happens. It is normal.

Attachment: fixlist.txt


I realize I am on XP; just not sure how to go about it.

I ran the fixlist and the result log is attached.

Attachment: Fixlog.txt

There is a process that keeps trying to access the internet - a 'work offline' window pops up when I boot. The iexplore.exe process comes up in multiple instances when I connect to the internet, even though I do not have Internet Explorer open. One or sometimes two instances of iexplorer.exe start to take away all system resources - CPU utilization shoots up to almost 100%.

Thanks


Good. We will do a new scan:

Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!

 
Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.


Very good :)

We need one fix with ComboFix :)

Fix with ComboFix

Let's prepare a Script for ComboFix to mark some things for being deleted.

  • Press the Windows key + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script:

    File::
    c:\windows\system32\drivers\mrasxbu.sys
    c:\windows\system32\drivers\bwmdaet.sys
    c:\windows\system32\drivers\amsdm.sys
    c:\docume~1\arora\LOCALS~1\Temp\mfe_rr.sys

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 1
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"=-

    Driver::
    MFE_RR

    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,\
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,8d,06,3e,0b,a8,02,44,bf,2c,2a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,\
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,8d,06,3e,0b,a8,02,44,bf,2c,2a,\
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
  • Name the file CFScript and select Save.

Your CFScript.txt file should appear on your desktop.
 
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Now drag your CFScript file and drop it onto the ComboFix icon.
  • This will start ComboFix. Let it run uninterrupted!
  • A reboot may be needed during this run. Allow it.
  • When finished, it shall produce a log for you at C:\ComboFix.txt and display it.

Please include that log in your next reply.
 
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Do not forget to turn on your previously switched-off protection software!
