Poweliks Infection

[MaximusTX]

Hello.  I have been infected with the Poweliks please help.

[LiquidTension]

Hello MaximusTX, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. 
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

• Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
• Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
• Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
• Please backup important documents before proceeding with my instructions.
• If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
• Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
• Ensure you are following this topic. Click  at the top of the page. 
   

======================================================

 

STEP 1
 Farbar Recovery Scan Tool (FRST) Scan

• Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
• Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
• Right-Click FRST.exe / FRST64.exe and select  Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
   

STEP 2
 TDSSKiller Scan

• Please download TDSSKiller and save the file to your Desktop.
• Right-Click TDSSKiller.exe and select  Run as administrator to run the programme.
• Click Change parameters. Place a checkmark next to Detect TDLFS file system and Verify file digital signatures.
• ​Click Start Scan. Do not use the computer during the scan.
• If objects are found, change the action to skip.
• Click Continue and close the window.
• A log will be created and saved to the root directory (usually C:\). Attach the file in your next reply. 
   

======================================================
 
STEP 3
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• FRST.txt
• Addition.txt
• TDSSKiller log (attached)

[MaximusTX]

Here are the txt files

FRST.txt

Addition.txt

[MaximusTX]

Here is TDS log

TDSSKiller.3.0.0.40_18.10.2014_23.15.23_log.txt

[LiquidTension]

Unfortunately, your computer is infected with a rootkit. As such, I must issue the following warning. Please let me know how you wish to proceed. 

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

Please disconnect your computer from the internet immediately. If your computer was used for online banking, has credit card information or other sensitive data,using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, paypal, online forums, etc). Consider these accounts already compromised.

Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat the hard drive and reinstall the Operating System. Please read the following articles for more information.

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Where to draw the line? When to recommend a format and reinstall?

Please let me know how you wish to proceed, and if you have any questions.

[MaximusTX]

My apologies.  I tried to copy and paste but was unable.  So I sent the files.

[MaximusTX]

I understand.  I have changed passwords and I am ready to proceed.

[MaximusTX]

BTW.  I had to disable Norton Virus protection to download Farbar Tool.  It said it was infected with WS Reputation1.

[LiquidTension]

Hello, 
 

BTW.  I had to disable Norton Virus protection to download Farbar Tool.  It said it was infected with WS Reputation1.

This is a false-positive, and can be safely ignored. 

 

Norton must also be disabled whilst running ComboFix. 

 

STEP 1
 ComboFix

• Note: Please read through these instructions before running ComboFix. 
• Please download ComboFix and save the file to your Desktop. << Important!
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Right-Click ComboFix.exe and select  Run as administrator to run the programme.
• Follow the prompts. 
   
• Allow ComboFix to complete it's removal routine (please refer to Important Notes:).
• Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
• Re-enable your anti-virus software.
   

Important Notes:

• Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
• Do NOT use your computer whilst ComboFix is running.
• Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
   
• If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
• ComboFix will disconnect your machine from the Internet as soon as it starts.
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
• If you are unable to access the Internet after running ComboFix, please reboot your computer. 
   

STEP 2
 Farbar Recovery Scan Tool (FRST) Scan

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
   

======================================================

STEP 3
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• ComboFix.txt
• FRST.txt
• Addition.txt

[MaximusTX]

Here is ComboFix and FRST txts

ComboFix.txt

FRST.txt

Addition.txt

[LiquidTension]

MaxiumusTX, 

 

Is that the full ComboFix log? It's incomplete. 

Please check. 

[MaximusTX]

I'll rerun.  I think Norton came back on

[LiquidTension]

OK. Let me know how you get on. 

[MaximusTX]

Here are ComboFix and FRST again

ComboFix.txt

FRST.txt

Addition.txt

[LiquidTension]

Hello, 

 

Please consider the following warnings, and proceed with the instructions below.
 

Registry Cleaner Warning
 
------------------------------
 
I see you have registry cleaner software (Wise Registry Cleaner 8.23) installed on your computer. Registry cleaners and optimization tools that claim to speed up your computer should be avoided, and are potentially dangerous. By running a registry cleaner you are risk rendering your machine unbootable. There is no statistical evidence to back claims that cleaning the registry will improve performance. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potential dangerous product.

• Some registry cleaners employ aggressive cleaning routines that may cause substantial damage to your system, and could render your machine unbootable.
• Not all registry cleaners backup the registry. When modifying the registry, one should always create a backup.
• The usefulness of cleaning one's registry is disputable; there is no statistical evidence to support the claim that cleaning the registry will improve system performance. 

Please refer to the following article on why you should not use registry cleaner software. I suggest reading why Microsoft does not support the use of registry cleaners as well.

 

Spybot S&D No Longer Recommended

------------------------------

MVPS.org is no longer recommending Spybot S&D due to poor testing results (scroll down and read under Freeware Antispyware Products).

I would strongly advise uninstalling Spybot S&D. The presence of this programme can make the cleaning of your computer more difficult. You can uninstall the programme by:

• Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
• Search for Spybot, right-click the entry and click Uninstall.

Please inform me of your decision.

 

 

Did you install the following Firefox extensions?

• FF Extension: WBE Paste
• FF Extension: Starfield Zoom

 
STEP 1
 Uninstall Software

• Press the Windows Key  + r on your keyboard at the same time. Type appwiz.cpl and click OK.
• Search for the following programmes, right-click and click Uninstall.
• Note: Ensure you decline offers of additional software if applicable.
  • Spybot - Search & Destroy
  • Wise PC 1stAid 1.35
  • Wise Registry Cleaner 8.23
  • Yahoo! Toolbar 
• Follow the prompts.
• Reboot if necessary.
   

STEP 2
 Farbar Recovery Scan Tool (FRST) Script

• Press the Windows Key  + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  startHKU\S-1-5-21-4185530137-3615135834-1674662940-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM-x32 - DefaultScope value is missing.SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = SearchScopes: HKCU - {AE927076-6E8B-4E85-B166-B5295ED6AFDC} URL = SearchScopes: HKCU - {DBF98313-4A9D-4969-B9D5-5D5B3D5BB783} URL = BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} ->  No FileBHO-x32: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} ->  No FileBHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} ->  No FileToolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No FileToolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No FileHandler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No FileHKU\S-1-5-21-4185530137-3615135834-1674662940-1000\Software\Classes\exefile:  <===== ATTENTION!Folder: C:\Users\dub_cm_autoreg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdAwareTray" /fCMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: netsh int ipv4 resetCMD: netsh int ipv6 resetCMD: bitsadmin /reset /allusersEmptyTemp:end

• Click File, Save As and type fixlist.txt as the File Name. 
• Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
   

STEP 3
 AdwCleaner

• Please download AdwCleaner and save the file to your Desktop.
• Right-Click AdwCleaner.exe and select  Run as administrator to run the programme.
• Follow the prompts. 
• Click Scan. 
• Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
• Ensure anything you know to be legitimate does not have a checkmark, and click Clean. 
• Follow the prompts and allow your computer to reboot. 
• After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 4
 Junkware Removal Tool (JRT)

• Please download Junkware Removal Tool and save the file to your Desktop.
• Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Right-Click JRT.exe and select  Run as administrator to run the programme.
• Follow the prompts and allow the scan to run uninterrupted. 
• Upon completion, a log (JRT.txt) will open on your desktop.
• Re-enable your anti-virus software.
• Copy the contents of JRT.txt and paste in your next reply.
   

======================================================

STEP 5
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Did you install the FF extensions?
• Did the programmes uninstall OK?
• Fixlog.txt
• AdwCleaner[s0].txt
• JRT.txt

[MaximusTX]

I didn't install any Firefox extensions.  I have deleted: SPYBOT, WISE  PC 1st Aid, WISE Registry Cleaner and Yahoo Toolbar.  Rebooted and will follow remaining.

[MaximusTX]

Here are the txt files.

Fixlog.txt

AdwCleanerS4.txt

JRT.txt

[LiquidTension]

Good job.

How is your computer performing? Are there any outstanding issues?

[MaximusTX]

I don't see any COM Surrogate in services.  But there are 2 iexplorers (iexplorer and iexplorer *32). Is that normal?  Other than that it seems fine.

[MaximusTX]

I've done a little reading on this new viral attack.  Obviously it's very sneaky.  What steps are there to prevent it from re-occurring since it bypasses the protections that are currently in place, if any?

[LiquidTension]

Yes, that's normal.

I'm heading out now, but will return with instructions later. We need to check for remants/confirm the machine appears clean, update your vulnerable software and remove the tools we've used.

At the end of this process I will provide information on the infection, common infection vectors and how you can reduce the risk of reinfection.

[MaximusTX]

Ok.

[LiquidTension]

Hello, 

 

Lets check for remnants and confirm your machine appears free of malware. 

 

STEP 1
 Malwarebytes Anti-Malware (MBAM)

• Please download the updated Malwarebytes Anti-Malware to your Desktop. 
• Double-click mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme. 
• Launch the programme and click Update.
• Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
• Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
• Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• Click Copy to Clipboard and paste the log in your next reply. 
   

STEP 2
 ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

• Please download ESET Online Scan and save the file to your Desktop.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Double-click esetsmartinstaller_enu.exe to run the programme. 
• Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
• Agree to the Terms of Use once more and click Start. Allow components to download.
• Place a checkmark next to Enable detection of potentially unwanted applications.
• Click Hide advanced settings. Place a checkmark next to:
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• Ensure Remove found threats is unchecked.
• Click Start.
• Wait for the scan to finish. Please be patient as this can take some time.
• Upon completion, click . If no threats were found, skip the next two bullet points. 
• Click  and save the file to your Desktop, naming it something unique such as MyEsetScan.
• Push the Back button.
• Place a checkmark next to  and click .
• Re-enable your anti-virus software.
• Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 3
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked. 

• MBAM Scan log
• ESET Online Scan log

[MaximusTX]

Here is the MBAM txt log.  I ran the ESET scan.  No threats were found.  Apparently I did something wrong because I don't know where the log was generated.

Malwarebytes.txt

[MaximusTX]

I think I found it. I also think I need to re-run it to create a new log.