Jump to content

I believe I'm Powelik infected!

Recommended Posts

Hello, as others I'm getting the malicious website blocked from MBAM.


One of the pop ups refers to the fff5ee.com stuff mentioned numerous times here.


Before I left town on 17; I updated to the newest MBAM the night before.  I had the same issues of enabling the vicious website monitoring as others. A reinstall fixed that issue.


I have the premium version of MBAM. Scans showed normal. Also use ESET 7.x all scan normal.


Upon returning from trip lasdt night, had numerous Malicious website pop-ups about every 2 se. Looking at task mgr, had approx. 15 dllhost.exe running.


I updated all files on MBAM and ESET.  Ran full scans of both programs, including the boot sectors and root sectors.   Nothing found!.


talking to GF, she mentioned going to the skinny recipe site to copy a new recipe.  She had a pop up window from Norton AV saying infected, click here to close.


I believe that is how this bugger got on this machine.


At anyrate, I get the pop up of the fff5ee.com.  Right now I'm only getting one pop up, last night it was several.


I believe I need assistance to eradicate this guy. Thank You.




Link to post
Share on other sites

Hello and post-32477-1261866970.gif


P2P/Piracy Warning:


If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Download Farbar Recovery Scan Tool and save it to your desktop.


Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.





Link to post
Share on other sites

Thanks for the logs, continue as follows:


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.


Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.




Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.



Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.


When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.



In most cases, a restart will be required.



Wait for the prompt to restart the computer to appear, then click on Yes.



Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.




Download AdwCleaner by Xplode onto your Desktop.

Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt. Where n in the scan reference number




thisisujrt.gif Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts. (re-enable when done)
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.




Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:


64 Bit version:



Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window

In the "Scan Type" window, select Quick Scan

Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:


1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:


notepad c:\windows\debug\mrt.log


Let me see those logs in your next reply, also give an update on any remaining issues or concerns....







Link to post
Share on other sites

Hello Kevin, follows is my mrt.log file.


Looks like we are successful so far.


Thank You so much for your assistance.


My remaining concerns:


I use ESET 7.x and MBAM Premium. Keep up to date all the time. Scan consistently.


Why wasn't this blocked before the fact. I thought that is what these programs do...protect you from this stuff.


What can I do settings etc. on either program to protect me better if possible.


I AM glad the programs precluded any more damage, just concerned it happened in the first place.


Should I be concerned about my personal info being compromised?


Thank You again, for your valuable time and assistance.





Link to post
Share on other sites

Read the following link to understand how this infection works/exploits systems:




There is always the possibility that personal information may have been harvested, it is recommended that all passwords used on your system are changed at your earliest convenience when we are sure your system is clean.


We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:


Run Eset Online Scanner


**Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin.


(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download ESET SMART  Installer during the process)


Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add/on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the following options are checked:
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish


When the scan is complete


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found


If threats were found


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish


close program


Copy and paste the report in next reply.





Link to post
Share on other sites

ESET log is of no concern, only 2 entries to be aware of:




Those installers do come bundled with ASK Toolbar, if used to install the program make sure to untick the option for that nuisance toolbar. Do not use the default setting to install, select "advanced" or similar if offered and untick the unwanted extras....




Download "Delfix by Xplode" and save it to your desktop.


Or use the following if first link is down:


"Delfix link mirror"


Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator


Make Sure the following items are checked:


    Activate UAC
    Remove disinfection tools
     Create registry backup
    Purge System Restore
    Reset system settings


Now click on "Run" and wait patiently until the tool has completed.


The tool will create a log when it has completed. We don't need you to post this.


Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:




When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

Any remnant files/logs from tools we have used can be deleted…




Read the following link to fully understand PC security and best practices, you may find it useful....




Also read at the following link regarding poweliks infection:




If no remaining issues or concerns are we ok to close out.


Thank you,



Link to post
Share on other sites

Hello Kevin. I just had a window pop up that asked if I wanted to debug this page.


I closed the window. I have never seen that one before.


BTW: Why do I still get these pop ups, if I have the blockers enabled? 


Again, I thought MBAM and ESET were supposed to prevent this.    Am I missing a setting somewhere?


Thanks again for all your assistance.  Late here, gonna catch some shuteye.




Link to post
Share on other sites

Which browser are you using when you get the alert?



I just had a window pop up that asked if I wanted to debug this page.


Which popup do you refer to, do you mean the debugging one



BTW: Why do I still get these pop ups, if I have the blockers enabled?


Do you refer to the Poweliks infection with the following quote?



Again, I thought MBAM and ESET were supposed to prevent this.    Am I missing a setting somewhere?


Please read the information I gave previously for Poweliks infection, that will give a generalized explanation regarding why this new exploit is not yet identified and stopped at root cause. I give a brief quot from that link:



A new 'fileless' malware that lives and works entirely out of your computer system's registry has been detected by security experts.

The latest infection is termed Poweliks malware by G Data Software, whose security researchers are credited with having detected the stealthy software.

According to G Data engineers, Poweliks malware cannot be easily detected by traditional methods, as it does not create/install files within the hard-drive of the host Windows systems.

Upon infecting the host system, Poweliks exploits a vulnerability in Microsoft Word, with the assistance of another specially designed malicious Word file that transmits via email.

Poweliks is designed to create a new registry key at every system boot-up, using a non-ASCII charecter to create the name.

This registry key runs the genuine Windows rundll32.exe application, which is used to launch functionality stored within shared .dll files.

Generally, rundll.exe is not recognised as a threat by Windows, and is considered a valid executable file.


Malwarebytes does block outbound calls to hidden servers used by the writers of this nasty infection, this alert also makes you aware that your system has an issue that needs attention.

I`m sure security firms who provide system security applications such as "ESET" will catch up and prevent such exploits, Microsoft also need to issue an update to patch the "Word" exploit being used.

Unfortunately malware writers will always be one step ahead, when a new infection is stopped a new one will be released to continue the never ending circle.....



Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.