Infected with Poweliks

[AEITS]

I've been running a few tools mentioned in other threads, but it keeps coming back. They all give a clean bill of health. Here's the FRST.txt and Addition.txt files fro FarBar.

Addition.txt

[AEITS]

Other file

[AEITS]

Third try for FRST.txt

FRST.txt

FRST.txt

[MrCharlie]

Welcome to the forum.

Download Malwarebytes Anti-Rootkit from HERE

Run the file and follow the onscreen instructions to extract it to a location of your choosing (your desktop by default)

Malwarebytes Anti-Rootkit will then open, follow the instruction in the wizard to update and allow the program to scan your computer for threats

Click on the Cleanup button to remove any threats and reboot if prompted to do so

Wait while the system shuts down and the cleanup process is performed

Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process

MrC

[AEITS]

Not sure if this matters, but I'm accessing the PC remotely, and have it configured to only boot to safe mode. I'm logging in as the administrator, not the affected account. That being said, the program keeps finding the same two infections, and cleaning them. They are back after a reboot. I've run it three times with the same result.

Infected: HKU\S-1-5-21-3542812387-3794330035-1786331983-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} --> [Trojan.Poweliks.B]

Infected: HKU\S-1-5-21-3542812387-3794330035-1786331983-1003_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LOCALSERVER32\^ --> [Trojan.Poweliks]

[MrCharlie]

Run this tool and report back:

http://kb.eset.com/esetkb/index?page=content&id=SOLN3587 <---Poweliks

MrC

[AEITS]

The ESET tool says:

Threat Not Found

You don't have Win/32Poweliks in your system. [Press Any Key]

For what it's worth, the ESET online scanner quit picking it up after the third time it removed it.

The program then closes. I'm running MBAR once again to see if maybe it actually got it on the third try...

No luck. MBAR still finds it.

[MrCharlie]

OK.....

Please re-scan with FRST and Make sure the Addition Box is checked.

Post or attach the 2 logs FRST(64).txt and Addition.txt

MrC

[AEITS]

I'll do ask you ask, but here is what I've experienced in the past using the tool. When I scan from the desktop of the affected user, I get a hit saying it is found. When running in safe mode as the administrator, which I am now, it does not find it.

Here are the examples from before.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-11-2014

Ran by Gary_2 (ATTENTION: The logged in user is not administrator) on GRW7 on 07-11-2014 09:25:12

Running from C:\Users\Gary_2\Desktop

Loaded Profile: Gary_2 (Available profiles: admin & Gary & Gary_2)

Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)

Internet Explorer Version 11

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

... Lots of other stuff ...

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...\Run: [ivijios] => rundll32 "C:\Users\Gary_2\AppData\Local\ivijios.dll",ivijios <===== ATTENTION

HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...\Run: [Olfoegbaba] => C:\Users\Gary_2\AppData\Roaming\Paquyru\siami.exe

HKU\S-1-5-21-3542812387-3794330035-1786331983-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!

ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File

ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File

ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-11-2014

Ran by admin (administrator) on GRW7 on 07-11-2014 11:59:27

Running from C:\Users\admin\Desktop

Loaded Profile: admin (Available profiles: admin & Gary & Gary_2)

Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)

Internet Explorer Version 11

Boot Mode: Safe Mode (with Networking)

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

... Lots of other stuff ...

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKU\S-1-5-21-3542812387-3794330035-1786331983-1000\...\Run: [spark] => C:\Program Files (x86)\Spark\Spark.exe [433664 2011-07-01] (Jive Software)

ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File

ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File

ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File

I'll post the log as soon. I have to finish up something first.

[AEITS]

Here are the logs.

FRST.txt

Addition.txt

[MrCharlie]

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

=================================

Make sure you have created that system restore point before you continue!

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

  

• Put a checkmark beside loaded modules.

  

• A reboot will be needed to apply the changes. Do it.
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
• Then click on Change parameters in TDSSKiller.
• Check all boxes then click OK.

  

• Click the Start Scan button.

  

• The scan should take no longer than 2 minutes.
• If a suspicious object is detected, the default action will be Skip, click on Continue.

  

  Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

  If in doubt about an entry....please ask or choose Skip

• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

  

  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
• Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

Then...........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

Last:

Clean out temp files:

Download TFC from here and save it to your desktop.

http://oldtimer.geekstogo.com/TFC.exe

http://www.bleepingcomputer.com/download/tfc/dl/92/

Close any open programs and Internet browsers.

Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.

Please be patient as clearing out temp files may take a while.

Once it completes you may be prompted to restart your computer, please do so.

Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

MrC

[AEITS]

TDSS found nothing. Shall I continue with the other steps?

TDSS.txt

[MrCharlie]

YES!

[MrCharlie]

I'll do ask you ask, but here is what I've experienced in the past using the tool. When I scan from the desktop of the affected user, I get a hit saying it is found. When running in safe mode as the administrator, which I am now, it does not find it.

It was in the logs from FRST and should be gone now.

=============================

Did you run the FRST fix???????

MrC

[AEITS]

I actually have all the logs, but here is the last created by ComboFix. TFC is running now.

ComboFixLog.txt

[AEITS]

I did run FRST first. The TFC program seems to have locked out my remote access, or the virus won.

[MrCharlie]

The TFC program seems to have locked out my remote access

I'm not sure what that means

 

----------------------------------

Delete these two folders:
c:\programdata\TotmOllak
c:\programdata\VajzaVzixo

You may have to enable hidden files to see it:
http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ <--Hidden files W7 Vista

Can you look at this folder: (if it's empty....delete it)
C:\20141024

How is it running now????

MrC

[AEITS]

The TFC program seems to have locked out my remote access

I'm not sure what that means

See message #5 of this thread. I'll see if I can get someone to let me into the building where the PC is, but it's 10:30PM on a Friday night, so I'll probably have to wait until tomorrow to continue.

[MrCharlie]

OK, let me know.

MrC

[AEITS]

OK, I got someone to loan me their keys. I'm at the PC, and it seems to be working correctly. The only thing odd is that there are 13 svchost.exe instances running.

[MrCharlie]

OK, run a scan with your anti-virus program.

======================================

Many svchost.exe running is most likely normal:

http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/

=======================================

If there's no other problems......

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• If you get Unsupported operating system. Aborting now, just reboot and try again.
• A Notepad document should open automatically called checkup.txt.
• Please Post the contents of that document.
• If you can't post it, attach it

MrC

[AEITS]

Checkup didn't find anything. Here's the log.

Results of screen317's Security Check version 0.99.89

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 11

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

ThreatTrack Security VIPRE Business Agent

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

MVPS Hosts File

Adobe Reader XI

Mozilla Firefox (33.0.2)

Mozilla Thunderbird (24.4.0)

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 2%

````````````````````End of Log``````````````````````

The system appears to be clean, but that's what I thought last time. On the third day, the infection returned. Not sure if it was the user, or something I missed. Should know soon enough when the worker returns Monday morning.

Thanks for all the help. I do have one issue regarding the FRST tool. In reading the manual, it says: "Only when the tool is run by a user that has administrator privileges will it work properly." In this case, it only found the infection when I logged on using the infected user's account. It completely missed it when logged on as the administrator. It does't make sense to log in to an know infected account, much less elevate an infected user to admin level. How useful is the tool when used as directed. I ran the tool as administrator on other systems on the network, and didn't get any ATTENTION warning, but I also wasn't logged on as the user either. I wonder how much it may have missed. The current AV program and ESET both missed this infection. I'm just trying to make sure it's not hiding out on the network.

[MrCharlie]

It's always worked well for me, with this infection it's a little different.

You can always run the ESET cleaner on all accounts even in safe mode to check.

---------------------------------

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

• Ensure Remove disinfection tools is checked.
• Click the Run button.
• Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[AEITS]

Got combofix and everything else uninstalled.

I don't know if I have a lot of confidence in the ESET tool. When we ran the ESET cleaner, recall that it said that there wasn't an infection. The ESET online AV scanner missed it as well in this case.

The only tool that actually found it was the malwarebytes antirootkit program. Unfortunately, it wasn't able to clean it. I guess I could run MBAR on each PC to see what is found.

Thanks for all the help. Fingers crossed that it doesn't return.

[MrCharlie]

RogueKiller will also spot it and usually will delete it...run on all users.

 

Take Care MrC