SysWOW64/Powelik Malware


fizzics

Hello.  I'm getting alerts from MBAM full version that it's blocking attempts by C:/Windows/SysWOW64/dllhost.exe to access IP addresses.

I've run complete scans with MBAM, McAfee AV, Spy Hunter and removed the threats they've found.  However, the alerts from MBAM continue.

FRST file is attached.  Thank you in advance for your assistance!

FRST.txt

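The first post reports MBAM blocking outbound connections from C:\Windows\SysWOW64\dllhost.exe. dllhost.exe is the Windows COM surrogate, so an alert on it says little by itself; what a responder wants to know is which instances look normal and which do not. The following is an added example, not code from this thread or from Malwarebytes: a PowerShell triage script that lists every running dllhost.exe with its command line, parent process and established TCP connections, and flags instances that lack the /Processid:{CLSID} argument a COM surrogate normally carries, were not started by svchost.exe, run from somewhere other than System32 or SysWOW64, or hold live connections. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that command lines of other users' processes are readable; the "normal" criteria are assumptions about baseline behaviour to guide a manual look, not detection signatures.

```powershell
# Added example (not from the thread): triage running dllhost.exe instances.
# Assumes Windows 8 / Server 2012 or newer (Get-NetTCPConnection) and an
# elevated prompt so Win32_Process returns command lines for every user.

function Get-DllhostTriage {
    [CmdletBinding()]
    param()

    # Every live process, indexed by PID, so parents can be resolved by name.
    $byPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byPid[$_.ProcessId] = $_ }

    $procs = Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'"

    # Established TCP connections grouped by owning PID (string keys).
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess -AsHashTable -AsString

    foreach ($p in $procs) {
        $parent = $byPid[$p.ParentProcessId]

        $remote = @()
        if ($conns -and $conns.ContainsKey([string]$p.ProcessId)) {
            $remote = @($conns[[string]$p.ProcessId] |
                ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
                Sort-Object -Unique)
        }

        # Baseline assumptions (hypothetical heuristics, not signatures):
        # a COM surrogate is started as "dllhost.exe /Processid:{CLSID}" by
        # svchost.exe, lives under System32 or SysWOW64, and rarely holds
        # outbound connections of its own.
        $hasClsid = $p.CommandLine -match '/Processid:\{[0-9A-Fa-f-]{36}\}'
        $flags = @()
        if (-not $hasClsid) { $flags += 'no /Processid:{CLSID} argument' }
        if ($parent -and $parent.Name -ne 'svchost.exe') { $flags += "parent is $($parent.Name)" }
        if ($p.ExecutablePath -and
            $p.ExecutablePath -notmatch '^C:\\Windows\\(System32|SysWOW64)\\dllhost\.exe$') {
            $flags += "unexpected path $($p.ExecutablePath)"
        }
        if ($remote.Count -gt 0) { $flags += "$($remote.Count) established connection(s)" }

        [PSCustomObject]@{
            PID         = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Parent      = $(if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                            else { "<exited> ($($p.ParentProcessId))" })
            Remote      = ($remote -join ', ')
            Suspicious  = ($flags -join '; ')
        }
    }
}

# Usage: run from an elevated PowerShell prompt on the affected machine.
Get-DllhostTriage | Format-Table -AutoSize -Wrap
```

Instances with an empty Suspicious column are ordinary surrogates; anything flagged is worth pairing with the IP addresses from the MBAM alert and the FRST log before deciding whether the process is hosting something it should not. The connection grouping is keyed by PID at the moment of the scan, so short-lived instances can be missed; run it while the alerts are actively firing.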

Hello Fizzics,

This PC is showing a Poweliks infection.  It can be removed, and it may take a few passes, so please have patience.

**Next, exit Malwarebytes Anti-Malware ( MBAM ) if it is running real-time protection. You can do so via the notification area icon (blue-color) on the Windows Taskbar. Right click on the ![MBAM icon](http://goo.gl/7V2NBS) , and select Exit.**
![MBAM icon](https://s3.amazonaws.com/uploads.hipchat.com/109452/1036742/ySaDRIONYdpi02M/mbam%20context%20menu.png)


Please download Malwarebytes Anti-Rootkit (MBAR) and save it to your desktop, from here: http://downloads.malwarebytes.org/file/mbar/


• Double-click on the **MBAR-1.08.0.1001.exe** file you downloaded and approve the UAC prompt in Windows 7, Vista or Windows 8, 8.1 and newer Windows systems.
• Click **OK** on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click '**Next**' if you agree.
• On the Update Database screen, click on the '**Update**' button.  <<<---  **that is important**!
• Once you see 'Success: Database was successfully updated' click on 'Next'.
• Click the '**Scan**' button.

With some infections, you may see two message boxes.
  1. 'Could not load protection driver'. Click 'OK'.
  2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

When the Scan has completed, click the '**CleanUp**' button and allow the reboot if prompted.

Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain.



Then, please send the following logs as attachments to your reply. These logs are located in the mbar folder on your desktop where the tool extracted itself to.

mbar-log-2014-11-16 (xx-xx-xx).txt (where 2014-11-16 and xx-xx-xx are the date and time of the scan)
+ also
system-log.txt

I need to have both of those files attached in your next reply.  Thanks.  
There will be more to do later.


How is the system now?

The malicious sites IP block messages should now be a thing of the past.

Do you remember, before this infection first showed up, what website you were on, or whether you happened to open some document sent to you by email?

I notice this system has these Java runtimes:

Java 7 Update 71

Java 6 Update 27

Java 6 is way out of date. The current release is Java 8 Update 25.

The Poweliks infection is an example of a misuse of Java scripting. You should really consider removing and turning off all of your Java, unless you have an installed application from a 3rd party that must have Java to function.

Java vulnerabilities are a never-ending occurrence. Bottom line is, if your system does not have an installed 3rd-party application that needs it, then uninstall it.

If you do have that dependency, then turn off Java in your browsers.

If somehow you have an often-used website that needs Java to display all information, then just use a specific browser and only allow Java in that one.

A: If you decide to keep Java:

The Java runtime components are typically located at

C:\Program Files (x86)\Java\jre7\bin

Locate "javacpl.exe" the Java control panel.

Right click and select Open

Click on the Update tab

Put a checkmark at "Check for updates automatically"

On the General tab, under Temporary Internet Files, click the Settings button.

Next, click on the Delete Files button

Checkmark (select) all boxes you can & Click OK on Delete Temporary Files Window.

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

Click OK to leave the Temporary Files Window

Click on the Advanced tab

Expand Miscellaneous:

Un-check "place Java icon in system tray"

Un-check "Java quick starter"

Exit/close

You need to remove older versions of Java runtime. Do this:

Download & save to your Desktop or a new folder: http://sourceforge.net/projects/javara/files/javara/JavaRa/JavaRa.zip/download

Extract the contents of the zip file. Then double click Javara.exe to run it.

JavaRa is a simple tool that does a simple job: it removes old and redundant versions of the Java Runtime Environment (JRE).

B: If you want to disable Java in your browser:

How to disable Java in various browsers : http://blog.eset.com/2012/08/29/disabling-java-a-safer-way-to-browse

Also see No, Seriously, Just Disable Java in Your Browser Right Now

http://www.slate.com/blogs/future_tense/2013/01/14/java_zero_day_exploit_don_t_patch_just_disable_java_in_your_browser.html

As noted by Brian Krebs,

"Most consumers can get by without Java installed, or least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I’d urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin."

Also see How to protect your computer against dangerous Java Applets

http://blogs.technet.com/b/mmpc/archive/2013/04/16/how-to-protect-your-computer-against-dangerous-java-applets.aspx

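The Java advice above comes down to three checks: which runtimes are installed, which of them are behind the current release, and whether Java is still plugged into the browser. Those checks can be scripted instead of clicked through in the Java control panel. The following is an added example, not code from this thread, from Malwarebytes or from Oracle: a PowerShell script that reads the Java entries from the Uninstall registry keys (both the native and the WOW6432Node view, so 32-bit JREs on a 64-bit Windows are seen), marks anything older than the Java 8 Update 25 release the helper names as current, and reports whether browser Java is switched off for the current user. The registry roots and the "Java N Update M" display-name pattern are assumptions about a standard Oracle JRE install; the per-user deployment.properties path and the deployment.webjava.enabled setting are what the Java control panel's "Enable Java content in the browser" option (Java 7 Update 10 and later) writes.

```powershell
# Added example (not from the thread): inventory installed Java runtimes and
# check whether browser Java is disabled for the current user.

# Reference release named in the thread as current; adjust when re-using.
$CurrentJava = @{ Major = 8; Update = 25 }

function Test-JavaOutdated {
    param([int]$Major, [int]$Update)
    ($Major -lt $CurrentJava.Major) -or
    ($Major -eq $CurrentJava.Major -and $Update -lt $CurrentJava.Update)
}

function Get-InstalledJava {
    # Both views of the Uninstall hive: 64-bit installs and 32-bit (WOW6432Node).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $item = Get-ItemProperty -Path $key.PSPath
            # Oracle names the entries like "Java 7 Update 71" or "Java(TM) 6 Update 27"
            # (assumed pattern; entries such as "Java Auto Updater" are skipped).
            if ($item.DisplayName -match '^Java(\(TM\))?\s+(\d+)\s+Update\s+(\d+)') {
                $major  = [int]$Matches[2]
                $update = [int]$Matches[3]
                [PSCustomObject]@{
                    DisplayName     = $item.DisplayName
                    Version         = $item.DisplayVersion
                    InstallLocation = $item.InstallLocation
                    Outdated        = Test-JavaOutdated -Major $major -Update $update
                    UninstallString = $item.UninstallString
                }
            }
        }
    }
}

function Get-BrowserJavaState {
    # Per-user Java deployment settings. deployment.webjava.enabled=false is what
    # the control panel writes when "Enable Java content in the browser" is unchecked.
    $props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    if (-not (Test-Path $props)) {
        return 'no per-user deployment.properties found (Java never configured for this user?)'
    }
    $line = Select-String -Path $props -Pattern '^deployment\.webjava\.enabled=' |
        Select-Object -First 1
    if (-not $line) { return 'deployment.webjava.enabled not set (browser Java enabled by default)' }
    return $line.Line
}

# Usage: run as the user whose browser settings you want to check.
Get-InstalledJava | Format-Table DisplayName, Version, Outdated, InstallLocation -AutoSize
"Browser Java for $env:USERNAME : $(Get-BrowserJavaState)"
```

The UninstallString column is included because a runtime that no longer uninstalls cleanly from the Programs list (the situation described later in this thread) can sometimes still be removed by running that string directly; a folder that was deleted by hand will show up here as an entry whose InstallLocation no longer exists.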

The Malwarebytes systray warnings are continuing to show.

This is my wife's machine, not mine. I'm not sure which all web sites she visited before the infection or whether she opened an attachment.  She's out of town today but I will ask her when she returns.

I hear you on the Java vulnerabilities.  I know my wife uses some 3rd party applications that require Java, so I configured Java per your instructions to automatically update, unchecked place Java icon in the systray, etc.

I attempted to remove the Java 6 Update 27, both through the Uninstall Programs module and using the JavaRa tool you linked to.  Neither worked, so I simply deleted the C:\Program Files (x86)\Java\jre6 folder.

So... what should I do now?  Thanks.


These steps are for member fizzics only. If you are a casual viewer, do NOT try this on your system!

If you are not and have a similar problem, do NOT post here; start your own topic

Please do this next:

Download ComboFix from here and save it to your desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

You can get help on disabling your protection programs here:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html

Double click on ComboFix.exe & follow the prompts.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you, **C:\ComboFix.txt**. Attach that log in your next reply.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Alright, that got rid of 4 rogue DLLs.  How is the system now?

Next, do this:

Please download and SAVE RogueKiller 64 bit to your desktop from this next link
http://www.adlice.com/softs/roguekiller/RogueKillerX64.exe

Quit all running programs.

Do a right-click on the roguekiller64.exe, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Please attach the report which should be located on your desktop: RKreport[1].txt

NEXT do as much as you can of each of these cleanup procedures:

Download and Save to the Desktop "Flash Cookie Killer" from http://fstaal01.home.xs4all.nl/downloads/flushflash.exe
Double click FlushFlash.exe to start
Check "Everything but Adobe Site Settings"
click "Make it so!" button
Close Flushflash

Now go to the Adobe Flash Player Settings Manager at http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
The Settings Manager that you see now in your browser is not an image; it is the actual Settings Manager.
In the "Website Storage Settings" choose the "Delete All Sites" tab then "Confirm"

Next in the "Global Storage Settings"  ( 2nd tab icon in the bar shown )
uncheck "Allow third-party Flash content to store on your computer"

Finally in the "Global Privacy Settings" ( 1st tab icon in the bar shown )
choose "Always Deny" then "Confirm".

When completed, close the webpage.


I ran MBAR from the guest account as you'd instructed.  The log is attached.  I then ran MBAR again, and it found no items with the subsequent scan.

Recall that this is not the behavior I saw when running the tool from the main account... even after cleaning the found items before, it continued finding items.  This seems like a good thing!

mbar-log-2014-11-22 (14-12-05).txt


Hello,

You had sent me a Rkill log, which is not what I had suggested.  I had suggested running RogueKiller and afterwards sending me the report from that, named RKreport[1].txt.

The MBAR run did find a Poweliks and should have removed it after a system reboot.

From what I noticed, it appears that the infection was in the account for **guest**.

That is the one that should be run under.

Log out of all user accounts, log in with guest, and do a new run with the MBAR tool.

And also, tell me, how is the system now?


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
