Poweliks still infecting after rootkit removal


Tomdee

Sorry for the awfully long delay.

GMER
Note: Make sure that all your programs are closed and do not touch your computer while the GMER scan is running.

  • Download gmer.zip and extract it
  • Right-click on gmer.exe from the extracted .zip and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • On execution, a quick scan will be launched automatically. Give it time to complete.
  • If you receive a warning about rootkit activity being detected on your system, click on the No button to decline the full system scan
  • Once done, uncheck these two checkboxes, and leave the rest checked:
    • IAT/EAT
    • Show all
  • Once done, click on the Scan button
  • If you see a window about rootkit activity (again), click on the Ok button
  • After the scan, click on the Save... button to save the GMER log. Save it on your desktop, and name it gmer.txt
  • Now, attach or copy/paste the content of gmer.txt in your next reply


Can you .zip the following file, and attach it here? Also, make sure that MBAR still detects the threat (and do not delete it!) before you do.

C:\Users\ccsadmin\NTUSER.DAT

This file is a hidden system file, so you might need to configure Windows Explorer to display hidden files.

https://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/


Looks like the NTUSER.DAT file doesn't have the Classes key. Press the Windows + R keys to open the Run box, enter regedit and press Enter. From there, in the left pane, navigate to:

HKU\S-1-5-21-3514624900-2102147923-1103798338-1113_Classes

Click on that key (folder), then click on the File menu and Export.... Change the file type to Registry Hive File and save it on your desktop. Once done, .zip that file and attach it here.


Yes I understood what you were saying. I did a full search and also a manual one and that key does not exist under that user's profile. I wonder if I should check the other users? I'll do it tonight after the client closes and post my findings.

I am a network admin, so I am familiar with the terminology. Normally I very rarely need this kind of assistance, as I would have just blown the machine out and reloaded it, but this client has a lot going on, so if I can clean it, I would prefer that to a full wipe!

What a mystery we have here!

Thanks again and Merry Christmas to all!

Tom


I decided to run another scan with MWB and came up with this file 12222017. I also found a previous scan from 12152017 for comparison. I don't understand why this isn't being found in the registry, I wonder if they came up with a way to cloak it??

Are they Klingons maybe??  :-)

MWB Scan 12222017.jpg

MWB Scan 12152017.jpg


  • Staff

This file looks very suspect.

Can you upload to virustotal and provide me the link?

C:\Users\RichS.CCS\Desktop\image2017-11-27-103928.pdf

 

Attached is a fixlist. This should fix the calc and sticknotes issues.

This may also address the mbar detection.

 

Please post the fixlog.txt when done.

fixlist.txt


  • Staff

OK, according to the FRST log, it had a very close time to the other malware entries.

Are you using a domain admin account? Maybe a local admin acct?

HKU\S-1-5-21-3546775450-2812337103-3271051696-1110-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12222017231920093\...\Run: [Wgnpxhjqxpfhuc] => C:\Users\RICHSI~1.CCS\AppData\Roaming\HG3ey7W\calc.exe [918528 2009-07-13] (Microsoft Corporation) => Error: No automatic fix found for this entry.
HKU\S-1-5-21-3546775450-2812337103-3271051696-1110-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12222017231920093\...\Run: [RESTART_STICKY_NOTES] => C:\Users\RICHSI~1.CCS\AppData\Roaming\ojuIrR\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation) => Error: No automatic fix found for this entry.
HKU\S-1-5-21-3546775450-2812337103-3271051696-1110-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12222017232103389\...\Run: [Wgnpxhjqxpfhuc] => C:\Users\RICHSI~1.CCS\AppData\Roaming\HG3ey7W\calc.exe [918528 2009-07-13] (Microsoft Corporation) => Error: No automatic fix found for this entry.
HKU\S-1-5-21-3546775450-2812337103-3271051696-1110-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12222017232103389\...\Run: [RESTART_STICKY_NOTES] => C:\Users\RICHSI~1.CCS\AppData\Roaming\ojuIrR\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation) => Error: No automatic fix found for this entry.

Those also weren't removed, for some reason. Those are the reason calculator and sticky notes are starting up.

You may want to backup the registry first and then try one of these steps to remove the keys offline.

https://www.raymond.cc/blog/how-to-edit-windows-registry-key-values-without-booting-in-windows/

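As an added, defender-side example that is not part of this thread and is not code from Malwarebytes, FRST or any other tool mentioned here: a PowerShell script that lists every value under each user hive's Run key currently loaded in HKEY_USERS, flags the traits visible in the FRST lines above (an executable under AppData\Roaming, an 8.3 short path such as RICHSI~1, a Windows binary name like calc.exe or StikyNot.exe living outside %WINDIR%), and writes a reg.exe backup of each flagged key before anyone edits it. It assumes an elevated prompt; the $OfflineHive path, the temporary hive name OfflineUserHive, and the function names are placeholders of my own. The copies of calc.exe in the log carry a valid Microsoft signature, so the script deliberately does not treat a valid signature as a clean bill of health.

```powershell
# Added example (not from the thread): audit per-user Run keys for autostart
# entries like the ones FRST reported. Reports and backs up only; deletes nothing.
# Assumptions: elevated PowerShell; $OfflineHive, if given, is an NTUSER.DAT
# that is NOT currently in use (e.g. another user's profile, or a drive mounted
# from a recovery environment). Path below is a placeholder.
param(
    [string]$OfflineHive = "",                                  # e.g. 'D:\Users\someuser\NTUSER.DAT' (placeholder)
    [string]$BackupDir   = "$env:USERPROFILE\Desktop\run-key-backup"
)

$RunSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$TempHive  = 'HKU\OfflineUserHive'   # name we choose for the mounted offline hive
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

# Windows system binaries the thread saw launched from AppData. Any copy of
# these outside %WINDIR% deserves a second look even if it is validly signed.
$SystemBinaries = @('calc.exe', 'stikynot.exe')

function Test-SuspiciousAutorun {
    param([string]$Command)
    # Strip surrounding quotes and trailing arguments, expand %VARS%.
    $exe = [Environment]::ExpandEnvironmentVariables($Command.Trim('"'))
    if ($exe -match '^(.+?\.exe)') { $exe = $Matches[1] }
    $reasons = @()
    if ($exe -match '\\AppData\\Roaming\\') { $reasons += 'runs from AppData\Roaming' }
    if ($exe -match '~\d\\')                 { $reasons += 'uses 8.3 short path' }
    $leaf = [IO.Path]::GetFileName($exe).ToLower()
    if ($SystemBinaries -contains $leaf -and $exe -notlike "$env:WINDIR\*") {
        $reasons += "system binary name '$leaf' outside %WINDIR%"
    }
    if (Test-Path -LiteralPath $exe) {
        # A valid signature is recorded, not trusted: calc.exe in the log was signed.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    } else {
        $reasons += 'target file missing'
    }
    return ,$reasons
}

function Get-RunEntries {
    param([string]$HiveName)   # subkey name directly under HKEY_USERS
    $key = "Registry::HKEY_USERS\$HiveName\$RunSubKey"
    if (-not (Test-Path -LiteralPath $key)) { return }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own bookkeeping properties.
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $reasons = Test-SuspiciousAutorun -Command ([string]$p.Value)
        [pscustomobject]@{
            Hive    = $HiveName
            Name    = $p.Name
            Command = $p.Value
            Flags   = ($reasons -join '; ')
        }
    }
}

# Export a Run key with reg.exe so there is something to restore from.
function Backup-RunKey {
    param([string]$HiveName)
    $safe = ($HiveName -replace '[^A-Za-z0-9_-]', '_')
    $out  = Join-Path $BackupDir "Run_$safe.reg"
    & reg.exe export "HKU\$HiveName\$RunSubKey" $out /y | Out-Null
    return $out
}

# 1. Hives already loaded: logged-on users, .DEFAULT, service SIDs (skip *_Classes).
$hives = @(Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
           Where-Object { $_.PSChildName -notlike '*_Classes' } |
           ForEach-Object { $_.PSChildName })

# 2. Optionally mount an offline NTUSER.DAT under our temporary name.
$mounted = $false
if ($OfflineHive -and (Test-Path -LiteralPath $OfflineHive)) {
    & reg.exe load $TempHive $OfflineHive | Out-Null
    if ($LASTEXITCODE -eq 0) { $mounted = $true; $hives += 'OfflineUserHive' }
}

try {
    $results = @(foreach ($h in $hives) { Get-RunEntries -HiveName $h })
    $results | Format-Table -AutoSize Hive, Name, Flags, Command
    $results | Where-Object { $_.Flags } | Select-Object -ExpandProperty Hive -Unique |
        ForEach-Object { "backup written: " + (Backup-RunKey -HiveName $_) }
} finally {
    # Release provider handles before unloading, or reg.exe unload reports the hive busy.
    if ($mounted) { [gc]::Collect(); & reg.exe unload $TempHive | Out-Null }
}
```

Run it as `.\Audit-RunKeys.ps1` for the loaded hives, or `.\Audit-RunKeys.ps1 -OfflineHive 'D:\Users\someuser\NTUSER.DAT'` to include a profile that is not logged on (the hive must not be in use, which is why the thread suggests working offline). The script only reports and exports; removing a flagged value is still a manual decision made against the backup it wrote.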

Yes I am using the domain admin account to make the changes as the users are locked down. That's why I don't understand how this infected the registry but the local user does have full control of their domain logon registry...

I'll give the fix above a shot next time I'm onsite, which should be Tuesday. Should I use a boot disk, or what do you recommend? I'm at the point where I'm almost ready to blow this out and do a fresh OS install.

Thanks again!!


OK, I booted from the Hiren's disk and searched the registry for all the keys noted in your post, and nothing was found. I also just tried searching for HKU\S-1-5-3514624900 and even just S-1-5-351. Nothing found at all???

Is it possible the MBAR app is not working correctly? It continuously finds the Poweliks trojan, but the key is not found when doing a search of the registry?

I am ready to give up and wipe this drive just to be sure, but if you have any other ideas, let me know...

Thanks for your help and I hope everyone has a great New Year!

Tom


  • Staff

The only thing I can think of is that there are permissions issues on this box interfering with our scan, especially with not being able to fix the other key in the fixlist with FRST.

Afraid wiping it may be the best option. I usually don't give up, but since you can't find the keys offline either, something permissions-wise has to be up.

