Anyone have a quick fix to remove poweliks?
This discussion thread was locked by steve2470 (a host of the Computer Help and Support group).
I was interneting on an old computer and now have the Poweliks trojan. I believe I'm using Windows 7 and I'm using ESET NOD32 Antivirus.
What I'm finding on the internet doesn't seem quick or easy.
MannyGoldstein (34,589 posts)
Amazing and free.
Baitball Blogger (48,042 posts)
Oh, if my computer says that my security system doesn't allow a download, does that sound like something I would fix through Windows Defender? Or my antivirus program?
hobbit709 (41,694 posts)
Download it to a flash drive on a different computer and then install from the flash drive.
You might have to boot up in Safe Mode With Networking.
Earth Bound Misfit (3,556 posts)
MBAM is a terrific program (I install it on every one of my machines & recommend it highly) but it alone cannot completely remove this malware. Poweliks is malware with rootkit-like features: it resides in the registry (loads in memory), is persistent, and is not present as a file which can be scanned & removed easily. The payload (malware file) is stored in an encrypted registry value and is loaded at boot time by a RUN key calling the rundll32 process with an encrypted JavaScript payload. It has been seen to reside in (at least) these 2 keys:
HKCU\software\microsoft\windows\currentversion\run\(default)
HKEY_LOCAL_MACHINE\Software\classes\clsid\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32
Once the payload is loaded, it tries to execute an embedded PowerShell script in "interactive" (silent) mode. That PowerShell script contains another encoded payload which will be injected into a (legitimate) dllhost process (the persistent item), which acts as a trojan downloader for other malware & is also responsible for protecting the registry value by recreating it when removed.
RogueKiller (by French malware analyst Tigzy) claims to be able to remove Poweliks as does ESET Poweliks Cleaner & Malwarebytes Anti Rootkit Beta, links below.
http://www.adlice.com/poweliks-removal-with-roguekiller/
http://kb.eset.com/esetkb/index?page=content&id=SOLN3587
https://blog.malwarebytes.org/security-threat/2014/11/no-more-poweliks/
Me? I'd restore from backup if available or re-install the OS, YMMV.
Some interesting analyses:
https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377
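As an added example (not code from the thread or from any of the tools linked above), a small Python check that scans an exported .reg file for the two persistence locations described in the post: a Run key whose (default) value launches rundll32 with a javascript: payload, and a LocalServer32 entry under the CLSID quoted above. The sample export is constructed, and the payload text is a placeholder rather than a real encoded blob.

```python
from typing import Dict, List, Tuple

# Constructed sample of a Windows .reg export (not a real capture).  Only
# the key paths and the rundll32 + javascript: loader shape from the post
# are modelled; the payload text is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="rundll32.exe javascript:<ENCODED-PAYLOAD-PLACEHOLDER>"
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]
@="rundll32.exe javascript:<ENCODED-PAYLOAD-PLACEHOLDER>"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\LocalServer32]
@="C:\\Program Files\\Vendor\\Legit.exe"
'''

POWELIKS_CLSID = "{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}"  # CLSID named in the post


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_path, value_name, data) triples from a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):   # REG_SZ: undo .reg escaping
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            entries.append((key, name, data))
    return entries


def find_poweliks_indicators(text: str) -> List[Dict[str, str]]:
    """Flag entries matching the persistence pattern described in the post."""
    hits = []
    for key, name, data in parse_reg(text):
        low_key, low_data = key.lower(), data.lower()
        in_run = low_key.endswith(r"\currentversion\run")
        in_localserver = low_key.endswith(r"\localserver32")
        loader = "rundll32" in low_data and "javascript:" in low_data
        reasons = []
        if (in_run or in_localserver) and loader:
            reasons.append("rundll32 launching a javascript: payload")
        if in_localserver and POWELIKS_CLSID.lower() in low_key:
            reasons.append("LocalServer32 under the CLSID reported for Poweliks")
        if reasons:
            hits.append({"key": key, "value": name, "reason": "; ".join(reasons)})
    return hits
```

On a live box the same checks can be run against a `reg export` of HKCU and HKLM\Software\Classes taken from a clean boot environment, since the post notes the dllhost component recreates the value while it is running.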
Baitball Blogger (48,042 posts)
Nothing seemed to work and since I'm dealing with an old and amputated laptop (the only input option is a thumbdrive), I thought it was best to light a candle and give it a decent burial. The virus is preventing me from downloading any programs so I'm dead in the water. But, I'm okay with that because I knew I was on borrowed time with the little relic.
Just as a precaution, should I change passwords? Exactly how effective is it in collecting private info?
Earth Bound Misfit (3,556 posts)
I can't give you a definitive answer re: collecting private info, but I do know that this malware is capable of downloading a smorgasbord of stuff for various nefarious purposes... including collecting private info, passwords, documents... etc.
"Nothing seemed to work"
May I ask what you've tried and also what are the symptoms beside being unable to dl programs?
Baitball Blogger (48,042 posts)
I ran the ESET anti-virus, which I was surprised claimed that the last clean-up was a week ago. I was surprised because I kept getting pop-ups from my anti-virus software claiming that it had quarantined/deleted a trojan, and these pop-ups were increasing, with the names changing.
I also ran CCleaner and deleted everything that it found out of place. I did this with the registry clean-up, which resulted in a permanent pop-up at start-up that claimed I had deleted a program (which definitely sounded Trojan). After that, each time I started the laptop the ESET pop-ups increased, claiming that it was deleting Trojans.
Because I could not download a different anti-virus program (since the virus had locked me out), I decided not to stick around to find out if the Trojan was the one sending fraudulent ESET alerts.
Sunlei (22,651 posts)
Norton security free trial
http://us.norton.com/downloads
security search 'poweliks trojan'
http://us.norton.com/search?site=nrtn_en_US&client=norton&q=poweliks+trojan
Trojan.Poweliks Removal Tool
http://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-0511-99
I noticed the Norton site had a removal tool for the Trojan. Not sure if the tool will work without Norton antivirus installed; there is a free trial. Good luck, it will not be too hard to remove it.
Baitball Blogger (48,042 posts)

Earth Bound Misfit (3,556 posts)
Last edited Wed Dec 10, 2014, 01:17 PM - Edit history (2)
FWIW, I was able to (relatively) easily remove Poweliks from a test Win 7 Pro x64 Virtual Machine using a combination of Farbar's Recovery Scan tool, RogueKiller, Eset Services Repair tool & a few others like MBAM. Sorry I didn't reply sooner but I haven't had much time to "play" with malware samples lately until last weekend.
Relevant links:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377
http://kb.eset.com/esetkb/index?page=content&id=SOLN3587
http://www.adlice.com/poweliks-removal-with-roguekiller/
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
http://www.bleepingcomputer.com/download/roguekiller/
http://www.bleepingcomputer.com/download/rkill/
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe <<<Direct DL link ESET Svcs Repair
(The trojan wrecks several Windows "defense" services: Security Center, Defender, Windoze Update, Firewall, etc.)
If the above tools still don't remove every trace, then it's time to drop "The Hammer" -- ComboFix
http://www.bleepingcomputer.com/download/combofix/
BC's standard ComboFix disclaimer, Caveat Emptor & all that:
Please note that running this program without supervision can cause your computer to not operate correctly. Therefore only run this program at the request of an experienced helper.
ETA: All the tools/scanners linked above are 100% FREE... if any site demands $$$ for any of these, you're being scammed.
Baitball Blogger (48,042 posts)
But, even fixes become obsolete after a few months.
So, to the bookmarks this will go.
Earth Bound Misfit (3,556 posts)
Unfortunately the white hats are always playing catch-up, with the black hats finding newer vulnerabilities and more devious methods of intrusion & self-defense. The first two places I go to for info/analysis/treatment/cure when a new variant/method emerges:
http://www.kernelmode.info/forum/index.php?sid=1577b7ef7dc61c689e2a7497d60d7897
http://malware.dontneedcoffee.com/
Either or both links may trigger false-positive alarms from AV (some zipped malware samples & references to known threats)... I have to turn off my Avast when visiting Malware don't need Coffee.
steve2470 (37,468 posts)

Baitball Blogger (48,042 posts)
(48,042 posts)Response to Earth Bound Misfit (Reply #10)
Name removed Message auto-removed
glenmarth (6 posts)
I believe I may have got this after clicking an ad or a post on Facebook which appeared to be fake. It made my computer super slow. I followed the steps @ powershell has stopped working and fixed it. Hope it will help you guys as well.
AirSurf (2 posts)
In case your antivirus is not removing it, try using AdwCleaner or Malwarebytes. Both are great and free.
I use Malwarebytes; it helped me recently with roll around ads - http://pcspywareshield.com/guides/roll-around/ (it is not actually a virus and my AVG antivirus does not flag it).
Maxbala (3 posts)
ESET NOD32 may not be a good antivirus program.
Reinstalling the system can fix the issue completely, but you'd better back up the important files beforehand.
DivenParker (9 posts)
I have got it.
mahatmakanejeeves (60,945 posts)
AUTOMATED MESSAGE: Results of your Jury Service
Mail Message
On Fri Feb 26, 2016, 06:32 AM an alert was sent on the following post:
useful
http://www.democraticunderground.com/?com=view_post&forum=1095&pid=16786
REASON FOR ALERT
This post is disruptive, hurtful, rude, insensitive, over-the-top, or otherwise inappropriate.
ALERTER'S COMMENTS
Looks like a troll--also posted in Cooking & Baking
You served on a randomly-selected Jury of DU members which reviewed this post. The review was completed at Fri Feb 26, 2016, 06:39 AM, and the Jury voted 2-5 to LEAVE IT.
Juror #1 voted to HIDE IT
Explanation: I can't do much in the way of research while I'm on the jury, but the complainant thinks this brand new DUer is a troll. My guess is that he will be a spammer. He is posting on a long dormant thread. I've seen posts like this before and alerted on them. Just to kick this up to a higher level, I'm agreeing with the complainant. - mahatmakanejeeves
Juror #2 voted to LEAVE IT ALONE
Explanation: No explanation given
Juror #3 voted to HIDE IT
Explanation: Hint: don't troll when you're a newbie.
Juror #4 voted to LEAVE IT ALONE
Explanation: ???? Troll or not, I see nothing disruptive. ????
Juror #5 voted to LEAVE IT ALONE
Explanation: I have no idea why this post was flagged
Juror #6 voted to LEAVE IT ALONE
Explanation: No explanation given
Juror #7 voted to LEAVE IT ALONE
Explanation: No explanation given
Thank you very much for participating in our Jury system, and we hope you will be able to participate again in the future.
Baitball Blogger (48,042 posts)
Welcome to DU.