Welcome to DU! The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards. Join the community: Create a free account Support DU (and get rid of ads!): Become a Star Member Latest Breaking News Editorials & Other Articles General Discussion The DU Lounge All Forums Issue Forums Culture Forums Alliance Forums Region Forums Support Forums Help & Search

Baitball Blogger

(47,766 posts)
Fri Nov 14, 2014, 08:49 PM Nov 2014

Anyone have a quick fix to remove poweliks?

This discussion thread was locked by steve2470 (a host of the Computer Help and Support group).

I was interneting on an old computer and now have the poweliks trojan. Believe I'm using windows 7 and I'm using ESET NOD32 ANtivirus.

What I'm finding on the internet doesn't seem quick or easy.

24 replies = new reply since forum marked as read
Highlight: NoneDon't highlight anything 5 newestHighlight 5 most recent replies
Anyone have a quick fix to remove poweliks? (Original Post) Baitball Blogger Nov 2014 OP
Did you try Malwarebytes? MannyGoldstein Nov 2014 #1
I'll give it a shot. Thanks! Baitball Blogger Nov 2014 #2
the virus may be blocking it. hobbit709 Nov 2014 #3
No quick fix, sorry. Earth Bound Misfit Nov 2014 #4
This is what I was experiencing. Baitball Blogger Nov 2014 #5
I would. Earth Bound Misfit Nov 2014 #6
I did the usual things. Baitball Blogger Nov 2014 #7
Trojan.Poweliks Removal Tool Sunlei Nov 2014 #8
Thanks. I might try it on my good laptop just to make sure. Baitball Blogger Nov 2014 #9
***UPDATE*** Earth Bound Misfit Dec 2014 #10
I wish threads like this would be pinned. Baitball Blogger Dec 2014 #11
Yup. Earth Bound Misfit Dec 2014 #12
I will pin this for a while, good idea nt steve2470 Dec 2014 #13
thanks! Baitball Blogger Dec 2014 #14
Message auto-removed Name removed Aug 2015 #18
poweliks - powershell has stopped working glenmarth Jan 2015 #15
Message auto-removed Name removed Feb 2015 #16
remove poweliks? AirSurf May 2015 #17
Eset Node32 is not good Maxbala Sep 2015 #19
Message auto-removed Name removed Dec 2015 #20
useful DivenParker Feb 2016 #21
AUTOMATED MESSAGE: Results of your Jury Service mahatmakanejeeves Feb 2016 #22
Message auto-removed Name removed Feb 2019 #23
Thank you. Bookmarked in case I need it later. Baitball Blogger Feb 2019 #24
 

MannyGoldstein

(34,589 posts)
1. Did you try Malwarebytes?
Sat Nov 15, 2014, 12:15 AM
Nov 2014

Amazing and free.

Baitball Blogger

(47,766 posts)
2. I'll give it a shot. Thanks!
Sat Nov 15, 2014, 12:24 AM
Nov 2014

Oh, if my computer says that my security system doesn't allow a download, does that sound like something I would fix through Window Defender? Or my Antivirus program?

hobbit709

(41,694 posts)
3. the virus may be blocking it.
Sat Nov 15, 2014, 05:58 AM
Nov 2014

Download it to a flash drive on a different computer and then install from the flash drive.
you might have to boot up in Safe Mode With Networking.

Earth Bound Misfit

(3,556 posts)
4. No quick fix, sorry.
Sat Nov 15, 2014, 04:24 PM
Nov 2014

MBAM is a teriffic program (I install it on every one of my machines & recommend it highly) but it alone cannot completely remove this malware. Poweliks is a malware with rootkit-like features, it resides in the registry (loads in memory) is persistent and is not present as a file which can be scanned & removed easily. The payload (malware file) is stored in an encrypted registry value and is loaded at boot time by a RUN key calling rundll32 process with an encrypted javascript payload. It has been seen to reside in (at least) these 2 keys:

HKCU\software\microsoft\windows\currentversion\run\(default)
HKEY_LOCAL_MACHINE\Software\classes\clsid\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32

Once the payload is loaded, it tries to execute an embedded powershell script in "interactive" (silent) mode. That powershell scripts contains another encoded payload which will be injected into a (legitimate) dllhost process (the persistent item), which acts as a trojan downloader for other malware& is also responsible for protecting the registry value by recreating it when removed.

RogueKiller (by French malware analyst Tigzy) claims to be able to remove Poweliks as does ESET Poweliks Cleaner & Malwarebytes Anti Rootkit Beta, links below.

http://www.adlice.com/poweliks-removal-with-roguekiller/
http://kb.eset.com/esetkb/index?page=content&id=SOLN3587
https://blog.malwarebytes.org/security-threat/2014/11/no-more-poweliks/

Me? I'd restore from backup if available or re-install the OS, YMMV.

Some interesting analyses:
https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377

Baitball Blogger

(47,766 posts)
5. This is what I was experiencing.
Sat Nov 15, 2014, 09:05 PM
Nov 2014

Nothing seemed to work and since I'm dealing with an old and amputated laptop (the only input option is a thumbdrive), I thought it was best to light a candle and give it a decent burial. The virus is preventing me from downloading any programs so I'm dead in the water. But, I'm okay with that because I knew I was on borrowed time with the little relic.

Just as a precaution, should I change passwords? Exactly how effective is it in collecting private info?

Earth Bound Misfit

(3,556 posts)
6. I would.
Sun Nov 16, 2014, 03:48 AM
Nov 2014

I can't give you a definitive answer re: collecting private info but do know that this malware is capable of downloading a smorgasbord of stuff for various nefarious purposes...including collecting private info, passwords, documents...etc.

"Nothing seemed to work"

May I ask what you've tried and also what are the symptoms beside being unable to dl programs?

Baitball Blogger

(47,766 posts)
7. I did the usual things.
Sun Nov 16, 2014, 12:09 PM
Nov 2014

I ran the NSET anti-virus, which I was surprised claimed that the last clean up was a week ago. I was surprised because I kept getting pop-ups from my anti-virus software claiming that it had quarantined-deleted a trojan--and these pop-ups were increasing, with the names changing.

I also did CCleaner and deleted everything that it found out of place. I did this with the registry clean-up which resulted in a permanent pop-up at start-up that claimed I had deleted a program (which definitely sounded Trojan). After that, each time I started the laptop the NSET pop-ups increased claiming that it was deleting Trojans.

Because I could not download a different anti-virus program (since the virus had locked me out) I decided not to stick around to find out if the Trojan was the one sending fraudulent NSET alerts.

Sunlei

(22,651 posts)
8. Trojan.Poweliks Removal Tool
Sun Nov 16, 2014, 12:14 PM
Nov 2014

Norton security free trial
http://us.norton.com/downloads

security search 'poweliks trojan'
http://us.norton.com/search?site=nrtn_en_US&client=norton&q=poweliks+trojan

Trojan.Poweliks Removal Tool
http://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-0511-99


I noticed the Norton site had a removal tool for the Trojan, not sure if the tool will work without Norton antivirus installed, there is a free trial. Good luck, will not be to hard to remove it

Baitball Blogger

(47,766 posts)
9. Thanks. I might try it on my good laptop just to make sure.
Sun Nov 16, 2014, 12:17 PM
Nov 2014

Earth Bound Misfit

(3,556 posts)
10. ***UPDATE***
Wed Dec 10, 2014, 03:49 AM
Dec 2014

Last edited Wed Dec 10, 2014, 01:17 PM - Edit history (2)

FWIW, I was able to (relatively) easily remove Poweliks from a test Win 7 Pro x64 Virtual Machine using a combination of Farbar's Recovery Scan tool, RogueKiller, Eset Services Repair tool & a few others like MBAM. Sorry I didn't reply sooner but I haven't had much time to "play" with malware samples lately until last weekend.

Relevant links:

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377
http://kb.eset.com/esetkb/index?page=content&id=SOLN3587
http://www.adlice.com/poweliks-removal-with-roguekiller/
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
http://www.bleepingcomputer.com/download/roguekiller/
http://www.bleepingcomputer.com/download/rkill/
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe <<<Direct DL link ESET Svcs Repair
(The trojan wrecks several windows "defense" services (Security Center, Defender, Windoze Update, Firewall, etc...)

If the above tools still don't remove every trace, then it's time to drop "The Hammer" -- ComboFix
http://www.bleepingcomputer.com/download/combofix/

BC's standard ComboFix disclaimer, Caveat Emptor & all that:

Please note that running this program without supervision can cause your computer to not operate correctly. Therefore only run this program at the request of an experienced helper.


ETA: All the tools/scanners linked above are 100% FREE... if any site demands $$$ for any of these, you're being scammed.

Baitball Blogger

(47,766 posts)
11. I wish threads like this would be pinned.
Wed Dec 10, 2014, 10:19 AM
Dec 2014

But, even fixes become obsolete after a few months.

So, to the bookmarks this will go.

Earth Bound Misfit

(3,556 posts)
12. Yup.
Wed Dec 10, 2014, 12:30 PM
Dec 2014

Unfortunately the white hats are always playing catch-up, with the black hats finding newer vulnerabilities and more devious methods of intrusion & self-defense. The first two places I go to for info/analysis/treatment/cure when a new variant/method emerges:

http://www.kernelmode.info/forum/index.php?sid=1577b7ef7dc61c689e2a7497d60d7897
http://malware.dontneedcoffee.com/

Either or both links may trigger false positive alarms from AV (some zipped malware samples & reference to known threats)... I have to turn off my Avast when visiting Malware don't need Coffee

steve2470

(37,462 posts)
13. I will pin this for a while, good idea nt
Wed Dec 10, 2014, 12:33 PM
Dec 2014

Baitball Blogger

(47,766 posts)
14. thanks!
Wed Dec 10, 2014, 02:28 PM
Dec 2014

Response to Earth Bound Misfit (Reply #10)

glenmarth

(6 posts)
15. poweliks - powershell has stopped working
Mon Jan 5, 2015, 07:57 PM
Jan 2015

I believe, i may have got this after clicking an ad or a post on facebook which appeared to be fake. It made my computer super slow. I followed the steps @ powershell has stopped working and fixed it. Hope it will help you guys as well.

Response to Baitball Blogger (Original post)

AirSurf

(2 posts)
17. remove poweliks?
Sat May 9, 2015, 03:53 AM
May 2015

In case your antivirus is not removing it, try using adwlceaner or malwarebytes. Both are great and free.
I use malarebytes, it helped me recently with roll around ads - http://pcspywareshield.com/guides/roll-around/ (it is not actually a virus and my AVG antivirus do not flag it)

Maxbala

(3 posts)
19. Eset Node32 is not good
Tue Sep 29, 2015, 04:55 AM
Sep 2015

Eset Node32 may not a good antivirus program.
Reinstalling the system can fix the issue completely, but you'd better back up the important files before.

Response to Baitball Blogger (Original post)

DivenParker

(9 posts)
21. useful
Fri Feb 26, 2016, 05:13 AM
Feb 2016

i have got it

mahatmakanejeeves

(60,665 posts)
22. AUTOMATED MESSAGE: Results of your Jury Service
Fri Feb 26, 2016, 09:54 AM
Feb 2016

AUTOMATED MESSAGE: Results of your Jury Service

Mail Message

On Fri Feb 26, 2016, 06:32 AM an alert was sent on the following post:

useful
http://www.democraticunderground.com/?com=view_post&forum=1095&pid=16786

REASON FOR ALERT

This post is disruptive, hurtful, rude, insensitive, over-the-top, or otherwise inappropriate.

ALERTER'S COMMENTS

Looks like a troll--also posted in Cooking & Baking


You served on a randomly-selected Jury of DU members which reviewed this post. The review was completed at Fri Feb 26, 2016, 06:39 AM, and the Jury voted 2-5 to LEAVE IT.

Juror #1 voted to HIDE IT
Explanation: I can't do much in the way of research while I'm on the jury, but the complainant thinks this brand new DUer is a troll. My guess is that he will be a spammer. He is posting on a long dormant thread. I've seen posts like this before and alerted on them. Just to kick this up to a higher level, I'm agreeing with the complainant. - mahatmakanejeeves
Juror #2 voted to LEAVE IT ALONE
Explanation: No explanation given
Juror #3 voted to HIDE IT
Explanation: Hint: don't troll when you're a newbie.
Juror #4 voted to LEAVE IT ALONE
Explanation: ???? Troll or not, I see nothing disruptive. ????
Juror #5 voted to LEAVE IT ALONE
Explanation: I have no idea why this post was flagged
Juror #6 voted to LEAVE IT ALONE
Explanation: No explanation given
Juror #7 voted to LEAVE IT ALONE
Explanation: No explanation given

Thank you very much for participating in our Jury system, and we hope you will be able to participate again in the future.

Response to Baitball Blogger (Original post)

Baitball Blogger

(47,766 posts)
24. Thank you. Bookmarked in case I need it later.
Thu Feb 21, 2019, 10:09 AM
Feb 2019

Welcome to DU.

Latest Discussions»Help & Search»Computer Help and Support»Anyone have a quick fix t...