Author Topic: ==> Poweliks [Unique Thread] <==  (Read 6254 times)


October 31, 2014, 08:49:07 am

Tigzy

==> Poweliks [Unique Thread] <==
« on: October 31, 2014, 08:49:07 am »
Hello
Many people are infected with this one these days.

The original infection page is here: http://www.adlice.com/poweliks-removal-with-roguekiller/
Here's the way to get rid of it:

- Download Process Explorer and RogueKiller
- Start RogueKiller, do the Prescan and the Scan. It must detect the registry keys/values related to Poweliks.
- Launch Process Explorer with admin rights (right click, start in admin), and kill tree on the parent dllhost process
- Do the removal.
- Reboot immediately

EDIT: Some users reported it's easier in Safe Mode.
« Last Edit: November 02, 2014, 11:50:07 pm by Tigzy »

Reply #1, December 18, 2014, 01:52:32 am

YardGnome

Re: ==> Poweliks [Unique Thread] <==
« Reply #1 on: December 18, 2014, 01:52:32 am »
I believe RogueKiller detected this on my PC, and I downloaded Process Explorer. Could you please clarify "kill tree on the parent dllhost process"? I just want to make sure I don't do something disastrous before I start killing things. Thanks!

RogueKiller V10.1.0.0 [Dec 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Brian [Administrator]
Mode : Scan -- Date : 12/17/2014  18:34:52

Processes : 1
[Tr.Poweliks] dllhost.exe -- C:\Windows\syswow64\dllhost.exe[7] -> Killed [TermProc]

Registry : 10
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-686228774-1821032008-7804734-1001\Software\Microsoft\Windows\CurrentVersion\Run | Adobe CSS5.1 Manager : C:\Users\Brian\AppData\Local\c328614d-0645-451d-ba82-519523af4dddad\cddbaafdddad.exe  -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-686228774-1821032008-7804734-1001\Software\Microsoft\Windows\CurrentVersion\Run | Adobe CSS5.1 Manager : C:\Users\Brian\AppData\Local\c328614d-0645-451d-ba82-519523af4dddad\cddbaafdddad.exe  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-686228774-1821032008-7804734-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-686228774-1821032008-7804734-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-686228774-1821032008-7804734-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000036b])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 019032a5d55f605b7904f9675c731f54
[BSP] 2639019de8c0c11e7085f151397df712 : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12288 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 25167872 | Size: 100 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 25372672 | Size: 941479 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 8bc0bfc4645e5b16307ddc608a22aed6
[BSP] cbeebcd0282ec66729e961018aaa893c : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3:  +++++
Error reading User MBR! ([15] The device is not ready. )
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5:  +++++
Error reading User MBR! ([15] The device is not ready. )
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


Reply #2, December 18, 2014, 03:55:09 am

YardGnome

Re: ==> Poweliks [Unique Thread] <==
« Reply #2 on: December 18, 2014, 03:55:09 am »
Disregard, I figured it out, thanks

Reply #3, December 19, 2014, 03:53:51 pm

Tigzy

Re: ==> Poweliks [Unique Thread] <==
« Reply #3 on: December 19, 2014, 03:53:51 pm »
You can't do anything harmful by killing a process anyway.
You don't touch the file, only the RAM (memory), which is cleared out after a reboot anyway.

Kill tree in Process Explorer means taking the topmost process (the parent item) and choosing kill tree with a right click. That will kill all the child processes in the same action.
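As an added illustration of the kill-tree step (example code, not from the thread or from Adlice): a Python model of the parent/child relationship described above, run over a constructed process snapshot. It finds the topmost dllhost.exe in a chain (the "parent item" to select) and lists that parent with every descendant, which is what one Kill Process Tree action removes while leaving unrelated siblings alone.

```python
"""Model of Process Explorer's "Kill Process Tree" on a dllhost.exe chain."""
from collections import defaultdict

# Constructed snapshot (pid, ppid, name) standing in for what Process
# Explorer or Win32_Process would show; not taken from a real machine.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (600, 4, "wininit.exe"),
    (1200, 600, "svchost.exe"),
    (2300, 1200, "dllhost.exe"),   # topmost dllhost: the parent to kill-tree
    (2400, 2300, "dllhost.exe"),
    (2410, 2300, "dllhost.exe"),
    (2500, 2400, "dllhost.exe"),
    (3000, 1200, "explorer.exe"),  # unrelated sibling, must survive
]


def build_tree(processes):
    """Return parent, children and name lookups for a snapshot."""
    parent_of, name_of, children_of = {}, {}, defaultdict(list)
    for pid, ppid, name in processes:
        parent_of[pid] = ppid
        name_of[pid] = name.lower()
        children_of[ppid].append(pid)
    return parent_of, children_of, name_of


def topmost_ancestor(pid, parent_of, name_of, image="dllhost.exe"):
    """Walk up from pid while the parent is still the same image name."""
    while name_of.get(parent_of.get(pid)) == image:
        pid = parent_of[pid]
    return pid


def kill_tree_order(root, children_of):
    """Return root plus every descendant, children first (leaves before parents)."""
    order = []
    for child in children_of.get(root, []):
        order.extend(kill_tree_order(child, children_of))
    order.append(root)
    return order


def plan_kill_tree(processes, seed_pid, image="dllhost.exe"):
    """Given any dllhost pid, return (topmost parent pid, pids one kill-tree removes)."""
    parent_of, children_of, name_of = build_tree(processes)
    if name_of.get(seed_pid) != image:
        raise ValueError(f"pid {seed_pid} is not {image}")
    root = topmost_ancestor(seed_pid, parent_of, name_of, image)
    return root, kill_tree_order(root, children_of)
```

Starting from the deepest child (2500) or from the parent itself gives the same plan, which is why the thread says to pick the topmost dllhost before clicking kill tree.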