
Rootkit.Poweliks Null-Character Registry Key


  • This topic is locked
4 replies to this topic

#1 RyanPlegics

  • Members

Posted 09 September 2014 - 09:34 AM

Need help removing null-character registry entry detected as Rootkit.Poweliks by MBAM

 

FRST.txt identification:

 

InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION

 

Full FRST.txt log results attached

Attached Files

  • Attached File  FRST.txt   27.63KB   25 downloads



#2 aharonov

  • Malware Response Team

Posted 09 September 2014 - 09:50 AM

Hi there,

please try this:


Please download the attached fixlist.txt (230 bytes) and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


#3 RyanPlegics
  • Topic Starter

  • Members

Posted 09 September 2014 - 09:55 AM

That successfully deleted the persistent key.  Much appreciated.  Will re-run scans that detected the rootkit and see if any other traces remain.  Thanks

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 07-09-2014
Ran by CMATTIO_2 at 2014-09-09 10:52:30 Run:4
Running from C:\Documents and Settings\CMATTIO_2\Desktop\farbar
Boot Mode: Safe Mode (with Networking)
 
==============================================
 
Content of fixlist:
*****************
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
REG: reg query "HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32" /s
*****************
 
[HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] => Subkey with invalid name deleted successfully.
 
========= reg query "HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32" /s =========
 
 
! REG.EXE VERSION 3.0
 
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32
    <NO NAME> REG_EXPAND_SZ %systemroot%\system32\wbem\wmiprvse.exe
 
 
========= End of Reg: =========
 
 
==== End of Fixlog ====
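The Fixlog above shows why a dedicated directive was needed: reg.exe and regedit go through the Win32 registry API, which reads key names as null-terminated strings, so a subkey whose name begins with a null character (the one FRST prints as ******<*>) cannot be opened or deleted by name. The following PowerShell script is an added example, not part of this thread and not code from FRST or Farbar: it enumerates the subkeys of the LocalServer32 key through ntdll's NtEnumerateKey, which returns each raw name together with its length, and flags any name containing a control or null character. The registry path is the one from the post; the NtReg class, its SubKeyNames helper and the buffer sizes are my own choices, and it runs only on Windows.

```powershell
# Added example (not from the thread, FRST or Farbar). Lists subkeys through the
# native API so names with embedded NUL characters are seen instead of truncated.
$Src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class NtReg
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    [DllImport("ntdll.dll")] public static extern int NtOpenKey(out IntPtr KeyHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);
    [DllImport("ntdll.dll")] public static extern int NtEnumerateKey(IntPtr KeyHandle, uint Index, int KeyInformationClass, IntPtr KeyInformation, uint Length, out uint ResultLength);
    [DllImport("ntdll.dll")] public static extern int NtClose(IntPtr Handle);

    const uint KEY_READ = 0x20019;
    const uint OBJ_CASE_INSENSITIVE = 0x40;
    const int KeyBasicInformation = 0;
    const int STATUS_NO_MORE_ENTRIES = unchecked((int)0x8000001A);

    // Raw subkey names of an NT-style path such as \Registry\Machine\Software\...
    public static string[] SubKeyNames(string ntPath)
    {
        var us = new UNICODE_STRING();
        us.Buffer = Marshal.StringToHGlobalUni(ntPath);
        us.Length = (ushort)(ntPath.Length * 2);
        us.MaximumLength = (ushort)(us.Length + 2);
        IntPtr pUs = Marshal.AllocHGlobal(Marshal.SizeOf(us));
        Marshal.StructureToPtr(us, pUs, false);

        var oa = new OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.ObjectName = pUs;
        oa.Attributes = OBJ_CASE_INSENSITIVE;

        IntPtr hKey;
        int status = NtOpenKey(out hKey, KEY_READ, ref oa);
        Marshal.FreeHGlobal(pUs); Marshal.FreeHGlobal(us.Buffer);
        if (status != 0) throw new Exception(string.Format("NtOpenKey failed: 0x{0:X8}", status));

        var names = new List<string>();
        IntPtr buf = Marshal.AllocHGlobal(4096);   // large enough for any legal key name (255 chars)
        try
        {
            for (uint i = 0; ; i++)
            {
                uint len;
                status = NtEnumerateKey(hKey, i, KeyBasicInformation, buf, 4096, out len);
                if (status == STATUS_NO_MORE_ENTRIES) break;
                if (status != 0) throw new Exception(string.Format("NtEnumerateKey failed: 0x{0:X8}", status));
                // KEY_BASIC_INFORMATION layout: LastWriteTime(8) TitleIndex(4) NameLength(4) Name[]
                int nameLen = Marshal.ReadInt32(buf, 12);
                names.Add(Marshal.PtrToStringUni((IntPtr)(buf.ToInt64() + 16), nameLen / 2));
            }
        }
        finally { Marshal.FreeHGlobal(buf); NtClose(hKey); }
        return names.ToArray();
    }
}
'@
Add-Type -TypeDefinition $Src

# Key path from the post, written in NT object-manager form (HKLM -> \Registry\Machine)
$ntPath = '\Registry\Machine\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32'

$names = [NtReg]::SubKeyNames($ntPath)
Write-Output ("Found {0} subkey(s) under {1}" -f $names.Count, $ntPath)
foreach ($name in $names) {
    # Render control characters (including NUL) as \uXXXX so they are visible on the console
    $shown = -join ($name.ToCharArray() | ForEach-Object { if ([int]$_ -lt 0x20) { '\u{0:X4}' -f [int]$_ } else { $_ } })
    if ($name -match '[\x00-\x1F]') { Write-Warning "Subkey with embedded control/null character: $shown" }
    else { Write-Output "Subkey: $shown" }
}
```

Run it before applying the fix to confirm the hidden subkey is present and again afterwards to confirm it is gone; the `reg query /s` line in the Fixlog only lists the key's default value (still the legitimate wmiprvse.exe path) because reg.exe uses the Win32 API and would not be able to name such a subkey either way.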


#4 aharonov

  • Malware Response Team

Posted 09 September 2014 - 11:46 AM

Great. You can also run a scan with ESET as a general check up:


Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

#5 aharonov

  • Malware Response Team

Posted 19 September 2014 - 02:52 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



