
Need Help with Trojan.AdClicker and Trojan.Powelik



#1 DMcClure (Members, 9 posts)

Posted 06 November 2014 - 12:14 AM

I have been infected with Powelik for a few days and Norton 360 cannot kill it. I tried to disable my antivirus to download ESETPoweliksCleaner but I get a Windows error saying my settings do not allow this file to be downloaded. Please advise.




#2 buddy215 (Moderator, West Tennessee)

Posted 06 November 2014 - 06:13 AM

Try using Rkill. If you are successful in running a scan with it, do not reboot the computer. Try to download the Eset Poweliks Cleaner again.

If that doesn't work, then try downloading Eset to a flash drive using a different computer and then moving it to the infected computer.

 

RKill Download (read what it does and doesn't do.)


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 DMcClure (Topic Starter)

Posted 06 November 2014 - 11:12 AM

I can't download RKILL either. I get the same Windows security alert message "Your current Security settings do not allow this file to be downloaded." I've read other messages from people infected with this thing that it resets internet settings. Is there a way around it, or do I have to have someone download RKILL and ESET and email them to me?



#4 buddy215 (Moderator)

Posted 06 November 2014 - 11:30 AM

There are several different named downloads for Rkill....did you try more than one?

I doubt you will be able to receive .exe's through email. I think most email clients these days block those.

Better to try a flash drive or other external media.

You could try booting into safe mode with networking and attempt the downloads.

EDIT: Any chance you might have a Linux LIVE CD?


Edited by buddy215, 06 November 2014 - 11:39 AM.


#5 DMcClure (Topic Starter)

Posted 06 November 2014 - 12:38 PM

Got a buddy to put RKILL and ESET on a flash drive for me.

I ran both. It told me Poweliks was removed.

Is that it? The computer is running much smoother, but is there a way I can be sure?



#6 buddy215 (Moderator)

Posted 06 November 2014 - 12:45 PM

Great....good job well done!

There have been a few here at BC who have used the Eset program and it was successful and confirmed.

I would suggest running some programs to remove adware/malware that often accompanies Poweliks.

  • download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars...especially Yahoo.

CCleaner - PC Optimization and Cleaning - Free Download

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

ESET SCAN

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.


#7 DMcClure (Topic Starter)

Posted 06 November 2014 - 06:18 PM

Still seems like there are some suspicious processes running (a dozen instances of hyedtskfcpa.exe running for Google Chrome? What's that about?), but the ESET scanner hasn't finished yet, so I guess we'll see. Here's the AdwCleaner text:

# AdwCleaner v3.311 - Report created 06/11/2014 at 13:13:57
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Daniel - DANIEL-PC
# Running from : C:\Users\Daniel\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\Program Files (x86)\File Type Assistant
Folder Deleted : C:\Users\Daniel\AppData\Local\FileTypeAssistant
Folder Deleted : C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
[!] Folder Deleted : C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk

***** [ Scheduled Tasks ] *****

Task Deleted : ProgramRefresh-ATFST
Task Deleted : ProgramUpdateCheck

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Bitberry
Key Deleted : HKCU\Software\FileTypeAssistant
Key Deleted : HKCU\Software\SocialBit
Key Deleted : HKCU\Software\AppDataLow\Software\CompeteInc
Key Deleted : HKLM\SOFTWARE\CompeteInc
Key Deleted : HKLM\SOFTWARE\InstallIQ
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trusted Software Assistant_is1

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344

-\\ Google Chrome v38.0.2125.111

[ File : C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [3234 octets] - [06/11/2014 13:05:54]
AdwCleaner[S0].txt - [2737 octets] - [06/11/2014 13:13:57]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2797 octets] ##########


And the JRT...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.6 (11.05.2014:1)
OS: Windows 7 Home Premium x64
Ran by Daniel on Thu 11/06/2014 at 13:53:21.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\best buy pc app

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"
Successfully deleted: [Folder] "C:\Users\Daniel\appdata\local\best buy pc app"
Successfully deleted: [Empty Folder] C:\Users\Daniel\appdata\local\{18006614-A2CD-43F8-BC2E-CC333E86B307}
Successfully deleted: [Empty Folder] C:\Users\Daniel\appdata\local\{2D4EBA8C-9EBA-4A28-B29C-625E3CA43A77}
Successfully deleted: [Empty Folder] C:\Users\Daniel\appdata\local\{31EC4F29-A3D9-49D1-AC2D-9EDE4F3A8D9B}
Successfully deleted: [Empty Folder] C:\Users\Daniel\appdata\local\{D7234D5C-C665-4A90-8675-B7417EAAA148}
Successfully deleted: [Empty Folder] C:\Users\Daniel\appdata\local\{DA683509-1B30-4B19-9C6F-98E2E15EBEC5}
Successfully deleted: [Empty Folder] C:\Users\Daniel\appdata\local\{E3AF4482-0C01-48D8-B65B-BB96F5315549}

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 11/06/2014 at 13:56:35.79
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#8 DMcClure (Topic Starter)

Posted 06 November 2014 - 07:41 PM

How long is this eset scan supposed to take? It finished searching the files after 4 hours and the progress bar says 100%, but the page is stuck on Step 3 of 4 and the status still says "Scanning" and the target is "operating memory." The clock has stopped running, too. It's been stuck like that for two hours. Do I stop it?



#9 buddy215 (Moderator)

Posted 06 November 2014 - 08:29 PM

Sounds like it is frozen. Not good. Stop it and see if it will give a report.

Try running the Eset Powelik scan again. Let me know if it finds Powelik again.

I think it best to start a new topic.

Repair will require use of tools not allowed in this forum. It will also require expertise in removal of the malware.

Start a new topic after creating a DDS log by following instruction #6 found here: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help - Virus, Trojan, Spyware, and Malware Removal Logs

Post the DDS log along with a description of the problem in the Virus, Trojan, Spyware, and Malware Removal Logs Forum - BleepingComputer.com

Do not bump your topic once it is posted. Wait for a response. It could be a few days.



#10 DMcClure (Topic Starter)

Posted 06 November 2014 - 08:40 PM

Hmmmm. I clicked "STOP" and it proceeded normally to STEP 4 and claimed it was done. I followed the remaining steps. Below is the txt file generated. I also ran Powelik scan again and found nothing. I've still got those suspicious looking processes, but I guess I'll start a new topic if I notice any further bad system behavior. Right now all seems quiet and smooth. Thanks for the help!

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\File Type Assistant\ftacfg.exe.vir Win32/FileTypeAssistant.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\File Type Assistant\TSASetup.exe.vir a variant of Win32/FileTypeAssistant.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\File Type Assistant\tsassist.exe.vir a variant of Win32/FileTypeAssistant.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\File Type Assistant\temp\~tmp.exe.vir a variant of Win32/FileTypeAssistant.A potentially unwanted application deleted - quarantined
C:\Users\Daniel\AppData\Local\inXile entertainment\Txxbmdqvxwux.dll a variant of Win32/Kryptik.CPNG trojan cleaned by deleting - quarantined
C:\Users\Daniel\AppData\Local\Microsoft Games\Txxbmdqvxwux.dll a variant of Win32/Kryptik.CPNG trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Daniel\Downloads\fl_setup.exe a variant of Win32/AdWare.iBryte.BJ application cleaned by deleting - quarantined
Operating memory multiple threats 
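The ESET export above lists each finding as a file path, a detection name, a category and the action taken. As an added example (not from the thread, ESET or BleepingComputer), here is a small Python triage script that parses lines in that layout, ranks trojan and in-memory hits above PUA/adware, and flags files whose removal is deferred to the next restart, the case shown by the Microsoft Games\Txxbmdqvxwux.dll line; the regular expression and the severity ranking are assumptions inferred from only the lines posted here, and the sample input is a copy of those lines.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample input: the detection lines of the ESET export quoted in
# post #10, copied here in the same line layout so the block runs offline.
SAMPLE_REPORT = r"""
C:\AdwCleaner\Quarantine\C\Program Files (x86)\File Type Assistant\ftacfg.exe.vir Win32/FileTypeAssistant.A potentially unwanted application deleted - quarantined
C:\Users\Daniel\AppData\Local\inXile entertainment\Txxbmdqvxwux.dll a variant of Win32/Kryptik.CPNG trojan cleaned by deleting - quarantined
C:\Users\Daniel\AppData\Local\Microsoft Games\Txxbmdqvxwux.dll a variant of Win32/Kryptik.CPNG trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\Daniel\Downloads\fl_setup.exe a variant of Win32/AdWare.iBryte.BJ application cleaned by deleting - quarantined
Operating memory multiple threats
"""
# Assumed line layout, inferred from the posted lines only:
# <path> [a variant of ]<family> <category> <action> [(after the next restart)] - quarantined
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:a variant of )?(?P<family>\S+/\S+) (?P<category>.+?) "
    r"(?P<action>cleaned by deleting|deleted)(?P<pending> \(after the next restart\))? - quarantined$"
)

@dataclass
class Detection:
    path: Optional[str]   # None for the "Operating memory" line
    family: str
    category: str
    pending_reboot: bool  # removal only completes after a restart

def severity(d: Detection) -> str:
    """Rank by the category ESET assigned: trojans and in-memory hits outrank PUA/adware."""
    if d.path is None or d.category == "trojan":
        return "high"
    if "AdWare" in d.family or "unwanted" in d.category:
        return "low"
    return "medium"

def parse_report(text: str) -> list:
    out = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = LINE_RE.match(line)
        if m:
            out.append(Detection(m["path"], m["family"], m["category"], m["pending"] is not None))
        elif line.startswith("Operating memory"):
            # No file path: something was found running, not just sitting on disk.
            out.append(Detection(None, "memory", "in-memory threat", False))
    return out

def triage(text: str) -> dict:
    """What a helper wants to know before calling the machine clean."""
    dets = parse_report(text)
    return {
        "count": len(dets),
        "high": sorted({d.family for d in dets if severity(d) == "high"}),
        "pending_reboot": [d.path for d in dets if d.pending_reboot],
        "memory_hit": any(d.path is None for d in dets),
    }
```

On the posted lines, triage() reports two high-severity families (Win32/Kryptik.CPNG and the in-memory hit) and one file still pending removal until the next restart, which is why a second scan after rebooting is the sensible next check.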
 



#11 buddy215 (Moderator)

Posted 09 November 2014 - 08:40 PM

I see you haven't started a new topic.

I also see some real nasty malware was found and removed by Eset...Kryptik.CPNG

Some Kryptik-type malware creates back doors on your computer allowing them complete access to the internet. Some attempt to collect sensitive info to access bank accounts, etc. and then attempt to transmit that info to criminals by using the created back doors.

I really think it would be wise to change all passwords to banking, CC accounts, etc. using another clean computer.

It would be a good idea to post a new topic to get some assurance that your computer is clean. But I know that no one will tell you that it is 100% free of any damage caused by this malware.

