Poweliks??


This topic is locked
3 replies to this topic

#1 idssteve

idssteve

  • Members
  • 16 posts

Posted 26 February 2015 - 09:31 AM

ESET Poweliks Cleaner finds Poweliks on my system. After permitting the cleaner to clean and reboot, a re-run of ESET cleaner returns no infection.

THEN... While running RogueKiller, MSE pops up a warning msg and checking MSE history shows "Behavior:Win32/Powessere.D" as quarantined but not removed.

THEN... RogueKiller disappears before creating a log file.

THEN... ESET Poweliks Cleaner finds Poweliks back on my system again.

Is this for real? Or some kind of three-way strange interaction false pos? lol

Pretty sure I picked this up on my new SSD by stupidly downloading a weather gadget. Have formatted, zero-wiped, partitioned and cloned from the original drive. The old original drive does NOT exhibit this behavior. The format and clone seemed to kill the behavior until about ¼ way through a backup when MSE popped up a warning msg and now the behavior has returned.

Half tempted to just buy a new SSD but 1T SSDs are EXPENSIVE… ;)

Thanks in advance for any help.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2015 - 09:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
CloseProcesses:
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.exe - Shortcut.lnk
GroupPolicyUsers\S-1-5-21-3752240456-3176704981-1733824420-1003\User: Group Policy restriction detected <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled No File
S1 CBUL32; System32\drivers\CBUL32.SYS [X]
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
S4 LMIRfsClientNP; No ImagePath
S1 SASDIFSV; \??\C:\Users\CF30ST~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [X]
S1 SASKUTIL; \??\C:\Users\CF30ST~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [X]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:5C785D62
End

Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
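The fixlist in the post above targets three persistence points that are typical of Poweliks: a CLSID whose LocalServer32 value lives in the SYSTEM user hive (HKU\S-1-5-18), a shortcut dropped into the all-users Startup folder, and alternate data streams hung off C:\ProgramData\TEMP. The PowerShell below is an added example for readers of this thread; it is not part of the original post and is not FRST, ESET or Microsoft code. It enumerates those same three locations so you can see what is there before running a fix and confirm it is gone after the reboot. It assumes PowerShell 3.0 or later (for Get-Item -Stream and -File), an elevated prompt (the S-1-5-18 hive is not readable otherwise), and the substring list $suspectPatterns, which is a hypothetical heuristic chosen for this example, not a definition taken from any of the tools named in the thread.

```powershell
# Added example: enumerate the persistence points named in the FRST fixlist above.
# Not part of the original thread, FRST, ESET or Microsoft tooling. Requires PowerShell 3.0+
# and an elevated prompt so that HKU\S-1-5-18 (the SYSTEM hive) can be read.

# Hypothetical heuristic: a legitimate COM LocalServer32 value points at an .exe,
# not at a script host or an inline script.
$suspectPatterns = @('rundll32', 'mshta', 'javascript:', 'vbscript:', 'powershell')

function Get-SuspiciousLocalServer32 {
    # Walk CLSID roots in HKLM and in every loaded HKU hive (including the *_Classes hives,
    # which mount the user's classes at their root rather than under Software\Classes).
    $roots = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID')
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object {
            "Registry::HKEY_USERS\$($_.PSChildName)\Software\Classes\CLSID"
            "Registry::HKEY_USERS\$($_.PSChildName)\CLSID"
        }

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in (Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)) {
            $ls = "$($clsid.PSPath)\LocalServer32"
            if (-not (Test-Path -LiteralPath $ls)) { continue }
            $server = (Get-ItemProperty -LiteralPath $ls -ErrorAction SilentlyContinue).'(default)'
            $name   = $clsid.PSChildName

            # Poweliks hid its CLSID under a key name containing non-printable characters,
            # which is why the fixlist shows the key name elided; flag any such name.
            $oddName = $name -match '[^\x20-\x7E]'
            $oddData = $false
            foreach ($p in $suspectPatterns) {
                if ($server -and $server -match [regex]::Escape($p)) { $oddData = $true }
            }

            if ($oddName -or $oddData) {
                [pscustomobject]@{
                    Key           = $ls
                    LocalServer32 = $server
                    Reason        = $(if ($oddName) { 'non-printable characters in key name' }
                                      else { 'script host in server path' })
                }
            }
        }
    }
}

function Get-StartupEntries {
    # Resolve every .lnk in the common and per-user Startup folders to its real target,
    # so a shortcut named "taskmgr.exe - Shortcut.lnk" cannot hide what it actually launches.
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('CommonStartup'),
                 [Environment]::GetFolderPath('Startup'))
    foreach ($folder in $folders) {
        foreach ($item in (Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue)) {
            $target = $null
            if ($item.Extension -ieq '.lnk') {
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            [pscustomobject]@{ Path = $item.FullName; Target = $target }
        }
    }
}

function Get-AlternateStreams {
    param([string]$Path = 'C:\ProgramData\TEMP')
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # Every NTFS file or folder has the unnamed ':$DATA' stream; anything else is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Write-Host '== CLSID keys with a suspicious LocalServer32 =='
Get-SuspiciousLocalServer32 | Format-List

Write-Host '== Startup folder entries with resolved .lnk targets =='
Get-StartupEntries | Format-Table -AutoSize

Write-Host '== Alternate data streams on C:\ProgramData\TEMP =='
Get-AlternateStreams | Format-Table -AutoSize
```

Run it once before applying the fixlist and once after the reboot; if the CLSID, the Startup shortcut or the two streams reappear, the loader that recreates them has not been removed, which matches the "cleaner finds it again" cycle described in the first post. Entries under the *_Classes hives can be keyed by SID, so compare the SID in the output with the one in the GroupPolicyUsers line of the fixlist.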

#3 idssteve

idssteve
  • Topic Starter
  • Members
  • 16 posts

Posted 03 March 2015 - 10:02 AM

Thank you Nasdaq for your time, but this machine has since ceased to boot and I've diverted my attention to my "backup" laptop. Sorry I forgot about posting on this. I do plan to get this machine running again as time permits in a couple of weeks and then will want to continue resolving this issue.

Feel free to close this for now and I'll repost later.

Thanks again.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2015 - 02:25 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
