Solved: Notice - System Infected: Trojan Powelik Activity

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
PC started having the issues I described about 5 days ago. Prior to this I had experienced occasional BSODs. Please help!
 

Attachments

  • Addition.txt (16.3 KB)
  • FRST.txt (16.2 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:
  • At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
  • Instructions I give to you are very simple and made for a complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
  • If during the process you run across anything that is not in my instructions, please stop and ask. If any tool runs for too long (a few hours), please stop and inform me.
  • I visit the forum several times a day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have a private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more, time to be removed completely, so bear this in mind and be patient.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  • Please attach all reports using the attach button below. Doing this, you make it easier for me to analyze and fix your problem.

  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.


Why did you run FRST from Safe Mode?
 

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
I ran FRST from Safe Mode because it kept locking up and would not scan in regular mode. Even in safe mode it took overnight, almost 12 hours to complete. Is that an issue?
 

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
OK thanks Eagle. Appreciate the help. After reading several other posts I checked and I also have several dllhost.exe processes taking up system resources. Obviously, since I was getting a high usage warning about COM Surrogate.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt (1.6 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Very good. How is your PC now?

Let's run one more check:



Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install the Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished, it will display a logfile (also located on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
 

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
PC is a little better. I seem to be able to navigate IE and other functions pretty quickly at first. After maybe 10 minutes the dllhost.exe processes really escalate and I still hear the audible TV shows and commercials come on over the speakers. I also start to experience some freezing while navigating. It does boot up pretty quickly now. Also, Norton still gives a warning of System Infected: Trojan Powelik Activity when I first sign on. Downloading ComboFix now. Will follow up with the log once complete! Thanks again.
 

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
Hey Eagle, I am having a problem with ComboFix. Downloaded fine, disabled Norton. It starts up and goes through the establishing restore point process but then stops. According to the instructions I should get a few popups saying I have to click yes to continue, but the popups never show up and the scan never starts. It appears once the restore process completes all 11 files, ComboFix just stops running. After some time I checked Task Manager and the application is not showing up. I deleted it from the desktop and tried re-downloading. Same thing happened.
 

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
OK, I may have spoken too soon. Waited over 30 minutes but now just got a warning from ComboFix that it was detecting Norton. I made sure Auto-Protect was off, also turned off Smart Firewall. ComboFix still detected it and said to run at my own risk. Now it looks like the scan is preparing to run....
 

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
OK, ran ComboFix, see attached. FYI I have no more background TV or radio playing. Still a little freezing going on but moving very quickly compared to before. I do not see any of the dllhost.exe processes running in Task Manager.
 

Attachments

  • combofix.txt (38.9 KB)

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
FYI, turned Norton back on. Then rebooted PC. Norton still gave a warning that it blocked System Infected: Trojan Powelik Activity. And when I rebooted a commercial played over the speakers and now music is playing. Got excited too quickly.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
No problem, let's scan again :)



Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.
 

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
Here are the logs. Just some observations while trying to run it. Got hung up on one file during the scan for over an hour. I opened Task Manager and the dllhost.exe processes were going crazy and taking up 100% of the CPU. I closed them all down and the scan resumed and then seemed to block the dllhosts out because it was using 100%. As soon as the scan completed I got a Norton warning about Powelik activity. Still had Task Manager open and saw PowerShell flash on Task Manager right as the Powelik warning came and then close quickly, and then the dllhost.exe processes started exploding right after the Norton warning. Don't know if that's useful.
 

Attachments

  • FRST.txt (16.8 KB)
  • Addition.txt (16.1 KB)
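A defender's triage script, added here as an example and not part of the thread or of any tool it mentions, that records the pattern bmikuls describes (a brief powershell.exe, then a burst of dllhost.exe COM Surrogate instances) to a log file instead of relying on a glimpse of Task Manager. It assumes PowerShell 3 or later run as Administrator (so command lines of other users' processes are visible); the instance threshold and the expectation that a normal dllhost.exe is started by svchost.exe with a /Processid: argument are heuristics chosen for this example.

```powershell
# Added triage example; not from the thread. Snapshots dllhost.exe and powershell.exe
# with parent process and command line, flags the unusual cases, and logs them.
# Heuristics (assumptions): legitimate dllhost.exe is started by svchost.exe with a
# "/Processid:{GUID}" argument, and more than $Threshold instances is unusual.
function Get-SurrogateTriage {
    param([int]$Threshold = 5)
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    $watched = $procs | Where-Object { $_.Name -in 'dllhost.exe', 'powershell.exe' -and $_.ProcessId -ne $PID }
    $rows = foreach ($p in @($watched)) {
        $parent = $byPid[[int]$p.ParentProcessId]
        [pscustomobject]@{
            Name    = $p.Name
            Pid     = $p.ProcessId
            Parent  = if ($parent) { $parent.Name } else { '<exited>' }   # parent already gone
            Created = $p.CreationDate
            CmdLine = $p.CommandLine
        }
    }

    $flags   = @()
    $dllhost = @($rows | Where-Object Name -eq 'dllhost.exe')
    if ($dllhost.Count -gt $Threshold) { $flags += "$($dllhost.Count) dllhost.exe instances" }
    # COM Surrogate started by something other than svchost.exe, or without the usual argument
    $odd = @($dllhost | Where-Object { $_.Parent -ne 'svchost.exe' -or $_.CmdLine -notmatch '/Processid:' })
    if ($odd.Count -gt 0) { $flags += "$($odd.Count) dllhost.exe with unexpected parent or arguments" }
    $ps = @($rows | Where-Object Name -eq 'powershell.exe')
    if ($ps.Count -gt 0) { $flags += "powershell.exe running, parent: $(($ps | ForEach-Object Parent) -join ', ')" }

    [pscustomobject]@{ Flags = $flags; Processes = $rows }
}

# Poll every 2 seconds for 10 minutes (arbitrary choices) so a short-lived powershell.exe
# is caught, and append every flagged snapshot to a log on the Desktop.
$log = Join-Path ([Environment]::GetFolderPath('Desktop')) 'surrogate-triage.log'
$end = (Get-Date).AddMinutes(10)
while ((Get-Date) -lt $end) {
    $snap = Get-SurrogateTriage
    if ($snap.Flags.Count -gt 0) {
        "=== $(Get-Date -Format s): $($snap.Flags -join '; ')" | Add-Content $log
        $snap.Processes | Format-Table Name, Pid, Parent, Created, CmdLine -AutoSize |
            Out-String -Width 300 | Add-Content $log
    }
    Start-Sleep -Seconds 2
}
```

The log then shows which process launched each dllhost.exe and powershell.exe at the moment the symptoms appear, which is the detail a helper would want alongside the FRST and Norton logs.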

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
Can't. Told you in the previous post, on bleepingcomputer.com the 32-bit version said file deleted or moved. This site enabled me to download the 32-bit version only.
 

bmikuls

New Member
Thread author
Verified
Oct 23, 2014
18
OK, had to turn off Norton and I was able to download the recent version. Scanning now. Thanks
 
