PC Gurus: Powelik Virus

Started by TexasStroker, November 04, 2014, 04:49:56 PM

TexasStroker

Has anyone successfully removed this thing?

I got it on my home desktop and have been unable to get rid of it...Norton will detect it and delete it...then Power Eraser sometimes detects and cans it...Yet every time it seems to be gone, I go back online and within a few minutes hear the fan ramping up, check the task manager, and see the dllhost.exe x8 or so crippling performance.  Eventually it just shuts down.

I am currently removing it and staying offline to use the computer, but that really doesn't work well in the modern world...Especially since I have videos to upload.

None of my antivirus stuff gets it, the malicious software removal tool can't detect it, and every time I think it is "gone" I turn out to be wrong.

If anyone has dealt with this and successfully killed the virus, please let me know.  Thanks!
Founder, Amarillo Area Mopars
www.amarilloareamopars.com
Founder, Lone Star Mopars
www.lonestarmopars.com
Will set-up a regional Charger meet
Contact me for info!

68X426


I'm no computer guru, but I did sleep at a Holiday Inn last night.

This worked for my case of PowerLik: Kaspersky.

Kaspersky sells lots of programs, but I used the free trial available on-line.  Sorry, I don't have the exact name of the one I used, but it's a 30 day free trial, you download the whole program to the hard drive.  It found that virus and it eliminated it for good.  It's on the work computer and I'm at home now.  I'll post the name when I get in tomorrow.

Hope it works for you.




The 12 Scariest Words in the English Language:
We are Here from The Government and
We Want to Help You.

1968 Plymouth Road Runner, Hemi and much more
2013 Dodge Challenger RT, Hemi, Plum Crazy
2014 Ram 4x4 Hemi, Deep Cherry Pearl
1968 Dodge Charger, 318, not much else
1958 Dodge Pick Up, 383, loud
1966 Dodge Van, /6, slow

TexasStroker

Thanks for the insights...My AV (Norton) will detect it, remove it, and then say I'm in the clear...Then I go back online and the thing reinstalls itself, which means the malicious files are still in place.

The forum activity on Norton and Microsoft's end is laughable at best...they kind of acknowledge it and then direct you to a 3rd party site of your choice (i.e. a total stranger).  It blows my mind why they don't acknowledge it and simply state they are working on a solution.

I may try what worked for you...Thanks again.

polywideblock

Another vote for Kaspersky. Been using their Internet Security (Premium PC Protection) for about 2 years (came loaded as a trial on the desktop) now and have had nothing.


and 71 GA4 383 magnum SE

sunfire69

The problem is that this creates a registry entry that you will never find and every time you hit the internet it goes out and reinstalls itself. Because of that it's a tough one to clean....Kaspersky has been writing cleaning tools for a very long time and is some of the best out there, his freeware stuff is great but can be complicated and you have to follow his instructions carefully..if it can be cleaned he has the tools to do it....I have used the free version of AVG for more than 10 years and have had virtually no problems...Hackers write their stuff to get around Norton and McAfee...but usually ignore AVG because its use is not widespread....

TexasStroker

Quote from: sunfire69 on November 05, 2014, 07:34:08 AM
The problem is that this creates a registry entry that you will never find and every time you hit the internet it goes out and reinstalls itself. Because of that it's a tough one to clean....Kaspersky has been writing cleaning tools for a very long time and is some of the best out there, his freeware stuff is great but can be complicated and you have to follow his instructions carefully..if it can be cleaned he has the tools to do it....I have used the free version of AVG for more than 10 years and have had virtually no problems...Hackers write their stuff to get around Norton and McAfee...but usually ignore AVG because its use is not widespread....

Yep, this is the exact issue.  The root file remains intact as it is passed off as a legit Windows operation...Once I reconnect to the net and give it some time the dllhost.exe is filling up the task manager and consuming all the processor has.

I used to run Avast, but then the last few years we picked up Norton for work and it had extra uses left so I have been running it.

I'll look into some more options tonight at home.

Charger_Dart

Sometimes these processes get in the browser itself. I worked on a neighbor's laptop last week where this was the case. The system ran fine until you launched the Google Chrome web browser and then the system was trashed. The only way I found to keep the system clean was to uninstall Chrome, clean the system, and reinstall it. If the issue is with IE, maybe try using Chrome or Firefox instead to see if it goes away. Since IE is so integrated with Windows it can be a real hassle to fix and may not be worth the effort.
68 Charger R/T & 68 Dart GT Convertible

68X426




myk

Whenever I run across a system with a virus that deeply embedded in its system I just reformat the whole thing.  I couldn't figure out Kaspersky or some of the more complicated malware killers anyway...

TexasStroker

About 5 AM with my registry files open and about to be modified, I did one last search and came across a really nice software called Rogue Killer.  It isolated powelik AND removed the registry keys, which it uses to reinstall itself etc.

Hats off to Adlice crew for making Rogue Killer and quickly updating it to remove this virus.  Most annoying one I have had to date.

Thanks to everyone for the help and suggestions...I got in around 7 and started trying pretty much everything short of buying a new tower...The last attempt seemed to have done the trick.  I'm still going to let it sit online tonight and just browse a few sites and make sure it is gone, but testing last night indicated that was the case!

BananaDan

This bug, like most bugs, adware and other annoying software (RealVideo, Java, Adobe Reader, I can go on and on....) relies on the Run keys in the Windows registry to launch its processes at logon or at boot.  As the owner of a Windows computer, you should regularly check these keys to see what has deposited itself there and decide if it should be there or if you even want it there.  Even legitimate software can put values in these registry keys that don't *have* to be there.  Any software maker can decide to load up processes that you don't *need* and you can typically safely remove them.  If you are unsure, I would avoid making changes or ask someone.  Any processes in these keys will also add to your startup time, logon time and consume resources that could lead to slower system performance.

There are two sets of Run keys.  One set launches processes at boot and the other at user logon.

Boot Run Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  (values are persistent, unless they are removed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (values are removed after they execute once - viruses have used these in the past so check here too!)

User Logon Run Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (values are persistent, unless they are removed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (values are removed after they execute once - viruses have used these in the past so check here too!)

Think of it as routine maintenance like checking the color of your spark plug tips or changing your oil.  If you aren't familiar or comfortable with editing the registry, you can use a tool built into the OS called MSCONFIG.  See here how that works:

http://www.wikihow.com/Alter-Startup-Programs-in-Windows-XP  (Ignore the XP reference.  MSCONFIG has remained largely unchanged in Windows for years.)


Specific to this bug you had on your system, it seems to create these keys, which is how it was re-installing itself every time you logged onto your PC.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"(default)" = "[ENCRYPTED JAVASCRIPT]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[NON-ASCII STRING]" = "rundll32.exe javascript:\"\..\mshtml,RunHTMLApplication \";document.write(\"\74script language=jscript.encode\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\software\\microsoft\\windows\\currentversion\\run\\\")+\"\74/script\")"

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27775

Oh, and I did not stay in a Holiday Inn Express last night.  I do this for a living.  :)

p.s.- Kaspersky is a solid choice for an AV/security product.  Typically I would say to avoid whatever crap a PC company bundles on your PC when you buy it, but in this instance your PC maker made a good decision.
*This post brought to you by Carl's Jr.®*



Great spirits have always encountered violent opposition from mediocre minds. The mediocre mind is incapable of understanding the man who refuses to bow blindly to conventional prejudices and chooses instead to express his opinions courageously and honestly.  ~A. Einstein
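A read-only audit of the four Run/RunOnce keys listed in the post above, added here as an example (it is not code from the thread or from any vendor). The patterns it flags come from the Poweliks key dump quoted in that post: a loader stored in the "(default)" value or under a non-ASCII name, and data that runs rundll32 with a javascript: URL, mshtml,RunHTMLApplication, jscript.encode, or a RegRead() of the Run key itself.

```powershell
# Added example, not code from the thread: a read-only audit of the Run/RunOnce
# keys BananaDan lists. It prints every value and flags the ones that resemble
# the Poweliks persistence entries quoted in his post. Run from an elevated prompt.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Patterns taken from the quoted key dump: rundll32 given a javascript: URL,
# mshtml,RunHTMLApplication, jscript.encode, and a RegRead() of the Run key itself.
$suspiciousPatterns = @(
    'rundll32(\.exe)?\s+javascript:',
    'mshtml\s*,\s*RunHTMLApplication',
    'jscript\.encode',
    'RegRead\('
)

function Test-RunValue {
    param([string]$Name, [string]$Data)
    $reasons = @()
    # Poweliks hid its loader in the "(default)" value and under a non-ASCII name.
    if ($Name -eq '') { $reasons += 'data stored in the (default) value' }
    if ($Name -match '[^\x20-\x7E]') { $reasons += 'non-ASCII value name' }
    foreach ($p in $suspiciousPatterns) {
        if ($Data -match $p) { $reasons += "data matches /$p/" }
    }
    return $reasons
}

foreach ($keyPath in $runKeys) {
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($name in $key.GetValueNames()) {
        # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data exactly as stored.
        $data = [string]$key.GetValue($name, '',
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $reasons = @(Test-RunValue -Name $name -Data $data)
        $label = if ($name -eq '') { '(default)' } else { $name }
        if ($reasons.Count -gt 0) {
            Write-Output "SUSPICIOUS  $keyPath  [$label]  $($reasons -join '; ')"
        } else {
            Write-Output "ok          $keyPath  [$label]  $data"
        }
    }
}
```

Nothing is removed; compare any SUSPICIOUS line against the Symantec write-up linked in the post before deciding what to do with it.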

PlainfieldCharger

I have been fighting this one for about 2 weeks. I have Norton and it would keep coming back. Found this thread and downloaded and installed the Kaspersky and it is gone!! Chargers, computers, friends, knowledge, this site has it all!!

polywideblock

Quote from: BananaDan
p.s.- Kaspersky is a solid choice for an AV/security product.  Typically I would say to avoid whatever crap a PC company bundles on your PC when you buy it, but in this instance your PC maker made a good decision.


el-cheapo from ALDI supermarket (median) came with lots of crap I'll never use but was great value



TexasStroker

Looks like BananaDan hit it on the head...

I tried Kaspersky as suggested here and on others, but it came up clean...maybe I caught it after a Norton cleanse or something.  Rogue Killer is what did the trick for me...great software that I will be keeping on the machine and running at least weekly (although I am now in the habit of scanning somewhat constantly, lol).

Thanks again for all the help...Hopefully this thread can continue to help others that contract this pita virus...I saw last night it was getting about 6k daily and that figure is rising!