How can I remove Poweliks and Adclicker trojans?

I keep getting attacked by the Poweliks Trojan and a minute or so later by
the Adclicker Trojan. After the attack my computer slows almost to
a stop and I have to shut down and restart. I have run Norton several times
- both full system scan and the Power Eraser tool - but the attacks still occur. Any
suggestions on how I can stop this once and for all? Thank you for any advice that you
can give me.

I forgot to mention that Norton is not finding any issues except for the first couple times I ran it.

Try this program, I used it a few days ago to remove a very persistent malware.

I would also suggest installing the free version of Zone Alarm firewall which would stop the virus accessing the internet.
Good luck.

The software named *Malwarebytes* is pretty good.

Yes, I forgot to mention that, it should be on every PC

Here’s an update:

I’ve installed Malwarebytes and Zone Alarm firewall but I’m still
having problems. Norton is now blocking the attack but afterward the computer
runs slower and slower until it is useless to continue. I’ll shut down and restart the
computer and sometimes when I restart scan disk will run. I don’t know if it’s repairing damage
due to the virus or if the virus is using scandisk to make changes
on the computer. Computer will run fine until the next attack, which
can come anywhere from a few minutes to a couple hours after restarting.

Norton still can’t find anything and Malwarebytes only found something
the first time I ran it.

Any other suggestions? Thank you for any assistance that you can give me.

  • X. L. Lent

Try Adware Removal Tool, Spybot, both of which are free, and then the free trial of Bullguard (personally, I like Bullguard’s ability to quarantine, and I pay for the full version).

Run several different malware/adware removers at once. This is the best way to make sure the stuff is gone for good. You won’t be able to use the computer while they are running, unless you have something like 5GB memory, but it will be worth it. I would run Spybot, Adware Removal Tool, and Bullguard, but you could do Malwarebytes instead of Spybot or Bullguard, or you could run all four. I would not run more than four; that would probably slow things down too much.

Malware/adware has a way of getting itself right back on as soon as the remover has eliminated it, and this is how running several programs at once can catch it-- think of it as one chasing it out, and the other locking the door behind them.

Also, delete your cookies-- ALL OF THEM first. Yes, you will have to login again to every site that had a stored username and password, and it will be a pain for a while, but it will help.

ETA: go to “delete programs,” and see if there is anything you don’t recognize. Delete things you know you didn’t download on purpose.

If you haven’t already, try booting up in Safe Mode, and running a scan.

Also, try doing a scan for rootkits. It sounds like you have something beyond run-of-the-mill malware.

I think the root kit killer was called “Rogue Killer”.

Also I ran across a persistent virus redirecting the IE browser. None of the items listed above would find anything malicious.

The symptom was in IE; Tools - Internet Options - Connections - LAN settings - the “use proxy server” was checked. Uncheck it, go back in, and it was checked again. (Redirected to 127.0.0.1 and some high-level port.) I couldn’t find the offending process. (Autodiscover proxy settings was greyed out)

Eventually, going into Safe Mode and checking “auto-discover proxy settings” stopped the repeated misdirection of proxy settings.

Systems appearing at the moment: users have tried Roguekiller with no success. Adwcleaner and JRT won’t anyway, and JRT will remove part of Norton.

FRST is an advanced tool and even then I have had 2 systems where in the proper hands FRST could not deal to Poweliks either.

Had to use a second program with FRST and script all at the same time.

Possible Solution
smbaxter1265
Newbie1
Reg: 29-Oct-2014

Posts: 0

Solutions: 0

Kudos: 0

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Posted: 29-Oct-2014 | 3:40PM

WORK AROUND:

Ok, this worked for me. Before trying this fix I recommend you turn off your internet access\wifi to slow it down.

This Trojan runs a line of javascript from the registry key. If you remove this key it will only recreate it. I have a work around, since I cannot locate the program that is recreating this. I located the key by running the latest version of Rogue Killer. It then showed me the path of the registry. I did not delete this through RogueKiller since it will only recreate itself…

The path of the offending virus registry on my computer was:

HKEY_USERS\S-1-5-21-3307227288-2313220994-4118584292-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32

With this you need to move quickly on this part:

  1. Delete\edit the two registries: (a) and (default - which will stay but show no value).

  2. Then quickly move to this folder (parent of local32):

{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}

Right Click file to change\edit permissions.

Uncheck inherit permissions box. (May be under advanced button), then remove all users except yourself, give yourself ONLY read and DELETE permissions (you can always add yourself back later). This MUST be done BEFORE the virus recreates the registry. SO be ready for this. Maybe even practice. Reboot. Log in. Go to Task Manager and monitor the CPUs. If it goes up to 100, repeat this because you did not move fast enough in deleting and changing permissions.

-Megan
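The delete-then-lock sequence from the workaround above, scripted in PowerShell so both steps run back to back instead of by hand. This is an added example, not part of the original post: the key path is a placeholder to fill in with the SID and CLSID your scanner reports, and it assumes the script runs in the affected user's own session.

```powershell
# Added example (not from the original post).
# ASSUMPTION: placeholder path below; substitute the SID and CLSID your scanner reported.
$sub = '<USER-SID>\Software\Classes\CLSID\{<CLSID-FROM-SCANNER>}'

# Open the parent CLSID key with enough rights to edit values and permissions.
$parent = [Microsoft.Win32.Registry]::Users.OpenSubKey(
    $sub,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::FullControl)
if (-not $parent) { throw "Key not found or access denied: HKEY_USERS\$sub" }

# Step 1: record, then delete, every value under LocalServer32.
# GetValueNames() returns '' for the (Default) value, which stays visible but empty.
$ls = $parent.OpenSubKey('LocalServer32', $true)
if ($ls) {
    foreach ($name in $ls.GetValueNames()) {
        Write-Output ("Removing value '{0}' = {1}" -f $name, $ls.GetValue($name))
        $ls.DeleteValue($name, $false)
    }
    $ls.Close()
}

# Step 2: immediately lock the parent key.
$acl = $parent.GetAccessControl(
    [System.Security.AccessControl.AccessControlSections]::Access)

# Stop inheriting permissions and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Remove every explicit entry that is still on the key.
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
    $acl.RemoveAccessRuleSpecific($rule)
}

# Grant the current user Read and Delete only, applied to this key and its subkeys.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$allow = New-Object System.Security.AccessControl.RegistryAccessRule(
    $me,
    [System.Security.AccessControl.RegistryRights]'ReadKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($allow)

$parent.SetAccessControl($acl)
$parent.Close()
Write-Output "Locked HKEY_USERS\$sub"
```

The values printed in step 1 are worth saving before you reboot, since they are the only record of what the key contained.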
