Poweliks 2015, it's baaaak

Was it the new 1.0.0.5 (30th June 2015 release) version of the Eset Poweliks Cleaner that you tried?

Giving this tool a shot this evening. Got one last night that had a bunch of junkware and malware. Got most of it but Hitman Pro is still flagging some remnants so throwing everything I have at it. Including ORT from @OaksLabs
 
We've seen two this week that ESET and everything else missed. One newer tech threw the kitchen sink at this computer. He had about 25 logs of stuff he ran trying to find it. CMD and dozens of conhosts launching within 5 minutes of booting. The customer freaked because he got the Crypto wallpaper and thought it was all encrypted. Poor tech suffered 4 days trying to bust this open and the customer was getting concerned.

I took a look at it and his logs and knew he was up against something we haven't seen before. Pulled out my FRST, ran the scans, put together a fixlist and killed it. But same thing Jimbo is explaining: files without extensions, folders with hidden files, etc. Key in on new directories and files in the last 30 days and you'll see the stuff to dump. FRST found the crypto lock image on 7-10-2015 so I knew what date the infection occurred. From then it was pretty easy to piece the infection together and yank it.

But to be clear, no tool today found the infection or even detected it. This newer tech had tried them all. :D
 
Here is the fixlog for the one I yanked out yesterday. The story was he was on a Minecraft cheat site or forum and thought he was downloading cheats. The executable changed his wallpaper to that file you see in there, !Decrypt-All-Files-noqonmf.bmp, which looks just like the CTB-Locker one.

But to answer your question, yes, I look real close at new files and directories in the last 30 days which is part of the default FRST scan. Some sneaky ones will mask some file dates but typically they don't mask them all and when you find one you can usually piece the rest together or kill enough processes to break it.

 
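As an added example (not code from any post in this thread), here is a PowerShell pass over the same signals the last two posters key in on: anything created or modified in the last 30 days, hidden attributes, files with no extension, and creation times that are newer than last-write times as a hint that a date was masked. The roots, the 30-day window and the optional `-Since` pivot (for when a wallpaper or log already gives you the infection date) are assumptions; it does not reproduce FRST's scan.

```powershell
# Added example, not code from this thread. Assumes PowerShell 3+ and that the
# roots below are where the junk landed; adjust them to the machine in front of you.
function Get-RecentSuspectItems {
    param(
        [string[]]$Roots = @($env:USERPROFILE, $env:ProgramData, "$env:windir\Temp"),
        [int]$Days = 30,
        [datetime]$Since            # optional: pin to a known infection date instead of -Days
    )
    if (-not $PSBoundParameters.ContainsKey('Since')) { $Since = (Get-Date).AddDays(-$Days) }

    # -Force makes hidden and system items show up, which is the whole point here
    Get-ChildItem -Path $Roots -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $flags = @()
            if (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $flags += 'hidden' }
            if (-not $_.PSIsContainer -and -not $_.Extension) { $flags += 'no-extension' }
            # Creation newer than last write is what a back-dated write time looks like;
            # a plain file copy produces the same pattern, so treat it as a lead, not proof.
            if ($_.CreationTime -gt $_.LastWriteTime.AddMinutes(1)) { $flags += 'time-mismatch' }
            [PSCustomObject]@{
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                Flags    = ($flags -join ',')
                Path     = $_.FullName
            }
        } |
        Sort-Object Created -Descending
}

# Everything recent that tripped at least one flag, newest first
Get-RecentSuspectItems | Where-Object { $_.Flags } | Format-Table -AutoSize -Wrap

# Or pivot on a date you already trust, e.g. the day the wallpaper appeared
# Get-RecentSuspectItems -Since '2015-07-09' | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the user-profile and ProgramData trees are fully readable; items with no flag still print if you drop the `Where-Object`, which is useful for seeing a whole new directory tree at once.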
I just got burned by Poweliks. The client complained that his laptop was running slowly. After running the usual tools and removing the malware I thought I was done. I rebooted thinking everything was OK.

Process Explorer showed the CPU functioning at 95-97%. I started IE and it opened slowly, plus it couldn't find half the URLs I tried. Chrome was fine. No constant spawning of dllhost.exe files like the old version. I didn't know about conhost and notepad but do not recall seeing them. Double-checked Proc Expl and still the CPU was at 95-97% idle.

I also couldn't download files with IE (Chrome fine) so that's when I ran ESET's Poweliks removal tool and it found and neutralized it.

Bitdefender offline, RogueKiller, the MBAX brothers and ComboFix were all blind to it. I can't explain why this infection wasn't hogging system resources. Oh yeah, I almost forgot. ComboFix took well over an hour to run. I've never seen that before. I originally thought it was hung at stage 5 (around 20 minutes on that single stage) but it eventually completed.
 
A lady called me an hour ago with a slow PC complaint. I had her open Task Manager and had her sort processes by descending CPU use, and sure enough she saw signs of Poweliks. So I got me another $89 for Saturday morning. :p

The one I had earlier today was invisible to ESET's tool. The one thing I noticed was if I turned off the wifi the CPU use would drop right away and stay down for a little bit and then come back up. Not sure what it's doing with notepad, and I didn't sniff the network to see if it was doing any DDoS or anything.

If the lady shows up with her Poweliks machine I am going to try to do a bit more testing while it's live. I want to see if it's slamming the net or if it's running any local ports, etc.
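As an added example (not code from any post in this thread), here is the live-box testing the last poster is describing, done from PowerShell instead of Task Manager: who is burning CPU over a short window (run it once with wifi on and once with it off), which process each cmd/conhost/notepad/dllhost hangs off, and which PIDs own TCP connections. The watch list is an assumption drawn from the process names mentioned in this thread; `Get-NetTCPConnection` needs Windows 8 / Server 2012 or later, so on a Windows 7 box use `netstat -ano` for that part.

```powershell
# Added example, not code from this thread. Assumes PowerShell 3+; the TCP
# mapping assumes Windows 8 / Server 2012+ (Get-NetTCPConnection).
function Get-CpuBurners {
    # Which processes accumulated the most CPU seconds over the sample window
    param([int]$Seconds = 10, [int]$Top = 10)
    $before = @{}
    foreach ($gp in Get-Process) { $before[$gp.Id] = $gp.CPU }
    Start-Sleep -Seconds $Seconds
    Get-Process | ForEach-Object {
        $delta = [double]$_.CPU - [double]$before[$_.Id]
        [PSCustomObject]@{ Pid = $_.Id; Name = $_.ProcessName; CpuDelta = [math]::Round($delta, 1) }
    } | Sort-Object CpuDelta -Descending | Select-Object -First $Top
}

function Get-SuspectProcessReport {
    param(
        # Assumed watch list, built from the process names posters mention
        [string[]]$WatchList = @('cmd', 'conhost', 'dllhost', 'notepad', 'rundll32', 'powershell')
    )
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    # Total CPU seconds per PID so far
    $cpu = @{}
    foreach ($gp in Get-Process) { $cpu[$gp.Id] = $gp.CPU }

    # TCP connections owned by each PID, to see who is actually talking on the network
    $conns = @{}
    Get-NetTCPConnection -ErrorAction SilentlyContinue | ForEach-Object {
        $conns[[int]$_.OwningProcess] += 1
    }

    foreach ($p in $procs) {
        $id     = [int]$p.ProcessId
        $name   = [IO.Path]::GetFileNameWithoutExtension($p.Name)
        $parent = $byId[[int]$p.ParentProcessId]
        # PIDs get reused: a parent that already exited may now be an unrelated program
        if ($parent) { $parentLabel = "$($parent.Name) ($($parent.ProcessId))" }
        else         { $parentLabel = "<exited> ($($p.ParentProcessId))" }
        [PSCustomObject]@{
            Pid         = $id
            Name        = $p.Name
            Parent      = $parentLabel
            CpuSeconds  = [math]::Round([double]$cpu[$id], 1)
            TcpConns    = [int]$conns[$id]
            Watched     = ($WatchList -contains $name)
            CommandLine = $p.CommandLine
        }
    }
}

# 1. Ten-second CPU sample; repeat after disabling wifi and compare
Get-CpuBurners | Format-Table -AutoSize

# 2. Watched processes and anything holding TCP connections, hottest first
$report = Get-SuspectProcessReport
$report | Where-Object { $_.Watched -or $_.TcpConns -gt 0 } |
    Sort-Object CpuSeconds -Descending |
    Format-Table Pid, Name, Parent, CpuSeconds, TcpConns -AutoSize

# 3. How many copies of each watched process are alive right now
$report | Where-Object Watched | Group-Object Name | Select-Object Name, Count

# 4. Full command lines for the watched ones (what is notepad actually being run with?)
$report | Where-Object Watched | Select-Object Pid, Parent, CommandLine | Format-List
```

The CPU sample is the part to run twice: if the burners drop to near zero with the radio off and climb back once it reconnects, that matches what the poster saw and points you at the PIDs to look at in steps 2 and 4.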
 