Heavily Infected by svchost.exe and Poweliks.


  1. Posts : 11,247
    Windows / Linux : Arch Linux
       #11

    Hi folks

    If your computer is infected, don't waste your time spending hours trying to "disinfect" it. You can't ever be sure that the program does its job 100%.

    Using an infected computer to cleanse / disinfect itself is like being a pilot who is told, "here's a defective plane, but you have to fly it and fix it in the air!" As a licensed private pilot, you know what my answer would be to that one!

    Simply restore a clean image (Macrium Free if you have it); if you haven't got one, then the only sensible way is a clean Windows install. You won't lose activation on any clean installs. Then always make sure you have a clean backup image; if you keep OS and data separately, an image can be taken or restored, even on older systems, within 30 mins at most.

    You are also 100% isolated against ransomware as well: simply disconnect the computer from the internet, switch it off immediately, reboot into your restore program and restore the clean image.

    Cheers
    jimbo


  2. Posts : 94
    Microsoft Windows 10 Home 64-bit
    Thread Starter
       #12

    I mention Poweliks because it's the only virus that comes to mind that closes Chrome. It's also located in the registry, so it could be hidden. I tried the suggestion of scanning in Malwarebytes offline and it detected a whole lot more. I then tried the RKill steps and was able to run the Poweliks cleaner, which successfully cleaned Poweliks as well.

    So I think most is gone now. I've managed to clean most things. The reason I don't reset is because of the applications I have on this pc and I don't have time to reinstall them as I use them for work.

    I'll mark it as solved now. Thanks to all the people that helped me. Thanks again.
    Last edited by youngtomlin; 14 Apr 2018 at 11:51.
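A check for the "located in the registry, so it could be hidden" point above. This is an added example, not code from the thread or from any of the tools named in it. It audits the standard Run/RunOnce keys for two things that do not belong in a legitimate autorun entry: a value name containing non-printable characters (a way of hiding the entry from regedit) and a command that launches a script engine or an encoded payload instead of a program. The pattern list is a hypothetical starting point, not a complete signature set. Run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): audit the common Run/RunOnce registry
# keys for entries that look like registry-resident persistence.
# Assumptions: elevated PowerShell; $suspiciousPatterns is a hypothetical
# starting list, extend it for your own environment.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Command fragments that a normal autorun value (a path to an .exe) never
# contains: script protocols, script hosts, encoded PowerShell, remote scriptlets.
$suspiciousPatterns = @(
    'javascript:', 'vbscript:', 'mshta', 'rundll32.*javascript',
    'powershell.*\s-e(nc|ncodedcommand)?\s', 'wscript', 'cscript', 'regsvr32.*/i:http'
)

function Test-PrintableName([string]$name) {
    # True if every character is printable ASCII. Hidden entries typically use
    # control characters or non-ASCII names so regedit cannot show or delete them.
    return ($name -match '^[\x20-\x7E]*$')
}

function Get-SuspiciousAutoruns {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $value   = [string]$item.GetValue($name)
            $reasons = @()
            if (-not (Test-PrintableName $name)) { $reasons += 'non-printable value name' }
            foreach ($p in $suspiciousPatterns) {
                if ($value -match $p) { $reasons += "command matches '$p'"; break }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    # Show the name with unprintable characters replaced so it is visible.
                    Name    = ($name -replace '[^\x20-\x7E]', '?')
                    Command = $value
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize -Wrap
```

This covers only the Run/RunOnce keys; services, scheduled tasks, WMI subscriptions and CLSID handlers are other places persistence lives, and Sysinternals Autoruns enumerates all of them. A value whose name is shown with `?` characters has to be removed using the exact name returned by `GetValueNames()` (for example with `Remove-ItemProperty -LiteralPath $key -Name $name`), because typing the name by hand will not match it.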


  3. Posts : 16,325
    W10Prox64
       #13

    youngtomlin said:
    I mention Poweliks because it's the only virus that comes to mind that closes Chrome. It's also located in the registry, so it could be hidden. I tried the suggestion of scanning in Malwarebytes offline and it detected a whole lot more. I then tried the RKill steps and was able to run the Poweliks cleaner, which successfully cleaned Poweliks as well.

    So I think most is gone now. I've managed to clean most things. The reason I don't reset is because of the applications I have on this pc and I don't have time to reinstall them as I use them for work.

    I'll mark it as solved now. Thanks to all the people that helped me. Thanks again.
    Hi.
    Thanks for posting your steps (MBAM offline, then RKILL steps, then Poweliks cleaner). I'm sure it will help others in the future who come here with similar problems.

    I would suggest running an ESET online scan for a final "all-clear", just to be sure.

    Then, get some Macrium imaging in place, and run it regularly. It's much easier to recover from things this way.
    Backup and Restore with Macrium Reflect Windows 10 Tutorials

    Cheers!


  4. Posts : 94
    Microsoft Windows 10 Home 64-bit
    Thread Starter
       #14

    Hello

    I will do this now and set up a backup.

    Thank you.


  5. Posts : 16,325
    W10Prox64
       #15

    youngtomlin said:
    Hello

    I will do this now and set up a backup.

    Thank you.
    Great. You're very welcome. :)


  6. Posts : 94
    Microsoft Windows 10 Home 64-bit
    Thread Starter
       #16

    Quick update. Eset came back all clear and Macrium backups are now in place.

    :)


  7. Posts : 10,929
    Win10 x64
       #17

    Good to hear! Thanks for posting back with an update.

    You will thank yourself time and time again in the future with Macrium. Total life saver.


  8. Posts : 16,325
    W10Prox64
       #18

    youngtomlin said:
    Quick update. Eset came back all clear and Macrium backups are now in place.

    :)
    Brilliant!
    If you have any issues with the operating system, let us know - could be some DISM commands will fix things.
    Matter of fact, you might run sfc /scannow from an admin command prompt to make sure the OS is in good shape after that attack.
    Cheers.
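The DISM and sfc /scannow suggestion above, carried out in the order that works and with the result read back from CBS.log rather than from the console. DISM repairs the component store that SFC copies replacement files from, so it runs first; SFC then writes a line tagged [SR] for every file it verifies, repairs or cannot repair. This is an added example, not code from the thread; it assumes an elevated PowerShell on Windows 10 and internet access so that DISM /RestoreHealth can fetch replacement files from Windows Update.

```powershell
# Added example (not from the thread): component-store repair followed by the
# System File Checker, with the outcome summarised from the logs.
# Assumptions: elevated PowerShell on Windows 10; DISM.exe and sfc.exe on PATH.

function Invoke-OsIntegrityCheck {
    # DISM exit code 0 means the store is healthy or was repaired; anything
    # else needs a look at C:\Windows\Logs\DISM\dism.log.
    & DISM.exe /Online /Cleanup-Image /RestoreHealth
    $dismExit = $LASTEXITCODE

    & sfc.exe /scannow
    $sfcExit = $LASTEXITCODE

    # SFC records its per-file results in CBS.log; every line starts with a
    # date, so keep only the [SR] lines written today (this run).
    $cbs     = Join-Path $env:windir 'Logs\CBS\CBS.log'
    $today   = (Get-Date).ToString('yyyy-MM-dd')
    $srLines = Select-String -LiteralPath $cbs -Pattern '\[SR\]' |
               Where-Object { $_.Line.StartsWith($today) } |
               ForEach-Object { $_.Line }

    [pscustomobject]@{
        DismExitCode    = $dismExit
        SfcExitCode     = $sfcExit
        RepairedFiles   = @($srLines | Where-Object { $_ -match 'Repairing|Repaired' }).Count
        UnrepairedFiles = @($srLines | Where-Object { $_ -match 'Cannot repair' })
    }
}

$result = Invoke-OsIntegrityCheck
$result | Format-List
if ($result.DismExitCode -ne 0 -or $result.UnrepairedFiles.Count -gt 0) {
    Write-Warning 'The integrity check found damage it could not repair; restore a known-good image or clean install rather than trusting this OS.'
}
```

The exit code of sfc.exe is reported for completeness, but the [SR] lines are the reliable record: a "Cannot repair member file" line names the exact file that is still wrong, which is what decides between "keep going" and "reinstall".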


  9. Posts : 16,325
    W10Prox64
       #19

    jimbo45 said:
    Hi folks

    If your computer is infected, don't waste your time spending hours trying to "disinfect" it. You can't ever be sure that the program does its job 100%.
    Hi.
    I have to disagree with this statement. If it were impossible to clean specific infections (like Poweliks), then tools would not be available to clean them. Yes, there are certain infections that simply cannot be completely cleaned because they modify too many system files. In these cases, it's clearly recommended to perform a clean install. But many infections are easy to clean, and take less time than a clean install, PLUS setting up all the user's personal software and licenses.

    jimbo45 said:
    Simply restore a clean image (Macrium Free if you have it)
    Unfortunately, there are many users who don't have imaging software/backups in place when they come here for help. Yes, it's good to recommend, but doesn't help at that point.

    jimbo45 said:
    You are also 100% isolated against Ransomware as well -- simply disconnect computer from internet, switch off immediately, re-boot your restore program and restore clean image.
    This is only true if the backup is not connected to the system at the time of infection, or after infection. Ransomware will attack all files, including connected external drives and network shares. So it's important to mention that the backups should be offline/disconnected from the computer when not being used. It should also be mentioned that the paid version of Macrium now has Image Guard, to prevent manipulation of the backups by nefarious actors.
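One way to act on the point above that backups must be offline when not in use, without relying on remembering to unplug the drive: keep the backup disk offline in Windows and bring it online only for the duration of the backup job. This is an added example, not code from the thread or from Macrium. It assumes the Storage module cmdlets (Windows 8 and later), an elevated PowerShell, and a disk Windows treats as fixed (a USB hard disk; flash sticks flagged as removable cannot be taken offline this way). The serial number and the robocopy job are placeholders for your own.

```powershell
# Added example (not from the thread): offline-by-default backup disk.
# The disk is found by serial number, not drive letter, so the script does not
# depend on which letter Windows hands out. Assumptions: elevated PowerShell,
# Storage module (Get-Disk/Set-Disk), hypothetical serial number below.

$BackupDiskSerial = 'WD-WX11A1234567'   # hypothetical; find yours with: Get-Disk | Select-Object Number, SerialNumber

function Get-BackupDisk {
    $disk = Get-Disk | Where-Object { $_.SerialNumber -and $_.SerialNumber.Trim() -eq $BackupDiskSerial }
    if (-not $disk) { throw "Backup disk with serial $BackupDiskSerial is not attached" }
    return $disk
}

function Invoke-OfflineBackup([scriptblock]$BackupJob) {
    $disk = Get-BackupDisk
    try {
        # Make the disk visible and writable only now.
        Set-Disk -Number $disk.Number -IsOffline $false
        Set-Disk -Number $disk.Number -IsReadOnly $false
        # Use whatever drive letter Windows mounted its first lettered volume at.
        $letter = (Get-Partition -DiskNumber $disk.Number | Get-Volume |
                   Where-Object { $_.DriveLetter -match '^[A-Z]$' } |
                   Select-Object -First 1).DriveLetter
        if (-not $letter) { throw 'Backup disk has no lettered volume' }
        & $BackupJob "$($letter):"
    }
    finally {
        # Whatever happened in the job, put the disk back out of reach.
        Set-Disk -Number $disk.Number -IsReadOnly $true
        Set-Disk -Number $disk.Number -IsOffline $true
    }
}

Invoke-OfflineBackup {
    param($Target)
    # Placeholder job: copy the Documents folder into a dated subfolder, so an
    # already-damaged file never overwrites the previous good copy.
    # Replace with your imaging tool's own command line.
    $dest = Join-Path $Target ("Documents-" + (Get-Date -Format 'yyyyMMdd-HHmm'))
    robocopy "$env:USERPROFILE\Documents" $dest /E /R:1 /W:1 | Out-Null
}
```

While the job runs the disk is reachable by everything else on the machine, so this narrows the exposure window rather than closing it; booting a separate read-only USB to take the image, as described later in the thread, removes even that window. The dated destination matters for the same reason: a mirror job would faithfully copy encrypted files over the last good ones.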


  10. Posts : 11,247
    Windows / Linux : Arch Linux
       #20

    Hi there

    I always have 100% disconnection from the Internet when taking backups and immediately store the backup device offline. My backups on Windows are run via a read-only bootable USB to load the backup/restore program.

    I should have mentioned that in the post!!

    I have to disagree, though, that using a virus cleanser type program is quicker than restoring a clean system, especially when SSDs and USB 3 devices are involved. On an SSD a typical Windows restore probably won't take more than 15 mins (if that), and you have 100% certainty your system is clean.

    As for DATA backups you need to control that in any way you see fit - there's no "one size fits all" method of data backups.
    However, the main problem here is how to know whether any DATA files have been corrupted by an attack. This actually is not a trivial exercise, and here I'm interested to know how people check for "data corruption". Note I'm talking about DATA here (personal files etc.) rather than the OS, which we've covered.

    It's possible for there to be an attack, say on your DATA files, which you might not know about. That's where a lot of these AV programs fail: they might be good at protecting the OS, but DATA is an increasingly valuable commodity. You can't just compare old and new files; they usually aren't in readable ASCII format.

    I've found the only way that seems "semi-reliable" is, any time I've changed a file, to re-open it with whatever application (e.g. Excel, or a multimedia program for music/video) and, if it is OK, then I send it away to a temporary folder on my Linux NAS server for final update at the end of the day. Not perfect, but I can't think of anything better here, so I'm open to ideas.

    Now we've got people more used to the idea of backing up and protecting the OS, we need to start sorting out the best way of protecting data before it gets saved to backups / cloud servers / NAS boxes etc.

    Cheers
    jimbo
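A concrete answer to the "how do you check for data corruption" question above: you don't compare file contents, you compare hashes. This is an added example, not the poster's method. It keeps a SHA-256 manifest of the data set, lists every file whose hash changed since the last run so the owner can confirm they actually changed it, and raises bulk warnings when a large share of files changed or vanished at once, or when a changed file's bytes look encrypted. The paths and thresholds are hypothetical.

```powershell
# Added example (not from the thread): hash manifest for detecting unexpected
# changes to personal data before it reaches the backup.
# Assumptions: $Root and $ManifestPath are hypothetical; thresholds are a
# starting point, tune them to your own data.

$Root            = 'D:\Data'                      # hypothetical data folder
$ManifestPath    = 'D:\manifests\data.sha256.csv' # hypothetical manifest location
$MaxChangedRatio = 0.10   # warn if more than 10% of files changed or vanished in one run
$HighEntropy     = 7.5    # bits per byte; plain documents are usually well below this

function Get-ByteEntropy([string]$Path, [int]$SampleBytes = 65536) {
    # Shannon entropy of the first $SampleBytes of the file, in bits per byte.
    # Encrypted (and compressed) data sits close to 8.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $SampleBytes
        $n   = $fs.Read($buf, 0, $SampleBytes)
    } finally { $fs.Dispose() }
    if ($n -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
    }
    return [Math]::Round($h, 2)
}

function New-Manifest([string]$Root) {
    # One row per file: path relative to $Root, SHA-256, size, modification time.
    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName.Substring($Root.Length).TrimStart('\')
            Hash     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Length   = $_.Length
            Modified = $_.LastWriteTimeUtc.ToString('o')
        }
    }
}

function Compare-Manifest($Old, $New) {
    $oldByPath = @{}; foreach ($e in $Old) { $oldByPath[$e.Path] = $e }
    $newByPath = @{}; foreach ($e in $New) { $newByPath[$e.Path] = $e }
    $changed = @(); $added = @(); $removed = @()
    foreach ($e in $New) {
        if (-not $oldByPath.ContainsKey($e.Path))      { $added   += $e }
        elseif ($oldByPath[$e.Path].Hash -ne $e.Hash) { $changed += $e }
    }
    foreach ($e in $Old) { if (-not $newByPath.ContainsKey($e.Path)) { $removed += $e } }
    [pscustomobject]@{ Changed = $changed; Added = $added; Removed = $removed }
}

$new    = @(New-Manifest $Root)
$accept = $true
if (Test-Path -LiteralPath $ManifestPath) {
    $old  = @(Import-Csv -LiteralPath $ManifestPath)
    $diff = Compare-Manifest $old $new
    # List every change; only the owner knows which ones were made on purpose.
    foreach ($e in $diff.Changed) {
        $entropy = Get-ByteEntropy (Join-Path $Root $e.Path)
        $flag = if ($entropy -ge $HighEntropy) { '  <- looks encrypted/compressed' } else { '' }
        "CHANGED  $($e.Path)  entropy=$entropy$flag"
    }
    $diff.Removed | ForEach-Object { "REMOVED  $($_.Path)" }
    $diff.Added   | ForEach-Object { "ADDED    $($_.Path)" }
    $ratio = if ($old.Count -gt 0) { ($diff.Changed.Count + $diff.Removed.Count) / $old.Count } else { 0 }
    if ($ratio -gt $MaxChangedRatio) {
        Write-Warning ("{0:P0} of files changed or vanished since the last run; manifest NOT updated, check them before backing up." -f $ratio)
        $accept = $false
    }
} else {
    Write-Host 'No previous manifest; recording baseline.'
}
if ($accept) {
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $ManifestPath) | Out-Null
    $new | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}
```

The reliable signal here is "a file I did not touch has a different hash", which is why every change is listed rather than only the flagged ones. The entropy flag is supporting evidence only: formats that are already compressed (docx/xlsx, jpg, mp3, zip) score close to 8 even when healthy, so it means something for plain text, CSV, older .doc/.xls and similar, and nothing for media. The manifest itself has to live somewhere the data's attacker cannot reach (the same offline disk as the backups, or the NAS share mounted read-only), otherwise it can be rewritten along with the files.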


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd