Trojan. Poweliks and .Adclicker removal HELP, please!

Hello, my Windows 7 Home Premium SP1 desktop is running the most current and recent updates of NIS and MBAM; however, Task Manager is showing numerous instances of dllhost.exe*64 running. NIS gives me warnings that Trojan.Poweliks and Trojan.Adclicker have been detected, along with a couple of IPs which have been blocked, but apparently I'm already infected.  I've run MWAR and NPE, but they did not fix the problem. I can kill the excess dllhost.exe*64's by unplugging the modem and killing the processes, but they eventually re-appear after a while, or after a re-boot. A dllhost.exe*32 seems to reappear with the same Process ID in the command line of the Task Manager each time. The excess dllhost.exe's seem to be slowing down my PC and bandwidth. Is there anything I can do to eliminate this? Are my PC and personal data at risk?  Thanks in advance.

回复

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Hi, dllhost.exe may also be used by legitimate programs. If you strongly believe that your system is infected, please work with a trained malware removalist at any of the sites listed in the following link: https://community.norton.com/forums/malware-removal-forum-recommendations
regards, CV | There is no ONE TOUCH KEY to security. Be alert and vigilant. | Always have a Backup Plan!
Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

I have exactly this same problem.  I have over a dozen dllhost.exe*32 processes running and they're all accessing various known ad tracker web sites, only a few of which are detected by Norton 360.  I've tried NPE, Malwarebytes, Avast!, SpyHunter, and others, but so far nothing has found the actual malware.  As with test500man's case, unplugging my computer from the network eventually causes them all to die, but they eventually come back if I reconnect.

I can't tell if it's dllhost.exe itself that's infected or if there's some dll that uses dllhost.exe as its conduit.  I've tried analyzing the malware processes through various tools but I've found no information to tell me what bad dll is invoking dllhost.exe, or if dllhost.exe itself is the culprit.

Short of reinstalling Windows 7, does anyone have any suggestions for dealing with this?

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

At the moment I have like 30 active threads on my board for systems to be cleaned, reminds me of the Zeroaccess explosion

We are slowly, step by step, cleaning systems so that Poweliks and any other malware is gone.

Quads 

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Yup. That's right, Quads. I see a lot of flooding of these types on malware removal forums (including yours). Can you point out what's the root cause for this? Like drive-by downloads, toolbars, etc.
regards, CV | There is no ONE TOUCH KEY to security. Be alert and vigilant. | Always have a Backup Plan!
Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

WARNING: Norton Internet Security does not detect or block the installation of the Poweliks Trojan, nor remove it from your system. It only notices when your system tries to connect to the foreign machines.

I noted the same problem at the start of this thread today on two machines in my office. Both are running almost new installs of Windows 7. Less than 30 days old. Both are very "clean" machines - no downloads, no random browsing, pure work machines.

Both are running Norton Internet Security.

Both started displaying the following Security Warning:

An intrusion attempt by f0fff0.com was blocked.
IPS Alert Name     System Infected: Trojan.Powelik Activity
Default Action        No Action Required
Action Taken         No Action Required

"The attack was resulted from \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DLLHOST.EXE"

Shortly after, another warning came up

IPS Alert Name     System Infected: Trojan.AdClicker Activity

Same source info.

Shortly after that, a warning popped up for HIGH Usage: COM Surrogate

In the task manager, multiple instances of DLLHost  with description COM Surrogate were running, each with very high usage.

I ran a full system scan on each, which revealed no warnings or virus activity.

I ran Norton Power Eraser, again, no results.

Since this clearly wasn't isolated to one machine, I connected via a support session with Norton.

This is where the response becomes troubling and absurd.

I explained the messages and the situation and the tech insisted my machine was not infected. That it was blocking an attempt by an outside machine to connect with mine. I disagreed.

I allowed the tech access to my machine - this is the exchange that followed - note the insistence that my machine is/was *NOT* infected:


3:24 PM NORTON TECH: As I have checked, Norton has blocked the access of the applications that are unsafe for yoru system. There is no issue with that.

3:24 PM NORTON TECH: *your

3:25 PM ME: okay, the notices said "system infected", both machines are reporting the same thing plus all the instances of "Com Surrogate" running under the DLL host process. In the Norton forums it reports this as part of a malware/trojan infection that Norton does not detect on the system, but detects the signatures when the process tries to connect to the outside machine

3:26 PM NORTON TECH: Could you please show me that messages?

3:26 PM ME: "SYSTEM INFECTED: Trojan Adclicker

3:27 PM ME: System infected trojan.powelik

3:28 PM NORTON TECH: Yes, it was the name of the alert.

3:28 PM ME: so the alert is named "System Infected" but the system is not infected?

3:28 PM NORTON TECH: As you can see, it is blocked by Norton.        ((( Totally non-responsive answer )))
3:28 PM NORTON TECH: Yes, your system is totally safe.

3:29 PM ME: how about all the "Com Surrogate" instances that seem to be related to this issue

3:29 PM NORTON TECH: I will run Norton Power Eraser to ensure this.

3:29 PM ME: I have already run norton power eraser on both systems, it detects nothing.

3:30 PM ME: the systems are behind a firewall, so the connection attempts to those IPs say "Resulted from Dllhost.exe" that seems to imply an internal source on the machine, trying to connect to the external IP address

3:30 PM ME: is that not correct?

3:31 PM NORTON TECH: I will check this.

3:31 PM ME: thank you

3:31 PM NORTON TECH: Please allow me a few minutes.

3:32 PM ME: okay thanks

3:40 PM NORTON TECH: You might have downloaded some freeware on your PC; that is why your dll file has been corrupted. When you allow it to run on your PC, that gives permission to edit dll files and that is why it is giving you messages.

3:41 PM ME: no freeware has been downloaded to this machine prior to the infection showing. This is my secondary machine. My primary is also infected/altered however you want to put it. That machine has zero downloaded software.

3:41 PM ME: I've never had a virus on a computer prior to this, and it's affecting two machines with the same issues - com surrogate, etc.

3:41 PM NORTON TECH: You need to run the Microsoft Malicious Software Removal Tool too, as the dllhost file is related to Microsoft and other scanners may cause damage to the dll file.

3:42 PM ME: okay, I can do that. Are you saying in fact the DLL is infected, and if so, how is it getting past Norton to begin with?

3:43 PM NORTON TECH: I think it is damaged that is why it is trying to connect other sources to repair.

3:43 PM ME: okay, but again, how is it damaged on two machines, both reporting a virus / infected machine via Norton, but it won't detect the actual virus?

3:43 PM ME: and there is the Norton warning popping up as we speak

3:44 PM NORTON TECH: There are thousands of threats created everyday and some malware is designed specifically to disable Norton's anti-virus software. Trojans and worms can be very difficult to fix because they contain no clean code which Norton can repair automatically; instead, they have to be manually removed.

3:44 PM ME: those other sources are in Europe. I don't think it is connecting for repair lol

3:44 PM NORTON TECH: There are thousands of threats created everyday and some malware is designed specifically to disable Norton's anti-virus software. Trojans and worms can be very difficult to fix because they contain no clean code which Norton can repair automatically; instead, they have to be manually removed.

3:44 PM ME: okay, so I am 100% clear - Norton didn't block this and can't fix it.

3:45 PM ME: I mean, it blocks the outgoing connection attempts, but didn't stop the infection.

3:45 PM NORTON TECH: This may be damaged or infected but Norton is blocking the connection so that means you are safe.

3:46 PM ME: it's not blocking all the com surrogate instances, so I don't really feel safe. I guess we have a different definition of safe. What worries me most is how the machines became infected while I was running Norton. Based on what I'm seeing in the forum, this is a high risk threat and it's rampant

3:47 PM ME: are there any notes on this or any info on what may be being done to fight it/remove it?

So, the point of all this being, this is a serious issue. It is infecting machines and Norton does not seem to have an answer as to how, or even the ability to detect that the machine is infected.

It required another piece of software - "ComboFix" to run and detect this:

CLSID={AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - infected with Poweliks and removed.

I do not recommend using this program, as it is apparently extremely aggressive and may affect other processes. I ran it on the newest machine with the least risk of losing any application data just to see if the Poweliks infection was detected.

The only two options I have found suggest either reformatting the primary drive and reinstalling the operating system and all software or taking the aggressive approach of using a scanner like ComboFix. At this time, since there seems to be no information offered on how the initial infection is occurring past the Norton Internet Security program and firewall, it seems as though there is some system flaw being exploited that needs to be addressed else reinfection will just re-occur.

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Quads, is there any indication whatsoever on how these Trojans are infecting the machines?

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

I have the exact issue listed above. My router logs show attacks, I get the Norton pop ups, I ran Power Eraser... nothing. I released the IP on the WAN side, now using a third new IP.. still see pop ups. Have no idea how to stop this; my ISP is Comcast, I see them listed a lot on the Internet when I google this problem.

Anyone have an idea how to get rid of this? 

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Just ran "Microsoft Windows Malicious Software Removal Tool - OCT 2014"... nothing

still see 4 instances of the dllhost.exe *32 from C:\Windows\SysWOW64 running with the highest memory usage as well.

Odd, I have used Norton religiously for myself and customers for years and never had issues. The only thing I am doing differently since I moved here is bridging the modem from Comcast while using my own router with NAT. In the past I never worried about the potential redundant NAT issues you read about, which led to them putting my modem in bridge mode..... maybe redundant NAT wasn't so bad after all. haha

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Hi,

I do not know the exact damage that is caused by those 2 trojans, but I would insert a system image recovery cd, like SSR 13 or other, boot from this then restore a previously made full system image from an external HDD.

Regards,

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

...wish I had ghosted this drive on an external one, didn't happen

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

I ran the Windows Malicious Software Removal Tool as well - it found nothing. The only program that located the Trojan was the ComboFix program.

Reading about this particular Trojan, it's identified as being "Fileless". It runs initially from the registry, through an encrypted bit of JavaScript. Then does some insidious stuff with powershell.

What I haven't seen is what exactly the COM Surrogate instances do.

I did not see any side effects ( yet ) after running ComboFix. But it comes with multiple warnings about being used with instructions from an expert, etc. If you have nothing else to lose...look for one of the threads on malwaretips.com for details and instructions on download and use.

I'm troubled that my paid system security solution is trumped by a free system scanner and cleaner.

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

More followup:

With Norton Internet Security running, and despite the Norton tech advising me my system is "protected" and that the warning popups indicate attacks are being blocked, I've been running Netstat -b in administrative mode and waiting for another occurrence.

These are the netstat results as a slew of COM Surrogate processes launched. This is just a small segment before shutting down the connection on that machine.

The browser was closed at the time, yet many times the ownership info said iexplore.exe, then System, then finally "Can not obtain ownership information".

Clearly, the system is *NOT PROTECTED* as this shows literally hundreds of established connections and they just kept streaming in the command window and Norton Internet Security, after one popup claiming a threat had been blocked, apparently went to sleep while this slew of connections was established:

  TCP    192.168.1.7:58616      199.233.57.10:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58617      199.233.57.10:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58618      184:http               ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58619      184:http               CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:58620      ec2-54-165-243-57:http  CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:58621      ec2-54-165-243-57:http  CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:58622      ec2-107-22-166-212:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58623      ec2-107-22-166-212:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58626      208.146.36.21:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58627      208.146.36.21:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58630      ec2-54-84-145-193:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58631      ec2-54-84-145-193:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58634      216.151.217.10:http    CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:58635      216.151.217.10:http    CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:58636      ec2-54-225-80-102:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58637      ec2-54-225-80-102:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58640      198.8.70.115:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58641      198.8.70.115:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58642      ec2-23-23-168-175:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58643      ec2-23-23-168-175:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58645      198:http               ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58647      184.164.143.90:http    ESTABLISHED
 [iexplore.exe]
  TCP    192.168.1.7:58648      184.164.143.90:http    ESTABLISHED
 [System]
  TCP    192.168.1.7:58652      ec2-23-23-72-118:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58653      ec2-23-23-72-118:http  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58654      63.135.172.251:http    ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58655      63.135.172.251:http    ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58659      93.190.67.157:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58660      93.190.67.157:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58663      ec2-107-22-193-87:http  CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:58664      ec2-107-22-193-87:http  CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:58675      195.2.240.79:http      SYN_SENT
 [dllhost.exe]
  TCP    192.168.1.7:58679      8.30.11.13:http        ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58680      199.233.57.10:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58681      199.233.57.10:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58682      66.45.56.124:http      CLOSE_WAIT
 [System]
  TCP    192.168.1.7:58688      69.172.216.58:http     ESTABLISHED
 [System]
  TCP    192.168.1.7:58695      yk-in-f102:http        ESTABLISHED
 [System]
  TCP    192.168.1.7:58701      a23-218-80-133:http    ESTABLISHED
 [System]
  TCP    192.168.1.7:58703      a23-218-80-133:http    ESTABLISHED
 [System]
  TCP    192.168.1.7:58705      a23-218-80-133:http    ESTABLISHED
 [System]
  TCP    192.168.1.7:58708      a23-62-6-97:http       ESTABLISHED
 [System]
  TCP    192.168.1.7:58714      float:http             ESTABLISHED
 [System]
  TCP    192.168.1.7:58720      rtas-21:http           TIME_WAIT
  TCP    192.168.1.7:58721      rtas-21:http           ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58722      rtas-21:http           TIME_WAIT
  TCP    192.168.1.7:58723      rtas-21:http           ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58724      rtas-21:http           ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:58725      rtas-21:http           TIME_WAIT
  TCP    192.168.1.7:58732      float:http             ESTABLISHED
 [System]
  TCP    192.168.1.7:58733      64.49.225.166:http     ESTABLISHED
 [System]
  TCP    192.168.1.7:58735      liverail:http          TIME_WAIT
  TCP    192.168.1.7:58739      104.20.22.8:http       ESTABLISHED
 [System]
  TCP    192.168.1.7:58741      a23-62-6-96:http       ESTABLISHED
 [System]
  TCP    192.168.1.7:58743      ip-184-168-72-35:http  LAST_ACK
 [System]
  TCP    192.168.1.7:58744      ip-184-168-72-35:http  LAST_ACK
 [System]
  TCP    192.168.1.7:58745      ip-184-168-72-35:http  ESTABLISHED
 [System]
  TCP    192.168.1.7:58746      ip-184-168-72-35:http  ESTABLISHED
 [System]
  TCP    192.168.1.7:58747      23.235.39.166:http     ESTABLISHED
 [System]
  TCP    192.168.1.7:60886      166.98.7.22:http       ESTABLISHED
 [NIS.exe]
  TCP    192.168.1.7:60941      195.2.240.80:http      CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:60942      195.2.240.80:http      CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:60946      88.214.193.212:http    CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:60952      31.184.192.90:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60953      31.184.192.90:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60954      166.98.7.15:http       ESTABLISHED
 [NIS.exe]
  TCP    192.168.1.7:60955      88.214.193.212:http    ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60957      95.215.1.57:http       ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60959      184.164.143.90:http    CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:60960      184.164.143.90:http    CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:60961      64.71.187.120:https    ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60962      64.71.187.120:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60963      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60964      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60965      64.71.187.126:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60966      64.71.187.126:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60967      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60968      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60969      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60970      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60971      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60972      64.71.187.126:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60973      64.71.187.126:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60974      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60975      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60976      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60977      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60978      72.52.66.114:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60979      108.161.188.209:http   CLOSE_WAIT
 Can not obtain ownership information
  TCP    192.168.1.7:60980      64.71.187.126:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60981      yk-in-f102:http        ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60982      atl14s08-in-f30:https  ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60983      64.71.187.126:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60984      64.71.187.126:http     ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60985      108-61-42-10:http      ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.7:60986      66.155.21.187:http     TIME_WAIT
  TCP    192.168.1.7:60987      64.71.187.126:http     ESTABLISHED
 Can not obtain ownership information

and so on.

Kudos 0
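The netstat -b listing above was read by eye. The following PowerShell script is an added example, not code from the thread or from any vendor: it runs `netstat -ano` (which prints the owning PID instead of the image name) and joins each outbound TCP connection to a Win32_Process snapshot, so connections whose owning PID no longer exists are labelled explicitly. That a "Can not obtain ownership information" line in netstat -b usually means the owning process has already exited (or cannot be opened) is this editor's interpretation, not a statement from the post. It assumes Windows 7 with PowerShell 2.0 or later, run from an elevated prompt; the filtering rules and column names are the editor's choice.

```powershell
# Added example: map live outbound TCP connections to their owning processes,
# i.e. the manual reading of the netstat -b listing above, done by script.
# Not from the thread or any vendor. Run elevated so ExecutablePath resolves
# for processes owned by other accounts.
$procs = @{}
foreach ($p in Get-WmiObject Win32_Process) { $procs[[int]$p.ProcessId] = $p }

# netstat -ano prints the owning PID rather than the image name, e.g.
#   TCP    192.168.1.7:58616      199.233.57.10:80       ESTABLISHED     2316
# TIME_WAIT rows carry PID 0 and LISTENING rows are not outbound; both are skipped.
$conns = @()
foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
        $state = $matches[3]
        if ($state -eq 'LISTENING' -or $state -eq 'TIME_WAIT') { continue }
        $remote = $matches[2]
        if ($remote -match '^(127\.|\[::1\]|0\.0\.0\.0|\*:)') { continue }
        $ownerPid = [int]$matches[4]
        $owner = $procs[$ownerPid]
        # A PID with no live process is the case netstat -b reports as
        # "Can not obtain ownership information": the socket outlived its process
        # (editor's interpretation).
        $ownerName = if ($owner) { $owner.Name } else { '(exited)' }
        $ownerPath = if ($owner) { $owner.ExecutablePath } else { '' }
        $conns += New-Object PSObject -Property @{
            Pid = $ownerPid; Owner = $ownerName; Path = $ownerPath
            Remote = $remote; State = $state
        }
    }
}

Write-Output ("{0} outbound TCP connections" -f $conns.Count)

# Connection count per owning image: a dozen dllhost.exe or '(exited)' rows
# talking to ad-server addresses is the pattern described in this thread.
$conns | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail rows for the suspicious owners only.
$conns | Where-Object { $_.Owner -ieq 'dllhost.exe' -or $_.Owner -eq '(exited)' } |
    Sort-Object Remote | Format-Table Pid, Owner, Remote, State, Path -AutoSize
```

Run it repeatedly while the COM Surrogate processes are spawning; because the snapshot and the netstat call are taken a moment apart, a short-lived dllhost.exe can still land in the "(exited)" bucket, which is exactly the ambiguity the netstat -b output above shows.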

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Also try this if the above cannot solve the problem.

http://www.eset.com/int/download/utilities/detail/family/252/

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Nothing is happening here, went elsewhere and getting help. Man, I can't believe 10 hours of my time so far clearing this up because Norton doesn't recognize the issue; it didn't stop it at all, sure it blocks it, but it didn't catch it to begin with. btw Thank you for that Symantec, I just woke up from 3 hr sleep, back at it so I can get this fixed.

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Just adding a "me too" to this thread.  My Windows Vista (always updated) desktop has been infected with this virus since about October 16.  I am about to try to get it fixed after real life made it impossible for me to sit for hours with a sick computer when I have a sick parent in the hospital to take care of.

Wondering about a couple of things:

  • This happened a few days after downloading MS Patch Tuesday updates on October 15. (I hold off installing until I see if people are having problems with the updates so I hadn't installed them yet.)
  • Could it be a router vulnerability?  When I disconnect the pc from online, I don't get the Norton notices about these two trojans. When I get back online, my computer seems to get taken over by COM Surrogate or MS Search Indexer and freezes and my mouse doesn't work right and I have to shut down.

Still a bleeping mess for me to clean up.  I'll have to try to backup everything first.

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

I am the original poster of this thread. ComboFix seems to have fixed this problem for me whereas no other programs could even identify that there is an obvious infection.

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

No, as we have users where Combofix won't, and now one user appears to have damage afterwards.

There is a reason why there are warnings for Combofix and some other tools: not to use them unless under supervision.

I don't know whether I will be able to fix the problem after Combofix now on this user's system.

Quads

Kudos 1

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

I ask the OP and others who have trouble with this malware / issue to take a few minutes to visit (not sign up) some forums at https://community.norton.com/forums/malware-removal-forum-recommendations and see what's going on there. If you go through a few random threads listed, you may see how unsupervised use of ComboFix has just SCREWED the task of MR rather than cleaning the mess.
regards, CV | There is no ONE TOUCH KEY to security. Be alert and vigilant. | Always have a Backup Plan!
Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

I've never had a virus like this since I've owned this computer. Neither Norton nor Malwarebytes caught this. I scanned in Safe Mode but didn't use Power Eraser, but other posts suggest that is useless.  I'll be taking the problem to one of the recommended forums.  I'm just a home computer user, so not a techie, and worried about the removal process and losing my personal stuff.  I'm going to try to back things up first if I can.

Kudos 5

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

I am not going to mark this as solved, but this worked for me...  If someone else has success with this process, please mark it as solved.  There are many posts about this and a solution would help a lot of folks.

Yesterday, my wife's computer started spawning multiple processes of "dllhost.exe - COM Surrogate" and Norton kept blocking both Trojan.AdClicker and Trojan.Powelik.  First I tried running a Norton scan which basically froze the computer.  Then I tried the Norton Power Eraser which found nothing...  The process that worked for me is documented here:  http://www.adlice.com/poweliks-removal-with-roguekiller/ 

  • 1- Do a scan with RogueKiller. Do not close the window.
  • 2- Kill all dllhost.exe processes (for example with Process Explorer, kill tree)
  • 3- Do the removal with RogueKiller
  • 4- Reboot immediately

I downloaded the 64 bit RogueKiller (I'm running 64 bit Win7)  from the Adlice web site (to ensure the latest version).  You also need the Process Explorer which can be found here: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

When following the process, you need to right click Process Explorer (procexp.exe) and "run as administrator".  You need to delete all instances of dllhost.exe.  The top level process won't go away without administrator privileges.  I found that out the hard way.  Needed to do it multiple times before it dawned on me that the highest level process was staying behind.  Note that when scanning with RogueKiller, you do two scans, a pre-scan and a scan (using the same scan button). Offending items highlighted in red ( on the various tabs of RogueKiller) will be deleted when you push the delete button. Reboot and you should be good.

I also downloaded Malwarebytes and ran it as well.  It found about 100 entries that Norton ignored.  I don't know if they contributed to the Trojan problems but there were several PUPs that are now gone.  I'm going to run both virus programs for a while.  Not ideal, but that's okay.

I'll monitor the board if you have questions... Hope this helps someone.

Kudos 0
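The four steps above (scan, kill every dllhost.exe including the top-level one, remove, reboot) hinge on getting all of the surrogate processes down at once. The script below is an added PowerShell triage helper written for this editor's note, not the RogueKiller procedure itself or any vendor's code. It lists every dllhost.exe with its parent, path and command line (the /Processid:{CLSID} argument shows which COM class a surrogate was launched to host, which speaks to the earlier question of whether dllhost.exe itself or a DLL riding inside it is the culprit), kills the whole process tree when run with -Kill, and then checks whether the CLSID that ComboFix reported on one poster's machine, {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}, has a per-user copy under HKCU\Software\Classes. That a per-user COM registration takes precedence over the machine-wide one and is not expected for this CLSID on a clean system is this editor's assumption; the script only reports it and deletes nothing, so it fits the thread's advice to leave the removal itself to the cleaner. It assumes Windows 7 with PowerShell 2.0 or later, run as administrator.

```powershell
# Added triage helper for the dllhost.exe / Poweliks symptom in this thread.
# Not from the thread, RogueKiller or any vendor. Run from an elevated PowerShell:
#   .\dllhost-triage.ps1          report only
#   .\dllhost-triage.ps1 -Kill    also kill every dllhost.exe and its children
param([switch]$Kill)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "Not elevated: the top-level dllhost.exe will survive Stop-Process."
}

# One snapshot of all processes. Win32_Process exposes ParentProcessId,
# ExecutablePath and CommandLine, which Get-Process does not on Windows 7 / PS 2.0.
$all   = @(Get-WmiObject Win32_Process)
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

function Get-Descendants([int]$ParentId) {
    # Walk ParentProcessId links; children are listed before their parent
    # so the tree can be killed bottom-up.
    $out = @()
    foreach ($c in ($all | Where-Object { [int]$_.ParentProcessId -eq $ParentId })) {
        $out += Get-Descendants ([int]$c.ProcessId)
        $out += [int]$c.ProcessId
    }
    return ,$out
}

$hosts = @($all | Where-Object { $_.Name -ieq 'dllhost.exe' })
Write-Output ("dllhost.exe instances: {0}" -f $hosts.Count)
foreach ($h in $hosts) {
    $parent = $byPid[[int]$h.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '(exited)' }
    Write-Output ("PID {0,6}  parent {1} ({2})" -f $h.ProcessId, $parentName, $h.ParentProcessId)
    Write-Output ("      path: {0}" -f $h.ExecutablePath)
    # /Processid:{CLSID} names the COM class this surrogate was started to host.
    Write-Output ("      cmd:  {0}" -f $h.CommandLine)
}

# Per-user COM registration under HKCU\Software\Classes takes precedence over the
# machine-wide HKLM entry. ComboFix reported this CLSID on one poster's machine;
# a per-user copy of it is not expected on a clean system (editor's assumption,
# so the script only reports and deletes nothing).
$clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'
foreach ($path in @("HKCU:\Software\Classes\CLSID\$clsid",
                    "HKCU:\Software\Classes\Wow6432Node\CLSID\$clsid")) {
    if (-not (Test-Path $path)) { Write-Output "No per-user override at $path"; continue }
    Write-Warning "Per-user COM registration found: $path"
    foreach ($key in @(Get-Item $path) + @(Get-ChildItem $path -Recurse)) {
        $props = (Get-ItemProperty -Path $key.PSPath).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }
        foreach ($v in $props) {
            Write-Output ("  {0}  [{1}] = {2}" -f $key.Name, $v.Name, $v.Value)
        }
    }
}

if ($Kill) {
    $targets = @()
    foreach ($h in $hosts) {
        $targets += Get-Descendants ([int]$h.ProcessId)
        $targets += [int]$h.ProcessId
    }
    foreach ($t in ($targets | Select-Object -Unique)) {
        Stop-Process -Id $t -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 2
    $left = @(Get-Process -Name dllhost -ErrorAction SilentlyContinue)
    if ($left.Count -gt 0) {
        Write-Warning ("{0} dllhost.exe still running; re-run elevated, then run the cleaner and reboot." -f $left.Count)
    } else {
        Write-Output "All dllhost.exe instances terminated; run the cleaner's removal step and reboot now."
    }
}
```

Run the report first and keep the output: the command lines tell you which CLSIDs the surrogates were hosting, and the per-user registry listing is what a malware-removal helper will ask for. Only use -Kill immediately before the cleaner's removal step, since, as the posts above note, a single surviving dllhost.exe can re-create the registry entry.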

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Hopefully Norton doesn't censor posts linking to competing AV products, but you might want to give Kaspersky's Rescue 10 live CD a try. It's no longer supported by Kaspersky, but they do update the definitions. You can get the ISO here: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso I ran it and it found one infection on the root drive I believe was responsible on the infected PC. It takes quite a long time to complete, so pack your patience (as if you haven't already). Once I completed, disinfected and restarted, I am no longer seeing the dozens of dllhost.exe files that I was before. The system is much more responsive and the CPU fan isn't spinning up like crazy as it was before. For good measure, I ran the ESET Poweliks Cleaner that breathejustie so kindly linked to, which did hit on the infection and claims to have removed it. I'm continuing to monitor the system and run some supplemental scans, but so far, so good.

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

I'm falling down the same rabbit hole. Thanks for your documentation. I have current Norton AV running with current definitions and I am very careful about what I download and even look at online, but I got the Poweliks and Adclicker virus. I ran Power Eraser and a Full System Scan and still have Poweliks and Adclicker. The system grinds to a near halt with a lot of disk access and processes running. I will try some of the suggestions tomorrow. I have already spent many hours trying to resolve this and it's becoming a point of pride to try to disinfect my computer and not let the virus win!
Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Hi, rlajeunesse. Stick to the recommended forums. Pick one and stay with them, until your system is fixed.

Do not try to fix it yourself.

https://community.norton.com/forums/malware-removal-forum-recommendations

Windows 10 Home X 64 Norton Security Premium Current
Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Scotthoot, your suggestion worked great for the Trojan.powelik on my computer. Thank you. Several comments for other users.

1. The links for downloading RogueKiller weren't so obvious to me on the AdLice.com website. You will find them near the top of one page as text links without pics: One for 32 and another for 64 bit machines.

2. A process editor on my machine: press ctrl alt del, select task manager, select process tab.

3. Make sure to terminate all DLLhost.exe instances and then press the delete at the end of the scan (in AdLice). If one of DLLhost processes remains, it can spawn the infection in the key again.

4. Apparently, the Trojan.powelik has been changed in late October 2014 and requires the updated AdLice RogueKiller.

5. RogueKiller is free but it's good to express appreciation through a small donation.

Mike

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Mike, glad the process worked for you.  I'm going to mark this as solved.  Agree with your point 5.  Nice to donate to the folks who wrote RogueKiller.  To your points 2&3, I used Process Explorer to delete entire process tree.  As long as you delete all instances of dllhost.exe, the process should work.

Original post here: https://community.norton.com/comment/6009491#comment-6009491

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

A comment can be marked accepted as answer only by the OP. Do you think your system is clean just by killing Poweliks? Who knows if it had invited its friends to pay a visit to you.
regards, CV | There is no ONE TOUCH KEY to security. Be alert and vigilant. | Always have a Backup Plan!
Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

I'm a new member, could you post a link to the rules?  If I violated a rule, please accept my apologies.

As a side note, I've never been on a board where people are trying to push me somewhere else.  Why is that?  Why not use this forum and maintain continuity of the thread?

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Scotthoot:

I wish to thank you, I was fighting the Trojan, Poweliks and Adclicker for about a week.  I tried your method using Roguekiller and Process Explorer,  it worked great and my system is back to normal.    Yes, I did the same as you and tried it without right clicking on Process Explorer and it did not work.    Again, thank you so much.

Red

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

Scotthoot;

Your method worked great for me.  My system is back to normal after being down for  a week.

Again, Thank you so much.

Red

Kudos 0

Re: Trojan. Poweliks and .Adclicker removal HELP, please!

This is for Scotthoot>    Your method also worked for me.  I placed both of the tools on the desktop and adjusted their size to fit side by side.  Followed your instructions and was done in a matter of minutes.  After the reboot I also did another scan with RogueKiller and another one with Malwarebytes looking for any other malware.

In reality I was at the point of considering the purchase of a new machine but you saved me the money.   I spoke with Norton three times and they were lost with no idea of what to do.  They reloaded their Norton suite but that is a waste of time.  Also found out this has been around a long time and was found by G Data Researchers in Germany last year.  Done lots of reading and found out where this thing lives in the computer and what it does and some of how it works.  Now I know why it's hard to get rid of.

But anyway, hats off to you.
