Here is some more new malware that is hitting computers today. Thankfully there is a tool that can remove this one (or at least it did in my case). This blog post is about the Poweliks virus. You can find more detailed information about it on a couple of other sites; I have the links at the bottom of the article.
The G DATA SecurityLabs have analyzed persistent malware which resides in the registry only and therefore does not create any file on the infected system. An overview of this mechanism was first described quite recently in the KernelMode.info forum. The analyzed sample is dropped by a Microsoft Word document which exploits the vulnerability described in CVE-2012-0158. The document was reported to be found as an attachment of fake Canada Post and/or USPS emails which claim to hold information about ordered items for the recipient of the spam.
I connected to a customer's computer the other day. The laptop's CPU usage was near 100% and it had all kinds of crazy processes running. One process in particular was named inobbcrsb.exe. This process was posing as a Google Chrome process. fixmapi.exe and msfeedssync.exe were also using up an incredible amount of processing power.
First off, download Process Explorer. It shows far more about what is actually happening with the processes on your computer than Task Manager does. I knew inobbcrsb.exe had to be no good! I right-clicked on the process in the process tree and suspended it, then checked the path it was launching from. It was a really weird path: C:\Users\{username}\AppData\LocalLow\AskToolbar\bshycmeply\Hwexraefdcm. In the Hwexraefdcm folder was the inobbcrsb.exe file. I decided to rename the executable to something different (inobbcrsb.exe5). You may need a tool such as Unlocker (see below) to rename the file if it is still running on your computer.
In the Hwexraefdcm folder I also found an executable called rundll32.exe. I checked the properties of this executable and found, under the Details tab, that the original file name was rundll.exe instead of rundll32.exe. This confirmed my suspicion that this file was bad. I renamed this file as well.
I checked Process Explorer and Task Manager. The processes had cleared up somewhat, but the CPU usage was still quite high. I noticed PowerShell would randomly start up and use processor power. I also noticed the msfeedssync.exe, dvdupgrd.exe, and dllhst3g.exe processes were uploading all kinds of traffic to the web.
Another suspicious file I found was stored under C:\Users\{username}\AppData\LocalLow: a DLL named juxcini.dll.
Again, I checked the original file name under Details. The original file name was SDL_net.dll. (SDL_net.dll is the file name of the open-source SDL networking library, so this may be a renamed copy of a legitimate library; the mismatch between the name on disk and the name in the version resource is the tell, not the library itself.)
I renamed this DLL as well. If you can't rename the file because it is in use, download Unlocker and you will be able to rename it.
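The checks above (where is the executable launching from, does the name on disk match the OriginalFilename in its version resource, is a "system" binary running from a user-profile folder) can be done for every running process at once. The script below is an added example for this post, not the author's tooling or RogueKiller's; it assumes PowerShell 3.0 or later on the suspect machine, run from an elevated prompt, and the binary names it watches for are just the ones mentioned in this post. It reports processes, not fixes them, so it can be run before you start suspending or renaming anything in Process Explorer.

```powershell
# Added example, not from the original post. Flags running processes that show
# the warning signs described above. Run elevated on PowerShell 3.0+.

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Binaries this post saw impersonated or abused; extend the list as needed.
$systemNames = @('rundll32.exe', 'dllhost.exe', 'powershell.exe',
                 'fixmapi.exe', 'msfeedssync.exe', 'dvdupgrd.exe', 'dllhst3g.exe')

# Profile locations that should rarely host long-running executables.
$profileDirs = @(
    $env:LOCALAPPDATA,
    $env:APPDATA,
    (Join-Path $env:USERPROFILE 'AppData\LocalLow')
)

# Parent PID lookup built once, instead of one WMI query per process.
$parentOf = @{}
Get-CimInstance Win32_Process | ForEach-Object {
    $parentOf[[int]$_.ProcessId] = [int]$_.ParentProcessId
}

function Test-SuspiciousProcess {
    param([System.Diagnostics.Process]$Process)

    # Protected/system processes refuse MainModule access; skip those.
    try { $path = $Process.MainModule.FileName } catch { return $null }
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $file) { return $null }

    $name    = $file.Name.ToLowerInvariant()
    $dir     = $file.DirectoryName
    $reasons = @()

    # 1. A system-binary name loaded from somewhere other than System32/SysWOW64.
    if (($systemNames -contains $name) -and ($systemDirs -notcontains $dir)) {
        $reasons += "system binary name outside a system directory ($dir)"
    }

    # 2. Executable living under the user profile (the post's AppData\LocalLow case).
    foreach ($p in $profileDirs) {
        if ($p -and $path.StartsWith($p, 'OrdinalIgnoreCase')) {
            $reasons += "running from the user profile ($dir)"
            break
        }
    }

    # 3. Version resource disagrees with the on-disk name
    #    (the post's fake rundll32.exe carried OriginalFilename 'rundll.exe').
    $orig = $file.VersionInfo.OriginalFilename
    if ($orig -and ($orig.Trim().ToLowerInvariant() -ne $name)) {
        $reasons += "OriginalFilename '$($orig.Trim())' does not match '$name'"
    }

    # 4. Missing or broken Authenticode signature. Catalog-signed OS binaries can
    #    report NotSigned on older Windows versions, so treat this as a hint only.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status $($sig.Status)" }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        PID     = $Process.Id
        PPID    = $parentOf[[int]$Process.Id]
        Name    = $Process.ProcessName
        Path    = $path
        Reasons = $reasons -join '; '
    }
}

Get-Process | ForEach-Object { Test-SuspiciousProcess $_ } |
    Where-Object { $_ } | Format-Table -AutoSize -Wrap
```

Every line it prints is a lead to check by hand in Process Explorer, not a verdict: legitimate software also runs from AppData, and a handful of vendors ship binaries whose OriginalFilename differs from the shipped name. The combination the post describes (a rundll32.exe outside System32 whose version resource says rundll.exe, sitting next to a renamed library) is what makes a hit worth acting on.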
After watching processes and finding files that I knew were malicious, I was still grasping at straws as to where exactly the virus was starting from.
I then downloaded RogueKiller. I had never used the program before, but I am sold on it now. I ran a scan and it found a couple of processes that the virus was using. I cleaned the computer and rebooted. I took a look at the processes, but there were still a couple eating up CPU (most notably the fixmapi.exe and msfeedssync.exe processes).
I visited adlice.com and found the solution. I ran RogueKiller once more. RogueKiller detected malicious processes and registry entries. However, before I clicked Clean computer, I went to Process Explorer and killed the dllhost.exe process tree. I then clicked Clean computer and rebooted the computer. Presto, the virus was removed! This tool saved me lots of time. I then ran Malwarebytes to make sure everything was removed.
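Because this malware persists in the registry rather than on disk, the place to look for "where it starts from" is the autorun keys rather than the file system. The script below is an added example and is not part of the original post or of RogueKiller; it lists every value in the usual Run/RunOnce keys and flags the shapes that registry-resident loaders tend to use. Those patterns (a value name that regedit cannot display, rundll32 handed an inline javascript: URL, mshta, or an encoded PowerShell command) are my assumptions about what to look for, not indicators taken from this post, so treat a hit as a lead to inspect, not as an identification. As the post found, kill the injected host process tree (dllhost.exe here) before removing the values, or the cleanup may not stick.

```powershell
# Added example, not from the original post. Enumerates common autorun keys and
# flags launcher patterns typical of registry-only malware. Read-only.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Command-line fragments that mean "execute code stored somewhere other than a file".
# These are generic heuristics (an assumption), not a signature for one family.
$launcherPatterns = @(
    'rundll32(\.exe)?\s+javascript:',                                    # rundll32 + inline script
    'mshta(\.exe)?\s',                                                   # HTML application host
    'powershell.*\s-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}',       # encoded PowerShell
    'powershell.*-(nop|noprofile).*-(w|windowstyle)\s+hidden'            # hidden PowerShell
)

function Test-AutorunValue {
    param([string]$Key, [string]$Name, [string]$Data)

    $reasons = @()

    # Value names that are empty or contain non-printable characters are hard to
    # see or open in regedit, which is exactly why loaders choose them.
    if ($Name -eq '' -or $Name -match '[^\x20-\x7E]') {
        $reasons += 'empty or non-printable value name (inspect manually)'
    }
    foreach ($p in $launcherPatterns) {
        if ($Data -match $p) { $reasons += "matches /$p/" }
    }
    # A Run value normally holds one short command line, not a payload.
    if ($Data.Length -gt 1024) { $reasons += "very long command ($($Data.Length) chars)" }

    if ($reasons.Count -eq 0) { return $null }
    $preview = if ($Data.Length -gt 120) { $Data.Substring(0, 120) + '...' } else { $Data }
    [pscustomobject]@{
        Key     = $Key
        Name    = $Name
        Data    = $preview
        Reasons = $reasons -join '; '
    }
}

$findings = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    # Use the raw RegistryKey API: Get-ItemProperty can choke on odd value names,
    # and we want the data exactly as stored (no %VAR% expansion).
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        Test-AutorunValue -Key $key -Name $name -Data $data
    }
}

$findings | Where-Object { $_ } | Format-List
```

Run it before and after cleaning: an entry that reappears after a reboot, or after you delete it while the host process is still running, is the one the rest of the infection is being launched from. Extend $runKeys with the other autostart locations (Winlogon, Services, scheduled tasks) once the obvious ones are clean.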
You will also find this on the adlice website, but my Internet Explorer wouldn't allow me to download any files. Click on the gear icon in Internet Explorer and then Internet Options.
Next, go to the Advanced tab and click Reset Internet Explorer settings.
Once you have reset the browser, go to the Security tab and select Reset all zones to default level.
You will want to reset all zones to default level for Internet, Local intranet, Trusted sites, and Restricted sites. This virus messes with your security settings and won't allow you to download anything.
This enabled me to initiate a download in Internet Explorer. Something is still wrong with Internet Explorer, though, since it will start a download and then say "Download couldn't be completed". If anyone else runs into this problem, I would be glad to hear what you did to fix it.
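The "Reset all zones to default level" button is the right fix, but it helps to see which zone setting was actually changed, both to confirm the diagnosis and to check that the reset took. The script below is an added example, not part of the original post; it reads Internet Explorer's per-zone "File download" action (URLACTION 0x1803, stored as value name 1803 under each zone key) from both the user and machine hives and reports where downloads are disabled. It only reads; the GUI reset in the post is the safer way to change the values.

```powershell
# Added example, not from the original post. Reports the per-zone "File download"
# policy that the malware apparently turned off. Read-only.

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }
$downloadAction = '1803'                       # URLACTION_DOWNLOAD: "Downloads: File download"
$policyText     = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneDownloadPolicy {
    param([string]$Hive)                       # 'HKCU' (per user) or 'HKLM' (machine)

    foreach ($zone in 0..4) {
        $key  = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }

        $value = $item.GetValue($downloadAction)
        $text  = if ($null -eq $value)                         { 'not set (inherits default)' }
                 elseif ($policyText.ContainsKey([int]$value)) { $policyText[[int]$value] }
                 else                                          { "unknown ($value)" }

        [pscustomobject]@{
            Hive     = $Hive
            Zone     = "$zone ($($zoneNames[$zone]))"
            Download = $text
            # Restricted sites disables downloads by default; a Disable in the
            # Internet, Local intranet or Trusted sites zone is the symptom in the post.
            Suspect  = (($value -eq 3) -and ($zone -in @(1, 2, 3)))
        }
    }
}

# When the "use only machine settings" policy is on, the HKLM values win for all users.
$hklmOnly = (Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
             -Name Security_HKLM_only -ErrorAction SilentlyContinue).Security_HKLM_only

@(Get-ZoneDownloadPolicy -Hive 'HKCU') + @(Get-ZoneDownloadPolicy -Hive 'HKLM') |
    Format-Table -AutoSize
if ($hklmOnly -eq 1) {
    Write-Warning 'Security_HKLM_only is set: the HKLM zone values apply to every user.'
}
```

A Suspect = True row for the Internet zone matches the behaviour described above. Run the script again after the reset; if the row still shows Disable, the value is being re-applied, which points back at a surviving autorun entry rather than at the browser.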
I monitored the computer for a while; no weird processes started up and everything was fine. Thanks so much to the adlice website and the RogueKiller tool for making my day easier.
Here is some additional reading about this virus.
I hope this helps. Let me know by posting in the comments.
This was posted by techspeeder.