Windows 10: Heavily Infected by svchost.exe and Poweliks.

Discuss and support Heavily Infected by svchost.exe and Poweliks. in AntiVirus, Firewalls and System Security to solve the problem; I always have 100 disconnection from Internet when taking backups and immediately store the backup device offline. My Backups on Windows are run via a... Discussion in 'AntiVirus, Firewalls and System Security' started by Wynona, Apr 5, 2018.

  1. Wynona Win User

    A good practice that everyone should follow.

    Before deciding to clean install or to use an AV to clean one’s system, it must first be ascertained what each procedure entails. In this case, Young Tomlin has said, “The reason I don't reset is because of the applications I have on this pc and I don't have time to reinstall them as I use them for work.”

    We must understand and consider the individual user’s wants and needs before deciding for him/her that a clean install is more valuable than cleaning the computer. How many apps and programs are on the computer? How long will it take to reinstall them? Once they’re reinstalled, how long will it take to set them up the way we want them? An individual’s files are a major consideration here. Even if we can recover the files from a corrupted system, will they need to be scanned before we can use them? Would it have been easier to clean the computer; thus, saving all our files?

    Not every malware/virus is cleanable, but the majority of them are. If they weren't, AV companies would not exist, nor would they be releasing tools to clean specific infections.

    I’d hate to be required to clean install the Fall Creators Update on my teaching Lappy. I have a lot of things on there that won’t be easily replaced; not the least of which are deeply discounted (free) apps that cannot be reinstalled.

    In my considered opinion, it would be a huge disservice to tell Young Tomlin to do a clean installation at this point. With Simrick’s guidance, it wasn’t necessary; he’s back up and running.

    Most AV programs come with an “individual file scanner” and/or a “multiple file scanner”.

    If Young Tomlin’s files reside on his internal drive(s), they will have been successfully scanned due to his prior work to clean his computer. If files were on externals (including flash drives) …

    The question must be asked, (1) “Was it attached to the computer at the time of the attack? (2) And if so, was the external still attached during Young Tomlin’s prior cleanup efforts?” These two questions and their answers will serve to guide Young Tomlin in how to proceed.

    Any AV worth its salt will certainly yell bloody murder if it perceives an attack, whether it be on the OS or on Data! I believe a combination of all the above will help anyone to decide how to proceed.

    Why not just individually scan the finished file with your AV? If it won’t scan individual files, get one that will.

    Young Tomlin has successfully cleaned his computer, run a final check with Eset and has downloaded Macrium Reflect, installed it and backed up his computer. By following Simrick’s advice, he is a little more knowledgeable today than he was yesterday or the day before.

    All’s well that ends well …
     
    Wynona, Apr 5, 2018
    #1

  2. Hello

    I recently allowed my cousin to do some work on my personal computer and when I received it back Chrome suddenly closed on the aspect of anything incriminating of a virus removal. Also, looking at task manager shows an unnamed task that is under Windows Processes, that is taking around 60% of the CPU of my computer.

    It claims to be Service Host, or svchost.exe, however it's not located in system32 so I'm pretty sure it's a virus in disguise.

    I ran multiple anti-virus programs, Malwarebytes detected over 500 threats. They were mostly cleaned, however it does not detect Poweliks. I have tried using ESET Poweliks cleaner which just closes on opening, I have also tried Symantec's program which just results in Poweliks not being found.

    Also, my computer cannot reboot, it crashes when it restarts, with a critical error/BSOD, I have attached the files as well. (Attachment: MSI-13_04_2018_234402_70.zip)

    So, I am truly stumped. I don't know what else to do. If this is a different virus or anything. Also, I hope I posted this in the right place. *Smile

    Thanks for any help.

    :)
     
    youngtomlin, Apr 13, 2018
    #2
  3. Bruce Hagen, Apr 13, 2018
    #3
  4. ap1978 Win User
  5. simrick Win User
    Hi.
    You are correct, it is not a legit svchost.
    Have you tried running some offline scans?

    - Defender has an option for offline scan
    - Kyhi's recovery media has Malwarebytes built-in. You can boot the system to it and scan the system drive while the infection is not active - much easier to clean that way.
    - Eset bootable media "ESET SysRescue Live"
    Download Tools and Utilities ESET

    You could even try running these while in the operating system:

    RKILL
    Download RKill
    ADWCleaner
    Downloads - AdwCleaner - ToolsLib
    (reboot)
    RKILL (again)
    Malwarebytes (with rootkit box checked)
    Then run the Eset Poweliks removal tool
     
    simrick, Apr 13, 2018
    #6
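The check youngtomlin describes and simrick confirms above (a process calling itself svchost.exe that does not run from system32) can be scripted. This is an added PowerShell example, not part of the original thread; `Test-SvchostProcess` is a hypothetical name, the sample records are constructed, and the SysWOW64 copy and the `-k` argument are facts about Windows that the posts do not mention.

```powershell
# Added example (not from the thread): flag svchost.exe processes that do not
# look like the genuine Service Host. Test-SvchostProcess is a hypothetical name.
function Test-SvchostProcess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Process,
        [string] $SystemRoot = $env:SystemRoot
    )
    begin {
        # Genuine images: System32, plus the 32-bit copy in SysWOW64 on 64-bit Windows.
        $expected = "$SystemRoot\System32\svchost.exe", "$SystemRoot\SysWOW64\svchost.exe"
    }
    process {
        $reasons = @()
        if (-not $Process.ExecutablePath) {
            # Without elevation, Win32_Process may return no path for system processes.
            $reasons += 'path unavailable (re-run elevated)'
        } elseif ($expected -notcontains $Process.ExecutablePath) {
            # -notcontains compares strings case-insensitively, as Windows paths require.
            $reasons += 'image is outside System32/SysWOW64'
        }
        # Service Host is always started with "-k <service group>".
        if ($Process.CommandLine -and $Process.CommandLine -notmatch '\s-k\s+\S') {
            $reasons += 'command line has no -k service group'
        }
        [pscustomobject]@{
            ProcessId  = $Process.ProcessId
            Path       = $Process.ExecutablePath
            Suspicious = $reasons.Count -gt 0
            Reasons    = $reasons -join '; '
        }
    }
}

# Constructed sample records (placeholders, not values from the thread).
$sample = @(
    [pscustomobject]@{ ProcessId = 812;  ExecutablePath = 'C:\WINDOWS\system32\svchost.exe'
                       CommandLine = 'C:\WINDOWS\system32\svchost.exe -k netsvcs -p' }
    [pscustomobject]@{ ProcessId = 4120; ExecutablePath = 'C:\Users\Public\svchost.exe'
                       CommandLine = 'C:\Users\Public\svchost.exe' }
)
$sample | Test-SvchostProcess -SystemRoot 'C:\Windows' | Format-Table -AutoSize

# Live system: run from an elevated prompt so ExecutablePath is populated.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Test-SvchostProcess | Where-Object Suspicious
```

A flagged entry is a lead for the offline scans listed above, not a verdict; the script only reads process metadata and changes nothing.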
  6. Hello again, thanks for the quick replies.

    The AVG results didn't find anything and nor did the offline Defender scan. The other options close my Chrome so I can't check those out. During the restarting of my computer it crashed again and the logs are in the original post.

    Thanks again for all your help. Brief because I don't want it to crash again.
    Thanks.
     
    youngtomlin, Apr 13, 2018
    #7
  7. simrick Win User

    If you can't get any of your browsers to work, (even after resetting them - including Internet Explorer), you'll need to get to a clean system to do the downloads. The offline/bootable media methods are best for clearing out this stuff.
     
    simrick, Apr 13, 2018
    #8
  8. Ok. I'll grab my USB now and try those out. Let's hope Malwarebytes does something this time. Thanks in advance

    Typing on my phone now. My computer keeps crashing but I'm guessing that's because of the virus. I'll take that to BSOD support afterwards if it's still happening.

    Again. Thank you for your help
     
    youngtomlin, Apr 13, 2018
    #9
  9. ap1978 Win User
    Good luck.
     
    ap1978, Apr 13, 2018
    #10
  10. simrick Win User
    Okay, let us know how it goes. Good luck.
     
    simrick, Apr 13, 2018
    #11
  11. flybynite Win User
    By the time you go through all this you would be better off taking 20 minutes to install Windows 10 again.
     
    flybynite, Apr 13, 2018
    #12
  12. Try3 Win User

    tomlin,

    • I agree that svchost being outside system32 warrants investigation.
    • I have no idea why you mention Poweliks. [I once had one of the many Poweliks variants & Malwarebytes successfully detected it]
    • If some scans fail to find anything but other scanners crash / the computer crashes / the computer cannot boot, I think that you are going to end up rescuing your personal files and then reinstalling Windows 10.

    Denis
     
  13. jimbo45 Win User
    Hi folks

    If your computer is infected don't waste your time spending hours on trying to "dis-infect it". You can't ever be sure that the program does its job 100%.

    Using an infected computer to cleanse / disinfect itself is like if you are a Pilot and told here's a defective plane but you have to fly it and fix it in the air!!!!! As a licensed Private Pilot you know what my answer would be to that one!!!!

    Simply restore a clean image (Macrium Free if you have it) --if you haven't then the only sensible way is a clean Windows install. You won't lose activation on any clean installs. Then always make sure you have a clean backup image --if you keep OS / Data separately image can be taken / restored even on older systems within 30 mins at most.

    You are also 100% isolated against Ransomware as well -- simply disconnect computer from internet, switch off immediately, re-boot your restore program and restore clean image.

    Cheers
    jimbo
     
    jimbo45, Apr 13, 2018
    #14
  14. I mention Poweliks because it's the only virus that comes to mind that closes Chrome. It's also located in the registry so it could be hidden. I tried the suggestion of scanning in Malwarebytes offline and it detected a whole lot more. I then tried the RKILL steps and was able to run Poweliks cleaner which successfully cleaned Poweliks as well.

    So I think most is gone now. I've managed to clean most things. The reason I don't reset is because of the applications I have on this pc and I don't have time to reinstall them as I use them for work.

    I'll mark this as solved now. Thanks to all the people that helped me. Thanks again.
     
    youngtomlin, Apr 13, 2018
    #15