Windows 10: Heavily Infected by svchost.exe and Poweliks.

Discuss and support Heavily Infected by svchost.exe and Poweliks. in AntiVirus, Firewalls and System Security to solve the problem; I mention Poweliks because it's the only virus that comes to mind that closes Chrome. It's also located in the registry so it could be hidden. I tried... Discussion in 'AntiVirus, Firewalls and System Security' started by Wynona, Apr 5, 2018.

  1. simrick Win User

    Hi.
    Thanks for posting your steps (MBAM offline, then RKILL steps, then Poweliks cleaner). I'm sure it will help others in the future who come here with similar problems.

    I would suggest running an ESET online scan for a final "all-clear", just to be sure.

    Then, get some Macrium imaging in place, and run it regularly. It's much easier to recover from things this way.
    Backup and Restore with Macrium Reflect Windows 10 Tutorials

    Cheers!
     
    simrick, Apr 13, 2018
    #16

  2. Hello

    I will do this now and set up a backup.

    Thank you.
     
    youngtomlin, Apr 13, 2018
    #17
  3. simrick Win User
    Great. You're very welcome.
     
    simrick, Apr 13, 2018
    #18
  4. Quick update. Eset came back all clear and Macrium backups are now in place.
     
    youngtomlin, Apr 14, 2018
    #19
  5. Good to hear! Thanks for posting back with an update.

    You will thank yourself time and time again in the future with Macrium. Total life saver.
     
    Access Denied, Apr 14, 2018
    #20
  6. simrick Win User
    Brilliant!
    If you have any issues with the operating system, let us know - could be some DISM commands will fix things.
    Matter of fact, you might run sfc /scannow from an admin command prompt to make sure the OS is in good shape after that attack.
    Cheers.
     
    simrick, Apr 14, 2018
    #21
  7. simrick Win User
    Hi.
    I have to disagree with this statement. If it is impossible to clean specific infections (like Poweliks), then tools would not be available to clean them. Yes, there are certain infections that simply cannot be completely cleaned because they modify too many system files. In these cases, it's clearly recommended to perform a clean install. But many infections are easy to clean, and take less time than a clean install, PLUS setting up all the user's personal software and licenses.

    Unfortunately, there are many users who don't have imaging software/backups in place when they come here for help. Yes, it's good to recommend, but doesn't help at that point.

    This is only true if the backup is not connected to the system at the time of infection, or after infection. Ransomware will attack all files, including connected external drives and network shares. So it's important to mention that the backups should be offline/disconnected from the computer when not being used. It should also be mentioned that the paid version of Macrium now has Image Guard, to prevent manipulation of the backups by nefarious actors.
     
    simrick, Apr 14, 2018
    #22
  8. jimbo45 Win User

    Hi there

    I always have 100% disconnection from Internet when taking backups and immediately store the backup device offline. My Backups on Windows are run via a read only bootable USB to load the backup / restore program.

    I should have mentioned that in the post!!

    I have to disagree though that using a Virus cleanser type program is quicker than restoring a clean system -- especially when SSDs and USB 3 devices are involved -- on an SSD a typical Windows restore probably won't take more than 15 mins (if that) and you have 100% certainty your system is clean.

    As for DATA backups you need to control that in any way you see fit - there's no "one size fits all" method of data backups.
    However the main problem here is how to know whether any DATA files have been corrupted by any attack -- this actually is not a trivial exercise and here I'm interested to know how people check for "Data corruption" -- note I'm on about DATA here (personal files etc) rather than the OS which we've covered.

    It's possible for an attack say on your DATA files which you might not know about - that's where a lot of these AV programs fail -- they might be good at protecting the OS but DATA is an increasingly valuable commodity. You can't just compare old and new files - they usually aren't in readable ASCII format.

    I've found the only way that seems "semi-reliable" is any time I've changed a file is to re-open it again with whatever application -- e.g EXCEL or multi-media program for music / video and if it is OK then I send it away to a temporary file on my Linux NAS server for final update at the end of the day. Not perfect but I can't think of anything better here - so I'm open to ideas.

    Now we've got people more used to the idea of backing up and protecting the OS - we need now to start sorting out the best way of protecting data before it gets saved to backups / cloud servers / NAS boxes etc.

    Cheers
    jimbo
     
    jimbo45, Apr 14, 2018
    #23