Is it still acting up? Or does it seem to be behaving now? Sounds like you got more than one bug (or more likely, you got a Trojan dropper that included more than just Poweliks).
That looks pretty similar to what the machine I dealt with had, excepting the Symantec Eraser item (that file is actually legit, IIRC), while Poweliks is known for hijacking legitimate Windows components via alternate data streams.

S3 EraserUtilDrv11410 \?\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11410.sys
S3 cleanhlp \?\C:\EEK\bin\cleanhlp64.sys
S3 LMS "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe"
S3 jhi_service "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe"

Considering the files they deleted with FRST, I'd say it may have been lurking.

AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:262
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3204
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3247
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3348
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:96
C:\Users\Evelyn\AppData\LocalLow\Adobe\Ubxhbcxitb

So, the question still remains: was it a drive-by, or remnants from before? So perhaps it was just hiding in what I thought was a legitimate file. I posted my case on a malware blog, and they had me delete a bunch of other files. I ran the ESET tool, did all the other stuff, etc., etc. Then the next day, it started detecting it as POWERLIK or POWELIKS. I just had a feeling something was wrong. When the client called, Norton wasn't even detecting it. If that doesn't finish cleaning it up for you, you might have a newer and more clever version than I did. Also, I don't remember if you had stated or not, but what OS is this machine running? I used an ESET Poweliks removal tool to nip the one my client's computer had, eliminated MSConfig entries, wiped out the suspect files, and used HijackThis and CCleaner to take out the remaining riff-raff. And yeah, you have a similar infection to what I had to deal with (maybe not identical, but very similar).
In your case, it was likely a lack of configuration, or flat-out bad luck with timing. The problem with Symantec products is rarely that they are incapable so much as that they are not configured for maximum security, or the user doesn't have the best-suited version installed. However, it doesn't check the registry thoroughly or regularly unless you do a full-system scan or configure a separate job to scan the registry, hence the Poweliks getting through (most AV solutions don't have any registry tools or protection at all).
Norton (like most) doesn't scan the registry unless you have 360 (which it sounds like you do).
I ended up removing it via PBE, copying known-good copies of the drivers from another computer and replacing the compromised driver files, and wiped temps to be sure it was good before I let it back into the environment.
You may have to verify that all the driver signatures are legit to find the culprits, if indeed you have a variant of the same infection. The actual malware files in my case replaced legitimate driver files with bogus fakes of seldom-used drivers.
You won't be able to eliminate it in regular mode (I ended up jumping to a PBE and blowing it away from there), as it injects malicious code into and hijacks legitimate system processes that you cannot close, to stay sneaky. I've dealt with a very similar piece of malware a few months ago, and it's more than a little annoying to try and clean up.
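The two checks the posters describe, looking for alternate data streams hung off legitimate system binaries and verifying driver signatures before trusting a .sys file, can be done from an elevated PowerShell prompt. This is an added example and not code from the thread or from any tool mentioned in it; the scan directories are the Windows defaults and the allow-list of stream names is an assumption you would tune for your own environment.

```powershell
# Added example (not from the thread): defender-side checks for the Poweliks-style
# behaviour discussed above: named streams on system binaries, and driver files
# whose Authenticode signature does not verify. Run from an elevated prompt.
$ScanRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$DriverDir = "$env:SystemRoot\System32\drivers"

# ':$DATA' is the unnamed default stream every file has; Zone.Identifier is the
# normal "downloaded from the Internet" mark. Anything else is worth a look.
# (Assumed allow-list; extend it for streams your own software legitimately uses.)
$KnownStreams = @(':$DATA', 'Zone.Identifier')

function Find-SuspiciousStreams {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * enumerates every named stream on the file, default included.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $KnownStreams -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
    }
}

function Find-UnverifiedDrivers {
    param([string]$Dir)
    Get-ChildItem -LiteralPath $Dir -Filter *.sys -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver  = $_.Name
            Status  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer  = $sig.SignerCertificate.Subject
            Written = $_.LastWriteTime       # a recently rewritten, seldom-used driver stands out
        }
    } |
    Where-Object { $_.Status -ne 'Valid' }
}

"== Non-default alternate data streams under System32 / SysWOW64 =="
Find-SuspiciousStreams -Roots $ScanRoots | Format-Table -AutoSize

"== Drivers whose signature does not verify (compare against a known-good copy) =="
Find-UnverifiedDrivers -Dir $DriverDir | Sort-Object Written -Descending | Format-Table -AutoSize
```

Note that on older Windows versions drivers signed only through a security catalog can report NotSigned here even when legitimate, so treat a non-Valid status as a lead to compare against a known-good copy (as the poster did), not as proof of tampering.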
Norton won't kill Chrome because Chrome isn't technically malicious, and the infection you have is essentially just set as the homepage for the portable Chrome. You have to actually blacklist Chrome via GPO or another capable solution to block Chrome from being able to run without being properly installed (it can be run as a portable browser, which is essentially what you have going on if you have a similar infection to what I dealt with not long ago).
The malware you are getting is using Chrome, which does not have to be properly installed to access (remember, even full Chrome installations are designed to bypass standard Windows security).