Tojan.Poweliks Virus

I haven’t done much investigation on this virus, but I ran across it on a client’s machine and spent a while before I finally discovered the issue.

The symptoms I was seeing didn’t show any signs of a virus.  Malwarebytes and AVG Antivirus were not detecting anything and I wasn’t seeing anything out of the ordinary except for some Microsoft owned process that generally are not running on systems, especially business machines.

The symptoms were:

  • The machine was running very slow
  • Some processes were using excessive processor resources, but did not appear to be illegitimate and were built-in Microsoft processes.
    • Two of these processes were dllhost.exe and wiaacmgr.exe, neither of which seemed to have any reason to be starting.
  • Internet speeds for the entire site were lower than they should be and other users had been complaining about the slowness.
  • Downloading files from Internet Explorer resulted in an error that said, “Your security settings do not allow this file to be downloaded”
    • I was able to reset IE so that downloads were allowed again, but within 24 hours the problem returned.

After searching for some keywords, I finally came across this post from Eset which talked about Poweliks and included a removal tool.  I ran it (after fixing IE download settings, of course) and it immediately returned that the virus was found and offered to remove it.  The entire detection and removal process was about 30 seconds or less.  A reboot was needed afterwards to complete the removal.

After seeing this for the first time on one machine, my company started getting a flood of residential computers with the same problem.

One thought on “Tojan.Poweliks Virus

Leave a Reply to Godfrey Cancel reply