Discovered: November 10, 2014
Type: Removal Information
This tool is designed to remove Trojan.Poweliks infections.
How to download and run the tool
- Selecting "Run as administrator" will result in an incomplete repair. You must be logged in to the Administrator account and all other users must be logged out in order for the tool to work correctly.
- There are two versions of this tool, one designed to run on 32-bit computers and one designed to run on 64-bit computers. To find out if your computer is running a 32-bit or 64-bit version of Windows, please read the following Microsoft Knowledge Base article: How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system
Note for network administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line, with the Exclude switch. For more information, read the Microsoft Knowledge Base article: Issues caused by a back up or a scan of the Exchange 2000 M drive
Follow these steps to download and run the tool:
- Download FixPoweliks64.exe for 64-bit computers and FixPoweliks32.exe for 32-bit computers.
- Save the file to a convenient location, such as your Windows desktop.
- If you are sure that you are downloading this tool from the Security Response website, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the Digital Signature section before proceeding with step 4.
- Close all the running programs.
- If you are running Windows XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation.
- Double-click the FixPoweliks64.exe or the FixPoweliks32.exe file to start the removal tool.
- Click I Accept to accept the EULA, then click Start to begin the process and allow the tool to run.
- When the tool has finished running, you will see a message prompting you to check the logfile for results.
The removal tool writes a summary of its operation to a logfile named FixPoweliks64.log or FixPoweliks32.log with results similar to the following:
- List of terminated processes
- List of removed registry values
If the system is clean, no restart is required and the logfile will be blank.
Note: If the Removal Tool does not display the following message after being run, please run the Removal Tool again to provide confirmation that the compromised computer has been repaired:
- Trojan.Poweliks has not been found on the system.
Note: If not all running programs were closed before Trojan.Poweliks was successfully removed, it may be necessary to relaunch the affected applications or reboot the computer to restore functionality. This is because processes the threat had injected into are terminated.
What the removal tool does
The removal tool carries out the following actions:
- Terminates the associated processes
- Removes registry keys/values added by the threat
The following switches are designed for use by network administrators:
- /HELP, /H, /?
Displays the help message
- /SILENT, /S
Enables silent mode
If silent mode is enabled, no reboot will occur
- /LOG=[PATH NAME]
Creates a logfile where [PATH NAME] is the location in which to store the removal tool's output. By default, this switch creates the logfile in the same folder from which the removal tool was executed.
- /MAPPED
Scans the mapped network drives. (We do not recommend using this switch.*)
*Important: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:
- The scanning of mapped drives scans only the mapped folders. This may not include all of the folders on the remote computer, which can lead to missed detections.
- If a viral file is detected on the mapped drive, the repair may fail if a program on the remote computer uses that file.
- On Windows Vista and Windows 7, scanning mapped drives may fail if the user account running the removal tool is not the administrator account, even if it is a member of the Administrator group. In these cases the mapped drive will appear as disconnected after scanning with the removal tool. Please see the following Microsoft Knowledge Base article for more information: Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or newer operating systems
Therefore, you should run the removal tool on every computer.
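The following PowerShell script is an added example of how a network administrator might run the tool unattended with the /SILENT and /LOG= switches described above and then read the logfile; it is not Symantec's code. It assumes the downloaded binaries are in $ToolDir (a placeholder path), that it is run from the logged-on Administrator's own session as the page requires, and that the logfile is blank on a clean system and otherwise lists terminated processes and removed registry values, as the page states.

```powershell
# Added example (not Symantec's code): run the Poweliks removal tool silently
# and interpret its logfile. Assumed: tool binaries live in $ToolDir; the logfile
# is blank when the system is clean (as the page states).
param(
    [string]$ToolDir = 'C:\Tools\Poweliks'   # assumed location of the downloaded tool (no spaces)
)

# Pick the build that matches the Windows architecture (32-bit vs 64-bit).
$exeName = if ([Environment]::Is64BitOperatingSystem) { 'FixPoweliks64.exe' } else { 'FixPoweliks32.exe' }
$exePath = Join-Path $ToolDir $exeName
$logPath = Join-Path $ToolDir ([IO.Path]::ChangeExtension($exeName, '.log'))

if (-not (Test-Path $exePath)) {
    throw "Removal tool not found: $exePath"
}

# /SILENT suppresses the dialogs (and any reboot); /LOG= sets where the logfile is written.
# This must run in the interactive Administrator session, not via "Run as administrator"
# from another user's account, or the repair will be incomplete.
$proc = Start-Process -FilePath $exePath -ArgumentList '/SILENT', "/LOG=$logPath" -Wait -PassThru
Write-Host "Removal tool exited with code $($proc.ExitCode)"

if (-not (Test-Path $logPath)) {
    Write-Warning "No logfile found at $logPath; run the tool again to confirm the result."
    return
}

$log = Get-Content -Path $logPath -Raw
if ([string]::IsNullOrWhiteSpace($log)) {
    # A blank logfile is the documented result for a clean system.
    Write-Host 'Logfile is blank: no Trojan.Poweliks artifacts were found.'
} else {
    # Anything in the log means processes were terminated and/or registry values removed.
    # Surface it for the responder and run the tool a second time to confirm the repair.
    Write-Host 'Removal tool reported activity; review the entries below, then run the tool again to confirm:'
    Write-Host $log
}
```

Because the /SILENT switch suppresses the reboot, the administrator decides separately when affected machines are restarted; a second run that produces a blank logfile is the confirmation the page asks for.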
For security purposes, the removal tool is digitally signed. Symantec recommends that you use only copies of the removal tool that have been directly downloaded from the Symantec Security Response website. If you are not sure, or are a network administrator and need to authenticate files before deployment, you should check the authenticity of the digital signature. Follow these steps:
- Go to http://www.wmsoftware.com/free.htm.
- Download and save the Chktrust.exe file to the same folder in which you saved the removal tool.
Note: Most of the following steps are done at a command prompt. If you downloaded the removal tool to the Windows desktop, it will be easier if you first move the tool to the root of the C drive. Then save the Chktrust.exe file to the root of the C drive as well. (Step 3 assumes that both the removal tool and Chktrust.exe are in the root of the C drive.)
- Click Start > Run.
- Type the following: cmd
- Click OK.
- In the command window, type the following, pressing Enter after typing each line:
chktrust -i FixTool.exe
- You should see one of the following messages, depending on your operating system:
Windows XP SP2: The Trust Validation Utility window will appear. Under Publisher, click the Symantec Corporation link. The Digital Signature Details appear.
Verify the contents of the following fields to ensure that the tool is authentic:
Name: Symantec Corporation
Signing Time: 11/20/14 5:01:05 GMT (for 64-bit) or 11/20/14 5:00:57 GMT (for 32-bit)
All other operating systems: You should see the following message: Do you want to install and run "FixTool.exe" signed on Thursday, November 20, 2014 5:01:05 GMT (for 64-bit) or Thursday, November 20, 2014 5:00:57 GMT (for 32-bit) and distributed by Symantec Corporation?
Note: The date and time in the digital signature above are based on Pacific Time. They will be adjusted for your computer's time zone and regional options settings. If you are using Daylight Saving Time, the displayed time will be exactly one hour earlier.
If this dialog box does not appear, it may be because the removal tool is not from Symantec: Unless you are sure that the removal tool is legitimate and that you downloaded it from the legitimate Symantec website, you should not run it.
- Click Yes or Run to close the dialog box.
- Type exit, and then press Enter. (This will close the MS-DOS session.)
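As an added example, not part of Symantec's instructions, the same authenticity check can be scripted with PowerShell's built-in Get-AuthenticodeSignature cmdlet instead of Chktrust.exe, which is useful when the files must be authenticated before deployment to many machines. It assumes $ToolPath is the downloaded FixPoweliks64.exe or FixPoweliks32.exe (placeholder path), that the publisher string is "Symantec Corporation" as the page names it, and PowerShell 4.0 or later for Get-FileHash; the signing time itself is still read from the signature details dialog or Chktrust, since this cmdlet does not expose it directly.

```powershell
# Added example (not Symantec's code): verify the removal tool's Authenticode
# signature before deployment. Assumed: $ToolPath is the downloaded tool;
# the expected publisher is the one the page names.
param(
    [string]$ToolPath = 'C:\FixPoweliks64.exe',          # assumed download location
    [string]$ExpectedPublisher = 'Symantec Corporation'  # publisher named on the page
)

if (-not (Test-Path $ToolPath)) {
    throw "File not found: $ToolPath"
}

$sig = Get-AuthenticodeSignature -FilePath $ToolPath

# Status is 'Valid' only when the signature verifies and the certificate chains
# to a trusted root. 'NotSigned', 'HashMismatch' and 'UnknownError' all mean the
# file is not the signed tool and must not be run.
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $ToolPath : $($sig.Status) - $($sig.StatusMessage)"
}

# A valid signature from the wrong publisher is still the wrong file.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedPublisher*") {
    throw "Unexpected signer: $subject"
}

# Record the details a responder would keep alongside the signing time from the page.
[pscustomobject]@{
    File        = $ToolPath
    Status      = $sig.Status
    Signer      = $subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamped = [bool]$sig.TimeStamperCertificate
    SHA256      = (Get-FileHash -Path $ToolPath -Algorithm SHA256).Hash
}
```

The script fails closed: any status other than Valid, or a signer that is not the expected publisher, stops the script before the tool is ever executed, which matches the page's advice not to run a copy whose signature dialog does not appear.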