[KB3587] How do I remove a Fileless (Poweliks, Gootkit or Kovter) infection?

Issue

  • Your ESET product detects the threat Reg/Fileless (Win32/Poweliks.A  Win32/Gootkit, Win32/Kovter)
     
  • You are trying to browse the Internet and the pages are being blocked
     
  • Multiple Dllhost processes are running on your system
     
  • Poweliks is also referred to as "powerliks" or "Powessere"
     
  • Gootkit is also referred to ask "XSW" or "XSWKit"
     
  • When attempting to download files using Microsoft Internet Explorer, you receive the message "Your current security settings do not allow this file to be downloaded"

Details

Win32/Poweliks.A is a trojan which tries to download other malware from the Internet, and can be controlled remotely.

Solution

Video Tutorial

I. Re-enable downloads in Internet Explorer

  1. Close all Internet Explorer windows.
     
  2. Press the Windows key R.
     
  3. Type inetcpl.cpl into the Open field and click OK. This will open Internet Properties (otherwise known as Internet Options).

    Figure 1-1

  4. Click the Security tab → Reset all zones to default level.

    Figure 1-2

  5. When you are finished, click OK to save your changes.

II. Run the Poweliks Cleaner tool

  1. Right-click the link below, select Save target as (or Save link as in Mozilla Firefox) from the context menu and then select your Desktop as the save destination.

    Download ESET Poweliks Cleaner
     
  2. When the download is complete, navigate to your Desktop, double-click ESETPoweliksCleaner.exe.
     
  3. Read the terms of the End-user license agreement and click Agree if you agree to them.
     
  4. The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.

Figure 2-1

  1. If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool.

Figure 2-2

  1. After removing an infection we highly recommend that you restart your computer. The infection should now be removed and you should be able to access the web content that was being blocked.

III. Upgrade to the latest version of your ESET product

More recent versions of ESET products include updated modules that help protect against Poweliks infections. It is important that you are running the latest version to ensure maximum protection against this threat.

  1. Check to see which version you are running.
     
  2. Upgrade to the latest version of your ESET product if necessary.

Need Assistance in North America?

If you are a North American ESET customer and need assistance, view product documentation or visit helpus.eset.com to chat with a live technician.

Daugiau informacijos