
ANOTHER new poweliks? This can't be right. Look into it if you have the chance.


edh4131:
I know you recently updated RKiller for this new poweliks version. That said, good work, my RKiller picks it up and deletes it. The problem is... the key instantly respawns. I can run RKiller, it will find and remove the poweliks keys, then I can instantly run it again, and the keys will have respawned. I'm trying it again without restarting the PC. Maybe I just need to delete the subkeys, but I think by restarting I may have allowed it to install some additional key that I can't find. Anyway, I am working on it, but if you have any advice that would be great. Hopefully it's not a new variant already, and just an anomaly with my setup. Will post logs soon.

edh4131:
Log of a scan, will follow with a second log as soon as it finishes.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014  02:27:26

Processes : 0

Registry : 5
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000036b])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_SCN_10172014_013259.log - RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_DEL_10172014_021224.log
RKreport_SCN_10172014_021742.log - RKreport_DEL_10172014_021812.log - RKreport_SCN_10172014_022446.log

edh4131:
Before the second scan finishes, I have a sneaking suspicion dllhost is replicating the reg key as soon as it is deleted. Any idea how to handle this would be good. I will try disabling networking then running the tool possibly.

edh4131:
Look at these logs, specifically timestamps.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014  02:42:33

Processes : 0

Registry : 1
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000035f])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_DEL_10172014_021224.log - RKreport_DEL_10172014_021812.log - RKreport_DEL_10172014_022726.log - RKreport_SCN_10172014_013259.log
RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_SCN_10172014_021742.log - RKreport_SCN_10172014_022446.log
RKreport_SCN_10172014_024012.log - RKreport_DEL_10172014_024120.log - RKreport_SCN_10172014_024225.log

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014  02:41:20

Processes : 0

Registry : 3
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000035f])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_DEL_10172014_021224.log - RKreport_DEL_10172014_021812.log - RKreport_DEL_10172014_022726.log - RKreport_SCN_10172014_013259.log
RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_SCN_10172014_021742.log - RKreport_SCN_10172014_022446.log
RKreport_SCN_10172014_024012.log

Tigzy:
Do you see dllhost processes?
If yes, do the following:

- Scan with RogueKiller
- Kill all dllhost
- Do the Removal
- Reboot immediately
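A read-only check, added here and not part of the thread or of RogueKiller, that shows why the order above matters: it looks for the CLSID LocalServer32 key from the logs in every loaded user hive, lists the running dllhost.exe processes with their parent PID, then re-checks the key after a delay so a respawn can be observed without a reboot. The CLSID comes from the logs; the 10-second delay is an assumption.

```powershell
# Added example, not from the thread or from RogueKiller. Run as Administrator.
# CLSID taken from the [Tr.Poweliks] lines in the logs above; delay is assumed.
$clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'
$delaySeconds = 10

function Get-PoweliksKeys {
    # HKU: is not a PSDrive in every session; the Registry:: provider path needs none.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $path = "Registry::$($_.Name)\Software\Classes\CLSID\$clsid\LocalServer32"
            if (Test-Path -Path $path) {
                $default = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
                [pscustomobject]@{
                    Sid           = $_.PSChildName
                    Key           = $path
                    DefaultLength = if ($default) { $default.Length } else { 0 }
                }
            }
        }
}

function Get-DllhostInfo {
    # dllhost.exe is the COM surrogate; the thread suspects it of rewriting the key.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'dllhost.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

$before = @(Get-PoweliksKeys)
Write-Host "Pass 1: $($before.Count) LocalServer32 key(s) present for CLSID $clsid"
$before | Format-Table -AutoSize

Write-Host 'Running dllhost.exe processes:'
Get-DllhostInfo | Format-Table -AutoSize

# Run the removal tool now, then let the second pass tell you whether the key came back.
Start-Sleep -Seconds $delaySeconds
$after = @(Get-PoweliksKeys)
Write-Host "Pass 2 (after $delaySeconds s): $($after.Count) key(s) present"
if ($before.Count -eq 0 -and $after.Count -gt 0) {
    Write-Host 'Key reappeared while the system was running: a live process is rewriting it. Kill dllhost before the next removal pass, then reboot immediately.'
}
```

A non-empty DefaultLength of several thousand characters on that key is consistent with the encoded script the logs flag, while an ordinary COM registration is a short executable path.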
