Adlice forum

Software feedback => RogueKiller => Topic started by: broneil on October 09, 2014, 02:52:35 PM

Title: RogueKiller found registry entries but does not appear to remove the entries
Post by: broneil on October 09, 2014, 02:52:35 PM
I ran the latest version of RogueKiller and found the registry entry.  When I hit the "Delete" button the entry removal errors out.  Please see the attached file which contains the screenshot. 
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 09, 2014, 02:58:22 PM
hello
Can you verify with regedit that the key exists (or not) ?
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Ravens on October 09, 2014, 03:54:52 PM
Hello.  I am running into the same issue this morning.  I checked the registry and the key exists with quite a bit of information.  Please view the attached screenshots.

Ravens
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Velorider87 on October 09, 2014, 05:19:45 PM
This seems to be the current state of this pesky infection. While RogueKiller seems to be the only tool I have found that will find Poweliks, it still doesn't remove it due to the reg key protection issue. Seems to be a lot of people asking about this. Is there a way to identify the PID that is protecting the removal of the found infection and shut down that process so the tool can do its magic?
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 10, 2014, 09:55:46 AM
the process cannot be stopped, it's a svchost process that is useful for COM object calls.
If you stop it, you'll have to reboot.

There's no process protection, I think it's only ACLs.
Could you dump the related key into a hive format with regedit? dump at the {AB89...} key level please, and attach the file here.

To do so, right click on the key, "export" => change type for "system hive (*.*)" and save it.
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 10, 2014, 09:58:15 AM
Ok, I do understand.
You are not in the right registry hive.

HKEY_USERS is different than HKEY_CLASSES_ROOT/HKEY_LOCAL_MACHINE.
It looks like it's in both hives now, I'll take a look.
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 10, 2014, 10:47:06 AM
I found that the keys are indeed protected (they are recreated actually) by the dllhost processes.
With process explorer, do a "kill tree" on the dllhost parent process, then restore the registry key (manually, the fix isn't ready for RogueKiller).
You need to reboot right after.
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Ravens on October 10, 2014, 02:19:47 PM
OK attached is the Hive file - had to adjust the file type to .txt in order to upload it.

After killing the dllhost.exe and removing the registry key, how should I replace it and with what entries?
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 10, 2014, 02:52:13 PM
Can you please wait just a few minutes?
Version 10.0.1 is supposed to fix that. It would be good to have confirmation.

Several bugs fixed:
- Problem when removing a key (not found) because of the case of the subkey (LocalServer32 vs localserver32) => Fixed
- Problem of Poweliks infection restarted during COM calls => Fixed, now RogueKiller is checking integrity of COM server and disables all the calls if corrupted.

EDIT: It's compiling, should be available in the next 20 minutes.
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 10, 2014, 03:15:42 PM
It's uploading, a few more minutes.

There's a big problem with Poweliks, it's COM calls;
I've disabled them for RK when that infection is detected, but it's used by many programs, including the OS itself.
So the infection can be restarted even after RK's processes scan. And that infection is also watching its registry key.

My advice if the infection cannot be cleaned with version 10.0.1:
- Start the scan, let RogueKiller go until the end.
- Start task manager, and kill every dllhost.exe process.
- Click on Delete button in RK to do the removal
- Reboot immediately.
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Ravens on October 10, 2014, 06:22:13 PM
Thank you.  Seems to have done the trick, however this is what I needed to do in order to kill off this thing.

Below is my historical sequence of events to kill it:

1. Downloaded RogueKiller 10.0.1 for 64 bit
2. Ran it and it fixed the error message but didn't remove it
3. Ran it again and did the following as suggested

- Start the scan, let RogueKiller go until the end
- Start task manager, and kill every dllhost.exe process
- Click on Delete button in RK to do the removal
- Reboot immediately (actually just pushed down on the power button)
- After reboot in Normal Mode the virus appeared again

4. Downloaded RogueKiller 10.0.1 for 32 bit
5. Ran it and it fixed the error message but didn't remove it
6. Ran it again and did the following as suggested

- Start the scan, let RogueKiller go until the end
- Start task manager, and kill every dllhost.exe process (had to do this repeatedly as they reappeared however I started off with the process that was consuming the most resources)
- Click on Delete button in RK to do the removal (had to do this repeatedly as the dllhost.exe reappeared)
- Once I didn't see a dllhost.exe reappear right away I shutdown my computer immediately
- Reboot immediately and start computer in Normal Mode (not Safe Mode)

7. Has not reappeared :)

Thank you very much!!!
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 10, 2014, 08:36:21 PM
You mean you still had the error message 0x2 with new version?
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Ravens on October 10, 2014, 08:55:43 PM
No error appeared so 10.0.1 fixed that issue. 

Now stopping the virus/malware from getting back into the registry was tricky but your suggestion about killing the processes in Task Manager and then clicking the Delete button and shutting down worked.  But you need to keep an eye on Task Manager while clicking the Delete button to see if the dllhost.exe reappears before shutting down.
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 12, 2014, 11:23:45 AM
Yes, as I said COM calls can be initiated by many programs, including OS itself.
It's not easily lockable before a reboot. Maybe we could do something with the driver, but it's too dangerous.
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: redwolfe_98 on October 12, 2014, 06:13:55 PM
if the "DLLHost" process is reinstalling the malware, which is malicious regkeys, it seems like the thing to do would be to first prevent the "DLLHost" process from running.. then remove the malicious regkeys..

I am thinking that it shouldn't be too hard to prevent the "DLLHost" process from running..
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 13, 2014, 08:32:42 AM
That's not that simple:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms678543%28v=vs.85%29.aspx

Clean system:
<any process> => Ole32.dll => svchost.exe (COM server) => look in registry to get process to launch =>  wmiprvse.exe (handle WMI)

Infected system
<any process> => Ole32.dll => svchost.exe (COM server) => look in registry to get process to launch =>  dllhost.exe, loaded with malicious DLL payload => restores the registry key


In blue, this is the legit chain, which is identical.
In Green, this is the legit action, starting the WMI handler
In Red, this is the malware action, starting a malicious payload through the DLL loader (dllhost, which is rather the same as rundll32)

As you can see, dllhost is started by a completely legit chain, and it can be initiated from any process that needs WMI. Hard to block.
I'm pretty sure the value of the registry key is also cached in svchost until next reboot, this is why removing the registry isn't enough.

dllhost can be blocked from running, based on what DLL it is starting. But to do so you need real time protection mechanisms ::)
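The activation chain Tigzy describes (svchost reads the class's registry entry, then launches dllhost.exe, which loads the DLL named there) can be made visible on a live machine. The script below is an added example written for this thread; it is not code from the thread or from RogueKiller. It lists each running dllhost.exe surrogate with its parent process and the CLSID from its command line, then shows the LocalServer32 / InprocServer32 entries for that CLSID in both HKCU\Software\Classes and HKLM\Software\Classes, since the thread notes the key turning up in both hives. The function names (Get-ComServerEntry, Get-DllhostSurrogate, Get-PerUserComServer) are this example's own; it assumes an elevated PowerShell session and only reads the registry, it changes nothing.

```powershell
# Added example (not from the thread or RogueKiller): map running dllhost.exe COM
# surrogates to the CLSID they host and to the registry entries the COM launcher
# consulted to start them. Read-only; run from an elevated PowerShell prompt.

function Get-ComServerEntry {
    param([Parameter(Mandatory)][string]$Clsid)
    # For a normal (non-elevated) user process, per-user classes under
    # HKCU\Software\Classes take precedence over HKLM for the same CLSID, so a
    # per-user entry can quietly replace the machine-wide server. Report both.
    $roots = [ordered]@{
        HKCU = "HKCU:\Software\Classes\CLSID\$Clsid"
        HKLM = "HKLM:\Software\Classes\CLSID\$Clsid"
    }
    foreach ($hive in $roots.Keys) {
        foreach ($sub in 'LocalServer32', 'InprocServer32') {
            $path = Join-Path -Path $roots[$hive] -ChildPath $sub
            if (Test-Path -LiteralPath $path) {
                # The unnamed '(default)' value holds the server path or command line.
                $server = (Get-ItemProperty -LiteralPath $path).'(default)'
                [pscustomobject]@{ Clsid = $Clsid; Hive = $hive; SubKey = $sub; Server = $server }
            }
        }
    }
}

function Get-DllhostSurrogate {
    # A COM surrogate is started as "DllHost.exe /Processid:{CLSID}"; that CLSID is
    # the class whose registry entries decided what the surrogate loads.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        $clsid = $null
        if ($_.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') { $clsid = $Matches[1] }
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            ParentName  = $parentName
            Clsid       = $clsid
            CommandLine = $_.CommandLine
        }
    }
}

function Get-PerUserComServer {
    # Every CLSID the current user has registered with a server entry. On a typical
    # workstation this list is short, so each entry is worth reading by hand.
    Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ComServerEntry -Clsid $_.PSChildName } |
        Where-Object { $_.Hive -eq 'HKCU' }
}

# --- Report ------------------------------------------------------------------
foreach ($s in Get-DllhostSurrogate) {
    Write-Host ("dllhost PID {0} (parent {1} {2}) hosts CLSID {3}" -f `
        $s.ProcessId, $s.ParentPid, $s.ParentName, $s.Clsid)
    if ($s.Clsid) {
        $entries = @(Get-ComServerEntry -Clsid $s.Clsid)
        $entries | Format-Table Hive, SubKey, Server -AutoSize | Out-String | Write-Host
        # A per-user entry shadowing a machine entry for the same CLSID is the thing
        # to examine first. As noted in the thread, the launcher (svchost) may keep
        # the value cached until reboot, so deleting the key alone is not enough.
        $inUser    = $entries | Where-Object { $_.Hive -eq 'HKCU' }
        $inMachine = $entries | Where-Object { $_.Hive -eq 'HKLM' }
        if ($inUser -and $inMachine) {
            Write-Warning "CLSID $($s.Clsid) is registered in both HKCU and HKLM; the HKCU entry wins for user processes. Review it."
        }
    }
}

Write-Host "`nPer-user COM server registrations (HKCU\Software\Classes\CLSID):"
Get-PerUserComServer | Format-Table Clsid, SubKey, Server -AutoSize
```

Run it before and after the removal steps in this thread: the first report shows which key and which parent process are behind each surrogate, and a second run after reboot confirms that no dllhost.exe is being re-spawned from a per-user CLSID entry.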
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: pathosmusic on October 20, 2014, 03:27:27 PM
Quote from: Ravens on October 10, 2014, 06:22:13 PM
Thank you.  Seems to have done the trick, however this is what I needed to do in order to kill off this thing.

Below is my historical sequence of events to kill it:

1. Downloaded RogueKiller 10.0.1 for 64 bit
2. Ran it and it fixed the error message but didn't remove it
3. Ran it again and did the following as suggested

- Start the scan, let RogueKiller go until the end
- Start task manager, and kill every dllhost.exe process
- Click on Delete button in RK to do the removal
- Reboot immediately (actually just pushed down on the power button)
- After reboot in Normal Mode the virus appeared again

4. Downloaded RogueKiller 10.0.1 for 32 bit
5. Ran it and it fixed the error message but didn't remove it
6. Ran it again and did the following as suggested

- Start the scan, let RogueKiller go until the end
- Start task manager, and kill every dllhost.exe process (had to do this repeatedly as they reappeared however I started off with the process that was consuming the most resources)
- Click on Delete button in RK to do the removal (had to do this repeatedly as the dllhost.exe reappeared)
- Once I didn't see a dllhost.exe reappear right away I shutdown my computer immediately
- Reboot immediately and start computer in Normal Mode (not Safe Mode)

7. Has not reappeared :)

Thank you very much!!!

THANK YOU!
This worked great, and same as you, the 32bit version did the trick! It seems there is a problem with the 64 bit version as I tried this many times and it didn't work, until the 32 bit version!
Title: Re: RogueKiller found registry entries but does not appear to remove the entries
Post by: Tigzy on October 20, 2014, 05:17:15 PM
I think this is mostly a problem of timing.
I tried with x64 version, that's the same problem. Infected dllhost restores the registry key.