Adlice forum
General Category => Malware removal help => Topic started by: edh4131 on October 17, 2014, 09:26:53 AM
-
I know you recently updated RKiller for this new poweliks version. That said, good work, my RKiller picks it up and deletes it. The problem is... the key instantly respawns. I can run RKiller, it will find and remove the poweliks keys, then I can instantly run it again, and the keys will have respawned. I'm trying it again without restarting the pc. Maybe I just need to delete the subkeys, but I think by restarting I may have allowed it to install some additional key that I can't find. Anyway, I am working on it, but if you have any advice that would be great. Hopefully it's not a new variant already, and just an anomaly with my setup. Will post logs soon.
-
Log of a scan, will follow with a second log as soon as it finishes.
RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014 02:27:26
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 5 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.26 -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.26 -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26 -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26 -> Replaced ()
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_SCN_10172014_013259.log - RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_DEL_10172014_021224.log
RKreport_SCN_10172014_021742.log - RKreport_DEL_10172014_021812.log - RKreport_SCN_10172014_022446.log
-
Before the second scan finishes, I have a sneaking suspicion dllhost is replicating the reg key as soon as it is deleted. Any idea how to handle this would be good. I will try disabling networking then running the tool possibly.
-
Look at these logs, specifically timestamps.
RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014 02:42:33
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 1 ¤¤¤
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_DEL_10172014_021224.log - RKreport_DEL_10172014_021812.log - RKreport_DEL_10172014_022726.log - RKreport_SCN_10172014_013259.log
RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_SCN_10172014_021742.log - RKreport_SCN_10172014_022446.log
RKreport_SCN_10172014_024012.log - RKreport_DEL_10172014_024120.log - RKreport_SCN_10172014_024225.log
RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014 02:41:20
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 3 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26 -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26 -> Replaced ()
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_DEL_10172014_021224.log - RKreport_DEL_10172014_021812.log - RKreport_DEL_10172014_022726.log - RKreport_SCN_10172014_013259.log
RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_SCN_10172014_021742.log - RKreport_SCN_10172014_022446.log
RKreport_SCN_10172014_024012.log
-
Do you see dllhost processes?
If yes, do the following:
- Scan with RogueKiller
- Kill all dllhost
- Do the Removal
- Reboot immediately
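A read-only triage script, added here as an example (it is not part of the thread and not RogueKiller's code), that checks the two indicators discussed above: the Poweliks CLSID `LocalServer32` key in each loaded user hive (the CLSID is the one RogueKiller flagged in the logs posted earlier) and the running `dllhost.exe` instances with their parent processes. It assumes an elevated PowerShell 3.0 or later prompt on Windows; the function names are my own. It deletes and kills nothing, so the kill-dllhost, delete-key, reboot order above still has to be carried out with the tools described.

```powershell
# Added example, not RogueKiller's code. Read-only triage for the Poweliks
# persistence described in this thread. Run from an elevated PowerShell prompt
# (3.0+; on PowerShell 2.0 replace Get-CimInstance with Get-WmiObject).

# CLSID taken from the [Tr.Poweliks] line in the posted RogueKiller logs.
$PoweliksClsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'

function Get-PoweliksClsidKeys {
    # Walk every hive currently loaded under HKEY_USERS (only logged-on users
    # are loaded; hives of other accounts are not checked) and report the
    # Software\Classes\CLSID\<clsid>\LocalServer32 key if it is present.
    $hits = @()
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        $keyPath = "Registry::HKEY_USERS\$sid\Software\Classes\CLSID\$PoweliksClsid\LocalServer32"
        if (Test-Path -LiteralPath $keyPath) {
            $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
            # Value names are listed so an analyst can see anything unusual
            # stored beside the default value; PS* properties are provider noise.
            $valueNames = $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $_.Name }
            $hits += [pscustomobject]@{
                Hive       = $sid
                Key        = $keyPath
                Default    = $props.'(default)'
                ValueNames = ($valueNames -join ', ')
            }
        }
    }
    return $hits
}

function Get-DllhostProcesses {
    # List dllhost.exe instances with their parent. Legitimate dllhost.exe
    # (the COM surrogate) is normally started by svchost.exe (DcomLaunch);
    # the Process Explorer output quoted in this thread showed a parent that
    # no longer existed, which is worth flagging.
    $all = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $_.Name -ieq 'dllhost.exe' })) {
        $parent = $byPid[$p.ParentProcessId]
        $parentName = '<non-existent process>'
        if ($parent) { $parentName = $parent.Name }
        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            ParentName  = $parentName
            CommandLine = $p.CommandLine
        }
    }
}

$keys  = Get-PoweliksClsidKeys
$procs = @(Get-DllhostProcesses)

if ($keys) {
    'Poweliks CLSID LocalServer32 key present in the following hive(s):'
    $keys | Format-List
} else {
    'No Poweliks CLSID LocalServer32 key found under the loaded HKEY_USERS hives.'
}

"dllhost.exe instances running: $($procs.Count)"
$procs | Format-Table -AutoSize
```

Run it before and after the removal steps: if the key is reported again after a delete, the respawning process has not been stopped, which is exactly the behaviour the thread describes. A `dllhost.exe` whose parent is reported as `<non-existent process>` matches the Process Explorer output quoted later in the thread and is the instance to look at first.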
-
Is there a way I can do this manually? The dllhost is not caught by rkiller by itself, it does not terminate these process. I can manually terminate 80 percent of them, but they replicate extremely fast. Some of them do not allow themselves to be removed. Also, thanks for taking the time to look at this.
-
I figured it out myself, you were right, all dllhost must be terminated before deleting the reg key. Also, I deleted dllhost entirely and got a clean copy just to be sure.
-
dllhost is a wrapper to start DLLs, you should not remove the file.
There's a difference between the file and the in-memory process. The file is clean, whereas the process can be injected or can be loading malicious DLLs.
This is the case here, it's just loading malicious DLL from the registry.
-
I may have the same problem. I have an apparently zombified DLLHOST.EXE (shows as "blank" owner) visible in task manager (size ~40404K). Task Manager will not allow me to kill the process. Also, RogueKiller does not identify this instance as problematic, though it does flag the registry item. As you say, deleting the registry entry does not solve the problem if the process is not first killed. Do you have any suggestions?
-
What does process explorer say about that dllhost process?
-
Private Bytes 40444K Working Set 61284K PID 8464 No description
Parent = <Non-existent process> (1964)
User = <access denied>
-
Update on my situation:
Booted in Safe Mode, without network support (no internet).
Opened Task Manager and killed instances of DLLHOST.EXE as they appeared.
Ran Rogue Killer, which flagged the Poweliks Registry entry.
Selected the offending entry and selected the "DELETE" option.
Reran Rogue Killer to verify that the Registry entry was no longer found.
Restarted the computer normally.
Thirty minutes later, I have no symptoms. If that changes, I'll post again.
-
I meant are you able to kill the processes with process explorer.
OK, so you figured it out; a single scan in normal mode will tell you if it's still infected or not.
-
RE: Process Explorer.
I could not kill the process with Process Explorer. (Access Denied)
When I booted in Safe Mode, there was a popup indicating that there was a problem with PowerShell. This was presumably Poweliks attempting its startup process.
-
Yes, definitely. It uses powershell to load the payload.
Access denied: it's the first time I've seen this.