Adlice forum

General Category => Malware removal help => Topic started by: edh4131 on October 17, 2014, 09:26:53 am

Title: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: edh4131 on October 17, 2014, 09:26:53 am
I know you recently updated RKiller for this new poweliks version. That said, good work, my RKiller picks it up and deletes it. The problem is... the key instantly respawns. I can run RKiller, it will find and remove the poweliks keys, then I can instantly run it again, and the keys will have respawned. I'm trying it again without restarting the PC. Maybe I just need to delete the subkeys, but I think by restarting I may have allowed it to install some additional key that I can't find. Anyway, I am working on it, but if you have any advice that would be great. Hopefully it's not a new variant already, and just an anomaly with my setup. Will post logs soon.
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: edh4131 on October 17, 2014, 09:28:19 am
Log of a scan, will follow with a second log as soon as it finishes.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014  02:27:26

Processes : 0

Registry : 5
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000036b])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_SCN_10172014_013259.log - RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_DEL_10172014_021224.log
RKreport_SCN_10172014_021742.log - RKreport_DEL_10172014_021812.log - RKreport_SCN_10172014_022446.log
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: edh4131 on October 17, 2014, 09:31:16 am
Before the second scan finishes, I have a sneaking suspicion dllhost is replicating the reg key as soon as it is deleted. Any idea how to handle this would be good. I will try disabling networking then running the tool possibly.
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: edh4131 on October 17, 2014, 09:49:22 am
Look at these logs, specifically timestamps.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014  02:42:33

Processes : 0

Registry : 1
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000035f])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_DEL_10172014_021224.log - RKreport_DEL_10172014_021812.log - RKreport_DEL_10172014_022726.log - RKreport_SCN_10172014_013259.log
RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_SCN_10172014_021742.log - RKreport_SCN_10172014_022446.log
RKreport_SCN_10172014_024012.log - RKreport_DEL_10172014_024120.log - RKreport_SCN_10172014_024225.log

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014  02:41:20

Processes : 0

Registry : 3
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000035f])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_DEL_10172014_021224.log - RKreport_DEL_10172014_021812.log - RKreport_DEL_10172014_022726.log - RKreport_SCN_10172014_013259.log
RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_SCN_10172014_021742.log - RKreport_SCN_10172014_022446.log
RKreport_SCN_10172014_024012.log
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: Tigzy on October 17, 2014, 04:07:19 pm
Do you see dllhost processes?
If yes, do the following:

- Scan with RogueKiller
- Kill all dllhost
- Do the Removal
- Reboot immediately
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: edh4131 on October 17, 2014, 08:49:57 pm
Is there a way I can do this manually? The dllhost is not caught by rkiller by itself; it does not terminate these processes. I can manually terminate 80 percent of them, but they replicate extremely fast. Some of them do not allow themselves to be removed. Also, thanks for taking the time to look at this.
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: edh4131 on October 17, 2014, 10:08:13 pm
I figured it out myself, you were right, all dllhost must be terminated before deleting the reg key. Also, I deleted dllhost entirely and got a clean copy just to be sure.
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: Tigzy on October 20, 2014, 11:38:34 am
dllhost is a wrapper to start DLLs, you should not remove the file.
There's a difference between the file and the in-memory process. The file is clean, whereas the process can be injected or loading malicious DLLs.
This is the case here, it's just loading a malicious DLL from the registry.
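An added audit script for the steps Tigzy lists and his point that the infected dllhost is a clean file loading a payload from the registry; it is not Adlice's code nor any poster's. It checks each loaded user hive for the CLSID\LocalServer32 key RogueKiller flagged in the logs and lists dllhost.exe processes whose parent process no longer exists (the pattern zootoonz later reports from Process Explorer); the SID pattern and the treatment of a missing parent as suspicious are my assumptions, and only hives of logged-on users appear under HKEY_USERS.

```powershell
# Added example (not from the thread or from Adlice): audit a Windows 7 host for the
# Poweliks traces discussed above. Runs in PowerShell 2.0 and later, elevated.
$clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'   # CLSID flagged by RogueKiller in the logs

# Expose HKEY_USERS as a drive so per-user hives can be walked
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# 1. Registry: a per-user override of this CLSID under Software\Classes is the persistence
#    RogueKiller deleted. Only loaded hives (logged-on users) are visible here.
$userHives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
foreach ($hive in $userHives) {
    $sid = $hive.PSChildName
    $keyPath = "HKU:\$sid\Software\Classes\CLSID\$clsid\LocalServer32"
    if (Test-Path -LiteralPath $keyPath) {
        $key = Get-Item -LiteralPath $keyPath
        if ($key.GetValueNames().Count -eq 0) {
            Write-Output ("SUSPICIOUS: {0} exists but has no values" -f $keyPath)
        }
        foreach ($name in $key.GetValueNames()) {
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $value = ($key.GetValue($name) -join ' ')
            # A clean profile has no per-user LocalServer32 for this CLSID at all, so any value is reported
            Write-Output ("SUSPICIOUS: {0} value '{1}' = {2}" -f $keyPath, $label, $value)
        }
    } else {
        Write-Output ("OK: no per-user LocalServer32 override for {0} in hive {1}" -f $clsid, $sid)
    }
}

# 2. Processes: list every dllhost.exe with its parent. Legitimate COM surrogates are started
#    by svchost (DcomLaunch); an orphaned dllhost, whose launcher has already exited, matches
#    the "<Non-existent process>" parent seen in Process Explorer and deserves a closer look.
$dllhosts = Get-WmiObject -Class Win32_Process -Filter "Name = 'dllhost.exe'"
foreach ($p in $dllhosts) {
    $parent = Get-Process -Id $p.ParentProcessId -ErrorAction SilentlyContinue
    $parentName = if ($parent) { $parent.ProcessName } else { '<non-existent process>' }
    $flag = if ($parent) { 'info' } else { 'SUSPICIOUS' }
    Write-Output ("{0}: dllhost.exe PID {1}, parent PID {2} ({3}), command line: {4}" -f `
        $flag, $p.ProcessId, $p.ParentProcessId, $parentName, $p.CommandLine)
}
```

Run it before and after the removal steps above: the registry section should report OK for every hive, and the process section should show no orphaned dllhost.exe once the box is clean.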
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: zootoonz on October 21, 2014, 05:14:55 pm
I may have the same problem. I have an apparently zombified DLLHOST.EXE (shows as "blank" owner) visible in task manager (size ~40404K). Task Manager will not allow me to kill the process. Also, RogueKiller does not identify this instance as problematic, though it does flag the registry item. As you say, deleting the registry entry does not solve the problem if the process is not first killed. Do you have any suggestions?
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: Tigzy on October 21, 2014, 05:36:18 pm
What does process explorer say about that dllhost process?
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: zootoonz on October 21, 2014, 05:49:55 pm
Private Bytes 40444K Working Set 61284K PID 8464  No description

Parent = <Non-existent process> (1964)

User = <access denied>


Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: zootoonz on October 22, 2014, 02:22:47 am
Update on my situation:

Booted in Safe Mode, without network support (no internet).
Opened Task Manager and killed instances of DLLHOST.EXE as they appeared.
Ran Rogue Killer, which flagged the Poweliks Registry entry.
Selected the offending entry and selected the "DELETE" option.
Reran Rogue Killer to verify that the Registry entry was no longer found.
Restarted the computer normally.

Thirty minutes later, I have no symptoms.  If that changes, I'll post again.
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: Tigzy on October 22, 2014, 11:06:31 am
I meant are you able to kill the processes with process explorer.
Ok, so you figured it out; A single scan in normal mode will tell you if it's still infected or not.
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: zootoonz on October 22, 2014, 01:35:12 pm
RE: Process Explorer. 

I could not kill the process with Process Explorer.  (Access Denied)

When I booted in Safe Mode, there was a popup indicating that there was a problem with PowerShell.  This was presumably Poweliks attempting its startup process.
Title: Re: ANOTHER new poweliks? This cant be right. Look into if you have the chance.
Post by: Tigzy on October 22, 2014, 03:25:13 pm
Yes, definitely. It uses powershell to load the payload.
Access denied, it's the first time I see this;