Adlice forum

General Category => Malware removal help => Topic started by: fireguy856 on October 31, 2014, 02:28:25 am

Title: another poweliks
Post by: fireguy856 on October 31, 2014, 02:28:25 am
I'm having similar issues with poweliks.
Rouge Killer is actually the first scanner that found it. (per suggestion from my son-in-law)
During initialization,
TermThr is reported "Killed" Proc.svchost 4396 svchost.exe
During scan
registry Tr.poweliks HKEY USERS is detected and deleted
However, per the suggestions in other threads, recommending likking dllhost.exe, I am only able to kill the comm surrogate processes.
The original process cannot be killed because "Access is Denied"
Some time after rebooting, multiple dllhost.exe process begin to populate task manager processes.
Used task manager and Process Explorer to kill the dllhost, neither worked.
Like other posts, also noted conhost.exe randomly changing status/running in task manager, suspect it is related.
Also appears that if disconnected from the network/internet, the dllhost.exe will not propagate, must be looking for a connection to "wake"
Any suggestions?
Title: Re: another poweliks
Post by: manty on October 31, 2014, 06:59:42 am
I can only tell you what I did maybe it can help you. I may or may not be virus free as of now but a lot has changed recently.

I first found it running malwarebytes but that only removed some parts of it. I also removed a bunch of bogus msiexec.exes after malwarebytes only removed 1 in that area I found like 10 of them in folders.

Then I dug around until I found that rogue removed it and that removed some also. I also ran avast antivirus which picked out some files in the area it was located so I believe that to be part of it also. I also ran through all the stuff in Unhackme and that caught what I believe to be the rest I hope anyway. Norton Power Eraser found something as well.

I was getting hit by tons of IPs during the process so I put up privacyfirewall and was able to block everything and then do the cleanup. I haven't seen any ips hit me other then known stuff now for about 8 hours or so. I only posted what I ran that found something I ran just about everything you could think of that didn't.
Title: Re: another poweliks
Post by: Tigzy on October 31, 2014, 08:50:43 am
Hello
Please go here and try this first: http://forum.adlice.com/index.php?topic=252
Title: Re: another poweliks
Post by: fireguy856 on October 31, 2014, 09:38:38 pm
OK, Thanks for the additional info and details!

Made a slight change to your recommended procedures.

Started in "Safe Mode with Networking"

I was then able to kill ALL dllhost.exe processes.

Per the instructions, deleted the registry entry and IMMEDIATELY rebooted.

Has been about 24 hrs, no recurrence of the dllhost.exe propagating, also subsequent scans with Rouge Killer come up CLAEN.

THANKS ALL,

Best Regards

ab

Title: Re: another poweliks
Post by: Tigzy on November 02, 2014, 11:49:42 pm
Cool, thanks for the heads up :)