Author Topic: RogueKiller found registry entries but does not appear to remove the entries  (Read 18417 times)


Reply #15October 13, 2014, 08:32:42 AM

Tigzy

That's not that simple:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms678543%28v=vs.85%29.aspx

Clean system:
<any process> => Ole32.dll => svchost.exe (COM server) => look in registry to get process to launch => wmiprvse.exe (handle WMI)

Infected system
<any process> => Ole32.dll => svchost.exe (COM server) => look in registry to get process to launch => dllhost.exe, loaded with malicious DLL payload => restores the registry key


In blue, this is the legit chain, which is identical.
In green, this is the legit action, starting the WMI handler.
In red, this is the malware action, starting a malicious payload through the DLL loader (dllhost, which is rather the same as rundll32).

As you can see, dllhost is started by a completely legit chain, and it can be initiated from any process that needs WMI. Hard to block.
I'm pretty sure the value of the registry key is also cached in svchost until next reboot, this is why removing the registry isn't enough.

dllhost can be blocked from running, based on what DLL it is starting. But to do so you need real-time protection mechanisms ::)
« Last Edit: October 13, 2014, 08:34:42 AM by Tigzy »
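The chain above depends on what the COM registration in the registry says: the CLSID's InprocServer32 names the DLL, and an AppID with a DllSurrogate value tells COM to host that DLL inside dllhost.exe. As an added example (not code from this thread, from RogueKiller or from Adlice), the Python script below audits an exported .reg file offline for exactly that combination: a surrogate-hosted COM DLL that lives outside the usual system and program directories. The GUIDs, file paths, environment-variable mapping and the export text itself are constructed for the example; only the registry layout (CLSID\InprocServer32, CLSID\AppID, AppID\DllSurrogate) is standard COM.

```python
"""Audit a registry export (.reg) for COM classes that dllhost.exe would load
from an untrusted location. Added example: every GUID, path and the sample
export are constructed; only the CLSID/AppID/DllSurrogate layout is real COM."""
import re

# Directories from which a surrogate-hosted COM DLL is normally expected.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

# Constructed sample export: one in-box-style class, one hijacked class whose
# InprocServer32 is a REG_EXPAND_SZ (hex(2)) pointing under %APPDATA%, and the
# WMI provider host as a plain LocalServer32 for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}]
@="Example in-box class (constructed)"
"AppID"="{AAAAAAAA-0000-0000-0000-00000000000A}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\AppID\{AAAAAAAA-0000-0000-0000-00000000000A}]
"DllSurrogate"=""

[HKEY_CLASSES_ROOT\CLSID\{22222222-0000-0000-0000-000000000002}]
@="Hijacked class (constructed)"
"AppID"="{BBBBBBBB-0000-0000-0000-00000000000B}"

[HKEY_CLASSES_ROOT\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,5c,00,70,00,\
  61,00,79,00,6c,00,6f,00,61,00,64,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\AppID\{BBBBBBBB-0000-0000-0000-00000000000B}]
"DllSurrogate"=""

[HKEY_CLASSES_ROOT\CLSID\{33333333-0000-0000-0000-000000000003}\LocalServer32]
@="C:\\Windows\\System32\\wbem\\wmiprvse.exe"
"""


def decode_value(raw):
    """Decode a quoted REG_SZ or a hex(2) REG_EXPAND_SZ; other types stay raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg(text):
    """Return {key_path(lowercased): {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    text = re.sub(r",\\\r?\n\s*", ",", text)      # join hex(...) continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            keys[current][name] = decode_value(m.group(3))
    return keys


def expand_env(path):
    """Expand the common per-user variables (constructed example mapping)."""
    env = {"%APPDATA%": r"C:\Users\user\AppData\Roaming",
           "%LOCALAPPDATA%": r"C:\Users\user\AppData\Local",
           "%TEMP%": r"C:\Users\user\AppData\Local\Temp",
           "%SYSTEMROOT%": r"C:\Windows"}
    for var, val in env.items():
        path = re.sub(re.escape(var), lambda _m: val, path, flags=re.IGNORECASE)
    return path


def is_trusted_path(path):
    return expand_env(path).lower().startswith(TRUSTED_DIRS)


def audit(keys):
    """Return [(CLSID, dll_path, reasons)] for InprocServer32 DLLs at untrusted paths."""
    findings = []
    for key, values in keys.items():
        m = re.fullmatch(r"hkey_classes_root\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32", key)
        if not m:
            continue
        clsid, dll = m.group(1), values.get("@", "")
        if not dll or is_trusted_path(dll):
            continue
        reasons = ["InprocServer32 outside trusted directories"]
        appid = keys.get(f"hkey_classes_root\\clsid\\{clsid}", {}).get("AppID", "")
        surrogate = keys.get(f"hkey_classes_root\\appid\\{appid.lower()}", {})
        if any(n.lower() == "dllsurrogate" for n in surrogate):
            reasons.append("AppID enables DllSurrogate: DLL is hosted by dllhost.exe")
        findings.append((clsid.upper(), dll, reasons))
    return findings


def audit_reg_text(text):
    return audit(parse_reg(text))


if __name__ == "__main__":
    for clsid, dll, reasons in audit_reg_text(SAMPLE_REG):
        print(clsid, dll, "; ".join(reasons))
```

Run it against `reg export HKCR\CLSID` and `reg export HKCR\AppID` output from the machine under investigation; a hit that carries both reasons is the surrogate pattern Tigzy describes, and the DLL it names is the file whose hash and signature should be checked before the key is removed.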

Reply #16October 20, 2014, 03:27:27 PM

pathosmusic

Thank you. Seems to have done the trick; however, this is what I needed to do in order to kill off this thing.

Below is my historical sequence of events to kill it:

1. Downloaded RogueKiller 10.0.1 for 64 bit
2. Ran it and it fixed the error message but didn't remove it
3. Ran it again and did the following as suggested

- Start the scan, let RogueKiller go until the end
- Start task manager, and kill every dllhost.exe process
- Click on Delete button in RK to do the removal
- Reboot immediately (actually just pushed down on the power button)
- After reboot in Normal Mode the virus appeared again

4. Downloaded RogueKiller 10.0.1 for 32 bit
5. Ran it and it fixed the error message but didn't remove it
6. Ran it again and did the following as suggested

- Start the scan, let RogueKiller go until the end
- Start task manager, and kill every dllhost.exe process (had to do this repeatedly as they reappeared however I started off with the process that was consuming the most resources)
- Click on Delete button in RK to do the removal (had to do this repeatedly as the dllhost.exe reappeared)
- Once I didn't see a dllhost.exe reappear right away I shut down my computer immediately
- Reboot immediately and start computer in Normal Mode (not Safe Mode)

7. Has not reappeared :)

Thank you very much!!!

THANK YOU!
This worked great, and same as you, the 32-bit version did the trick! It seems there is a problem with the 64-bit version as I tried this many times and it didn't work, until the 32-bit version!

Reply #17October 20, 2014, 05:17:15 PM

Tigzy

I think this is more a problem of timing.
I tried with the x64 version; it's the same problem. Infected dllhost restores the registry key.