Topic: RogueKiller found registry entries but does not appear to remove the entries


October 09, 2014, 02:52:35 pm

broneil

  • Guest
I ran the latest version of RogueKiller and found the registry entry.  When I hit the "Delete" button the entry removal errors out.  Please see the attached file which contains the screenshot. 

Reply #1, October 09, 2014, 02:58:22 pm

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 924
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Hello.
Can you verify with regedit that the key exists (or not)?

Reply #2, October 09, 2014, 03:54:52 pm

Ravens

  • Guest
Hello.  I am running into the same issue this morning.  I checked the registry and the key exists with quite a bit of information.  Please view the attached screenshots.

Ravens

Reply #3, October 09, 2014, 05:19:45 pm

Velorider87

  • Guest
This seems to be the current state of this pesky infection. While RogueKiller seems to be the only tool I have found that will find Poweliks, it still doesn't remove it due to the reg key protection issue. There seem to be a lot of people asking about this. Is there a way to identify the PID that is protecting the removal of the found infection and shut down that process so the tool can do its magic?

Reply #4, October 10, 2014, 09:55:46 am

Tigzy

The process cannot be stopped; it's an svchost process that is useful for COM object calls.
If you stop it, you'll have to reboot.

There's no process protection; I think it's only ACLs.
Could you dump the related key into a hive format with regedit? Dump at the {AB89...} key level please, and attach the file here.

To do so, right-click on the key, "Export" => change the type to "system hive (*.*)" and save it.

Reply #5, October 10, 2014, 09:58:15 am

Tigzy

OK, I do understand.
You are not in the right registry hive.

HKEY_USERS is different from HKEY_CLASSES_ROOT/HKEY_LOCAL_MACHINE.
It looks like it's in both hives now; I'll take a look.

Reply #6, October 10, 2014, 10:47:06 am

Tigzy

I found that the keys are indeed protected (they are recreated, actually) by the dllhost processes.
With Process Explorer, do a "kill tree" on the dllhost parent process, then restore the registry key (manually; the fix isn't ready for RogueKiller).
You need to reboot right after.

Reply #7, October 10, 2014, 02:19:47 pm

Ravens

  • Guest
OK, attached is the hive file; I had to adjust the file type to .txt in order to upload it.

After killing the dllhost.exe and removing the registry key, how should I replace it and with what entries?

Reply #8, October 10, 2014, 02:52:13 pm

Tigzy

Can you please wait just a few minutes?
Version 10.0.1 is supposed to fix that. It would be good to have confirmation.

Several bugs fixed:
- Problem when removing a key (not found) because of the case of the subkey (LocalServer32 vs localserver32) => Fixed
- Problem of the Poweliks infection being restarted during COM calls => Fixed; now RogueKiller checks the integrity of the COM server and disables all the calls if it is corrupted.

EDIT: It's compiling, should be available in the next 20 minutes.
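The three points in the replies above (the key can live in both the per-user and the machine-wide Classes hive, registry key names are matched case-insensitively, and the COM server registered under LocalServer32 can be sanity-checked before it is trusted), plus the hive-format dump asked for in Reply #4, as an added PowerShell example. This is not RogueKiller's code and its "integrity" heuristic is this example's own, not the check the 10.0.1 release implements. The full CLSID is a parameter because the thread shows only the {AB89...} prefix.

```powershell
# Added example (not RogueKiller's code): inspect the flagged CLSID in both
# Classes hives, sanity-check its LocalServer32 value, and dump the key in hive
# format before anything is deleted. Run from an elevated PowerShell.
param(
    # Full GUID of the key RogueKiller flagged (the thread only shows {AB89...}).
    [Parameter(Mandatory = $true)][string]$Clsid,
    [string]$DumpDir = "$env:USERPROFILE\Desktop"
)

# HKCR is a merged view: per-user HKCU\Software\Classes shadows the machine-wide
# HKLM\Software\Classes, which is why a key can appear to be "in both hives".
$roots = [ordered]@{
    HKCU = "HKCU:\Software\Classes\CLSID\$Clsid"
    HKLM = "HKLM:\Software\Classes\CLSID\$Clsid"
}

function Get-ComServerCommand([string]$ClsidKey) {
    # Registry key names are case-insensitive, so the subkey must be matched
    # with -ieq: LocalServer32 and localserver32 are the same key.
    $sub = Get-ChildItem -Path $ClsidKey -ErrorAction SilentlyContinue |
           Where-Object { $_.PSChildName -ieq 'LocalServer32' }
    if (-not $sub) { return $null }
    return (Get-ItemProperty -Path $sub.PSPath).'(default)'
}

function Test-ComServerIntegrity([string]$Command) {
    # Heuristic used by this example only: a sane LocalServer32 names an existing
    # .exe; inline script or a script host in that slot is not a real COM server.
    if ([string]::IsNullOrWhiteSpace($Command)) { return 'missing' }
    if ($Command -imatch 'javascript:|vbscript:|mshta\.exe|rundll32\.exe') { return 'suspicious' }
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe -PathType Leaf) { return 'ok' }
    return 'binary-not-found'
}

foreach ($hive in $roots.Keys) {
    $key = $roots[$hive]
    if (-not (Test-Path -Path $key)) { Write-Output "${hive}: key absent"; continue }
    $cmd = Get-ComServerCommand $key
    Write-Output ("{0}: LocalServer32 = {1} [{2}]" -f $hive, $cmd, (Test-ComServerIntegrity $cmd))

    # Hive-format dump of the key (reg.exe save needs an elevated prompt).
    $regPath = $key -replace '^HKCU:\\', 'HKCU\' -replace '^HKLM:\\', 'HKLM\'
    $out = Join-Path $DumpDir ("{0}-{1}.hiv" -f $hive, ($Clsid -replace '[{}]', ''))
    & reg.exe save $regPath $out /y | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Output "${hive}: dumped to $out" }
}

if ((Test-Path -Path $roots.HKCU) -and (Test-Path -Path $roots.HKLM)) {
    Write-Warning "per-user key shadows the machine-wide one; COM will use the HKCU server"
}
```

Invoke it as `.\Inspect-Clsid.ps1 -Clsid '{...}'` with the GUID from your own RogueKiller report. The HKCU-shadows-HKLM warning is the important one: a clean-looking HKLM entry says nothing about what COM will actually launch if a per-user override exists.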

Reply #9, October 10, 2014, 03:15:42 pm

Tigzy

It's uploading, a few more minutes.

There's a big problem with Poweliks: its COM calls.
I've disabled them for RK when that infection is detected, but they are used by many programs, including the OS itself.
So the infection can be restarted even after RK's process scan. And that infection is also watching its registry key.

My advice if the infection cannot be cleaned with version 10.0.1:
- Start the scan, let RogueKiller go until the end.
- Start Task Manager, and kill every dllhost.exe process.
- Click on the Delete button in RK to do the removal.
- Reboot immediately.
« Last Edit: October 10, 2014, 08:34:35 pm by Tigzy »

Reply #10, October 10, 2014, 06:22:13 pm

Ravens

  • Guest
Thank you. It seems to have done the trick; however, this is what I needed to do in order to kill off this thing.

Below is my historical sequence of events to kill it:

1. Downloaded RogueKiller 10.0.1 for 64 bit
2. Ran it and it fixed the error message but didn't remove it
3. Ran it again and did the following as suggested

- Start the scan, let RogueKiller go until the end
- Start Task Manager, and kill every dllhost.exe process
- Click on the Delete button in RK to do the removal
- Reboot immediately (actually just pushed down on the power button)
- After reboot in Normal Mode the virus appeared again

4. Downloaded RogueKiller 10.0.1 for 32 bit
5. Ran it and it fixed the error message but didn't remove it
6. Ran it again and did the following as suggested

- Start the scan, let RogueKiller go until the end
- Start Task Manager, and kill every dllhost.exe process (had to do this repeatedly as they reappeared; however, I started off with the process that was consuming the most resources)
- Click on the Delete button in RK to do the removal (had to do this repeatedly as the dllhost.exe reappeared)
- Once I didn't see a dllhost.exe reappear right away I shut down my computer immediately
- Reboot immediately and start computer in Normal Mode (not Safe Mode)

7. Has not reappeared :)

Thank you very much!!!
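The manual sequence from Replies #9 and #10 above (kill every dllhost.exe, delete the key, repeat until nothing comes back, then reboot at once), automated as an added PowerShell example. It is not RogueKiller's code: Remove-Item stands in for the tool's Delete button, the full CLSID is a parameter because the thread only shows the {AB89...} prefix, and it is meant to be run from an elevated prompt after RogueKiller's scan has finished.

```powershell
# Added example (not RogueKiller's code): the kill / delete / watch loop from the
# thread. Expects an elevated PowerShell; reboots the machine at the end unless
# -NoReboot is given.
param(
    [Parameter(Mandatory = $true)][string]$Clsid,   # full GUID of the flagged key
    [int]$MaxRounds = 10,
    [switch]$NoReboot
)

$keys = @(
    "HKCU:\Software\Classes\CLSID\$Clsid",
    "HKLM:\Software\Classes\CLSID\$Clsid"
)

function Stop-AllDllhost {
    # dllhost.exe is the COM surrogate the infection runs in and what re-creates
    # the key. svchost.exe (the DCOM launcher) must stay up, so only dllhost dies.
    $procs = @(Get-Process -Name dllhost -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }
    return $procs.Count
}

function Remove-FlaggedKeys {
    $removed = 0
    foreach ($k in $keys) {
        if (Test-Path -Path $k) {
            try {
                Remove-Item -Path $k -Recurse -Force -ErrorAction Stop
                $removed++
            } catch {
                # A restrictive ACL on the key surfaces here; take ownership in
                # regedit (Permissions > Advanced) and re-run.
                Write-Warning "could not remove ${k}: $($_.Exception.Message)"
            }
        }
    }
    return $removed
}

$round = 0
do {
    $round++
    $killed  = Stop-AllDllhost
    $removed = Remove-FlaggedKeys
    Write-Output ("round {0}: stopped {1} dllhost.exe, removed {2} key(s)" -f $round, $killed, $removed)

    # Any COM call made meanwhile (by the OS or another program) can spawn a new
    # dllhost and rewrite the key; check both before declaring victory.
    Start-Sleep -Seconds 2
    $keysBack = @($keys | Where-Object { Test-Path -Path $_ }).Count
    $hostBack = @(Get-Process -Name dllhost -ErrorAction SilentlyContinue).Count
} while (($keysBack -gt 0 -or $hostBack -gt 0) -and $round -lt $MaxRounds)

if ($keysBack -gt 0) {
    Write-Warning "key came back $MaxRounds times; reboot and re-run the RogueKiller scan"
} else {
    Write-Output "key gone and no dllhost.exe running; rebooting now, as advised"
}
if (-not $NoReboot) { Restart-Computer -Force }
```

Run it as `.\Clean-Poweliks.ps1 -Clsid '{...}'`. Legitimate COM surrogates also run as dllhost.exe, so on a busy machine the loop may hit `$MaxRounds` with the key already gone; the reboot is still the right next step, and the earlier thread advice to re-scan afterwards still applies.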

Reply #11, October 10, 2014, 08:36:21 pm

Tigzy

You mean you still had the error message 0x2 with the new version?

Reply #12, October 10, 2014, 08:55:43 pm

Ravens

  • Guest
No error appeared, so 10.0.1 fixed that issue.

Now, stopping the virus/malware from getting back into the registry was tricky, but your suggestion about killing the processes in Task Manager, then clicking the Delete button and shutting down, worked. But you need to keep an eye on Task Manager while clicking the Delete button to see if the dllhost.exe reappears before shutting down.

Reply #13, October 12, 2014, 11:23:45 am

Tigzy

Yes, as I said, COM calls can be initiated by many programs, including the OS itself.
It's not easily lockable before a reboot. Maybe we could do something with the driver, but it's too dangerous.

Reply #14, October 12, 2014, 06:13:55 pm

redwolfe_98

  • Guest
If the "DLLHost" process is reinstalling the malware, which is malicious reg keys, it seems like the thing to do would be to first prevent the "DLLHost" process from running, then remove the malicious reg keys.

I am thinking that it shouldn't be too hard to prevent the "DLLHost" process from running.