Author Topic: ANOTHER new poweliks? This can't be right. Look into it if you have the chance.


October 17, 2014, 09:26:53 AM

edh4131

  • Guest
I know you recently updated RKiller for this new poweliks version. That said, good work, my RKiller picks it up and deletes it. The problem is... the key instantly respawns. I can run RKiller, it will find and remove the poweliks keys, then I can instantly run it again, and the keys will have respawned. I'm trying it again without restarting the PC. Maybe I just need to delete the subkeys, but I think by restarting I may have allowed it to install some additional key that I can't find. Anyway, I am working on it, but if you have any advice that would be great. Hopefully it's not a new variant already, and just an anomaly with my setup. Will post logs soon.

Reply #1, October 17, 2014, 09:28:19 AM

edh4131

  • Guest
Log of a scan, will follow with a second log as soon as it finishes.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014  02:27:26

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 5 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_SCN_10172014_013259.log - RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_DEL_10172014_021224.log
RKreport_SCN_10172014_021742.log - RKreport_DEL_10172014_021812.log - RKreport_SCN_10172014_022446.log

Reply #2, October 17, 2014, 09:31:16 AM

edh4131

  • Guest
Before the second scan finishes, I have a sneaking suspicion dllhost is replicating the reg key as soon as it is deleted. Any idea how to handle this would be good. I will try disabling networking then running the tool possibly.

Reply #3, October 17, 2014, 09:49:22 AM

edh4131

  • Guest
Look at these logs, specifically timestamps.

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014  02:42:33

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_DEL_10172014_021224.log - RKreport_DEL_10172014_021812.log - RKreport_DEL_10172014_022726.log - RKreport_SCN_10172014_013259.log
RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_SCN_10172014_021742.log - RKreport_SCN_10172014_022446.log
RKreport_SCN_10172014_024012.log - RKreport_DEL_10172014_024120.log - RKreport_SCN_10172014_024225.log

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode
User : Erik [Administrator]
Mode : Delete -- Date : 10/17/2014  02:41:20

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B767E478-EFF6-48E7-8E63-28EE10240EE3} | DhcpNameServer : 192.168.0.1 205.171.2.26  -> Replaced ()
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4008097565-3984676253-4284047479-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 573ca27564c0a9829d70b4cf76aa3928
[BSP] ec76682bdc0f851d19cae3c98f093dc6 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10172014_013445.log - RKreport_DEL_10172014_013603.log - RKreport_DEL_10172014_014952.log - RKreport_DEL_10172014_015046.log
RKreport_DEL_10172014_021224.log - RKreport_DEL_10172014_021812.log - RKreport_DEL_10172014_022726.log - RKreport_SCN_10172014_013259.log
RKreport_SCN_10172014_014912.log - RKreport_SCN_10172014_021205.log - RKreport_SCN_10172014_021742.log - RKreport_SCN_10172014_022446.log
RKreport_SCN_10172014_024012.log

Reply #4, October 17, 2014, 04:07:19 PM

Tigzy

  • Administrator (Owner, Adlice Software)
Do you see dllhost processes?
If yes, do the following:

- Scan with RogueKiller
- Kill all dllhost
- Do the Removal
- Reboot immediately

Reply #5, October 17, 2014, 08:49:57 PM

edh4131

  • Guest
Is there a way I can do this manually? The dllhost is not caught by RKiller by itself; it does not terminate these processes. I can manually terminate 80 percent of them, but they replicate extremely fast. Some of them do not allow themselves to be removed. Also, thanks for taking the time to look at this.

Reply #6, October 17, 2014, 10:08:13 PM

edh4131

  • Guest
I figured it out myself, you were right, all dllhost must be terminated before deleting the reg key. Also, I deleted dllhost entirely and got a clean copy just to be sure.

Reply #7, October 20, 2014, 11:38:34 AM

Tigzy

  • Administrator (Owner, Adlice Software)
dllhost is a wrapper to start DLLs; you should not remove the file.
There's a difference between the file and the in-memory process. The file is clean, whereas the process can be injected or can load malicious DLLs.
This is the case here; it's just loading a malicious DLL from the registry.

Reply #8, October 21, 2014, 05:14:55 PM

zootoonz

  • Guest
I may have the same problem. I have an apparently zombified DLLHOST.EXE (shows as "blank" owner) visible in Task Manager (size ~40404K). Task Manager will not allow me to kill the process. Also, RogueKiller does not identify this instance as problematic, though it does flag the registry item. As you say, deleting the registry entry does not solve the problem if the process is not first killed. Do you have any suggestions?

Reply #9, October 21, 2014, 05:36:18 PM

Tigzy

  • Administrator (Owner, Adlice Software)
What does Process Explorer say about that dllhost process?

Reply #10, October 21, 2014, 05:49:55 PM

zootoonz

  • Guest
Private Bytes 40444K Working Set 61284K PID 8464  No description

Parent = <Non-existent process> (1964)

User = <access denied>


« Last Edit: October 21, 2014, 06:08:48 PM by zootoonz »

Reply #11, October 22, 2014, 02:22:47 AM

zootoonz

  • Guest
Update on my situation:

Booted in Safe Mode, without network support (no internet).
Opened Task Manager and killed instances of DLLHOST.EXE as they appeared.
Ran RogueKiller, which flagged the Poweliks registry entry.
Selected the offending entry and selected the "DELETE" option.
Reran RogueKiller to verify that the registry entry was no longer found.
Restarted the computer normally.

Thirty minutes later, I have no symptoms. If that changes, I'll post again.
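
The order Tigzy gives in reply #4 (kill every dllhost, then remove the key, then reboot) and the Process Explorer indicators zootoonz reports in reply #10 (parent process gone, owner unreadable), combined into one added PowerShell example. This is not code from the thread or from Adlice/RogueKiller. It assumes an elevated Windows PowerShell prompt, that the CLSID is the one in the RogueKiller logs above, and that the function names, the watch window and leaving the reboot to the operator are this example's own choices, not anything the original posts specify.

```powershell
# Added example (not from the thread, not Adlice/RogueKiller code).
# Assumptions: run elevated; the CLSID below is the one RogueKiller flagged in the
# logs above; function names and the watch window are this example's choices.

$Clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'

function Get-DllhostReport {
    # One row per dllhost.exe: does its parent still exist, and can the owner be read?
    # A dllhost whose parent is gone and whose owner is unreadable matches what
    # Process Explorer showed in reply #10.
    $all  = Get-WmiObject -Class Win32_Process
    $pids = @($all | ForEach-Object { $_.ProcessId })
    foreach ($p in @($all | Where-Object { $_.Name -ieq 'dllhost.exe' })) {
        $owner = '<access denied>'
        try {
            $o = $p.GetOwner()
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }
        New-Object PSObject -Property @{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            ParentAlive = ($pids -contains $p.ParentProcessId)
            Owner       = $owner
            CommandLine = $p.CommandLine
        }
    }
}

function Get-PoweliksKeys {
    # The flagged key sits under each loaded user hive; HKU: is not a default drive.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue | ForEach-Object {
        $k = "HKU:\$($_.PSChildName)\Software\Classes\CLSID\$Clsid\LocalServer32"
        if (Test-Path -Path $k) { $k }
    }
}

function Invoke-PoweliksCleanup {
    param([int]$SecondsToWatch = 30)   # watch window is an assumption, not from the thread

    Write-Host 'dllhost.exe processes before cleanup:'
    Get-DllhostReport | Format-Table PID, ParentPID, ParentAlive, Owner, CommandLine -AutoSize | Out-Host

    # 1. Kill every dllhost first. Deleting the key while one is still running is
    #    exactly what let it be rewritten in the first post.
    foreach ($d in @(Get-DllhostReport)) {
        try {
            Stop-Process -Id $d.PID -Force -ErrorAction Stop
            Write-Host "killed dllhost PID $($d.PID)"
        } catch {
            Write-Warning "could not kill PID $($d.PID): $($_.Exception.Message). Repeat from Safe Mode without networking."
        }
    }

    # 2. Remove the LocalServer32 key RogueKiller reports, in every loaded user hive.
    foreach ($k in @(Get-PoweliksKeys)) {
        Remove-Item -Path $k -Recurse -Force
        Write-Host "deleted $k"
    }

    # 3. Watch for the key coming back. A respawn means a dllhost survived step 1.
    $deadline = (Get-Date).AddSeconds($SecondsToWatch)
    while ((Get-Date) -lt $deadline) {
        $back = @(Get-PoweliksKeys)
        if ($back.Count -gt 0) {
            Write-Warning "key respawned: $($back -join ', ')"
            return $false
        }
        Start-Sleep -Seconds 2
    }
    Write-Host "key stayed gone for $SecondsToWatch s. Reboot now (Restart-Computer -Force) and rescan in normal mode."
    return $true
}

Invoke-PoweliksCleanup
```

The reboot is deliberately not issued by the script, so the operator can read the warnings first. If Stop-Process reports access denied on one dllhost, as it did for zootoonz in Process Explorer, the run is not clean: rerun the same script from Safe Mode without networking, where that process does not get a chance to start, and confirm afterwards with a single RogueKiller scan in normal mode as Tigzy suggests.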

Reply #12, October 22, 2014, 11:06:31 AM

Tigzy

  • Administrator (Owner, Adlice Software)
I meant: are you able to kill the processes with Process Explorer?
OK, so you figured it out. A single scan in normal mode will tell you if it's still infected or not.

Reply #13, October 22, 2014, 01:35:12 PM

zootoonz

  • Guest
RE: Process Explorer.

I could not kill the process with Process Explorer. (Access Denied)

When I booted in Safe Mode, there was a popup indicating that there was a problem with PowerShell.  This was presumably Poweliks attempting its startup process.

Reply #14, October 22, 2014, 03:25:13 PM

Tigzy

  • Administrator (Owner, Adlice Software)
Yes, definitely. It uses PowerShell to load the payload.
Access denied: it's the first time I've seen this.