Topic: Still No Success Battling Poweliks

Michael Kem (Guest)

Still No Success Battling Poweliks
« on: October 28, 2014, 05:10:34 AM »
Thank you tigzy, doing as you requested and starting a separate thread here... hope this is the right place!

To reiterate,

Without any success with the 64 bit version, I went through the sequence eight times with the 32 bit version; this also didn't work. All the times I did this, I didn't have any dllhost.exe *32 (COM Surrogate) processes running at any time, so there were none to shut down, but I also clicked on 'End Process Tree' on the main dllhost.exe menu just to be thorough, getting the usual 'one or more processes in this process tree could not be ended' message. I would then click on delete in RK as fast as I could, and then, with my other finger on the power button, would *immediately* shut down the computer. I can't imagine being able to do all this any faster.

The only thing I can think of is that my OS is on an SSD, and is so fast that the malware reloads almost instantly. Beyond this, I haven't any ideas.

After reading about the success that Rookie Williams finally had using RogueKillerCMD to delete the Poweliks registry entry, I tried this. Unfortunately, I haven't been able to get RogueKillerCMD to run.

I guess I don't know the correct way to start it from the Command Prompt. It's on my Desktop, and when I type in the seemingly correct sequence, it starts for about half a second, seems to display part of the list of commands and then shuts down. I've tried about 20 different ways but still no luck. For this I apologize.

An unpleasant thought: could Poweliks be able to update itself?

And it's been a bit spooky: for the last six hours or so, only a few small dllhost *32 processes have been running, instead of a dozen or more starting up every five minutes or so.

Also, I didn't have the good luck that Kevin did; starting in safe mode and running RogueKiller did not work either.

Maybe if I could get RogueKillerCMD to run, this all might work.

Again, my thanks!

Reply #1, October 28, 2014, 05:35:07 PM

Tigzy (Administrator, Owner, Adlice Software)

Re: Still No Success Battling Poweliks
« Reply #1 on: October 28, 2014, 05:35:07 PM »
Hello,
No need to use the CMD line.
You just need to do the following:

- Start a scan with RK
- Kill all dllhost processes with process explorer (kill tree on the parent process)
- Do the removal with RK
- Reboot immediately (from within Windows, not with the physical button)
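
The "kill all dllhost processes" step above, and Tigzy's later point that only some of the dllhost instances carry a payload, as an added PowerShell example that is not part of this thread and not Adlice's code. It assumes an elevated Windows PowerShell 3+ session with the CIM cmdlets available; the function and variable names are my own.

```powershell
# Added example (not from the thread): list dllhost.exe instances with their
# parent for review, then kill a chosen parent's whole process tree before
# running the RK removal and restarting from within Windows.

function Get-DllhostInstances {
    # One row per dllhost.exe: its PID, parent PID/name and command line,
    # so the operator can see which instances share a suspicious parent.
    $all = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
    $all | Where-Object { $_.Name -ieq 'dllhost.exe' } | ForEach-Object {
        $parent = $byId[[int]$_.ParentProcessId]
        [pscustomobject]@{
            Pid         = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            ParentName  = $(if ($parent) { $parent.Name } else { '<exited>' })
            CommandLine = $_.CommandLine
        }
    }
}

function Get-ProcessTree {
    # Returns the root PID followed by all of its descendants (pre-order).
    param([int]$RootPid)
    $children = @{}
    foreach ($p in Get-CimInstance Win32_Process) {
        $ppid = [int]$p.ParentProcessId
        if (-not $children.ContainsKey($ppid)) { $children[$ppid] = @() }
        $children[$ppid] += [int]$p.ProcessId
    }
    $result = @()
    $stack = New-Object System.Collections.Stack
    $stack.Push($RootPid)
    while ($stack.Count -gt 0) {
        $cur = $stack.Pop()
        $result += $cur
        # PID 0 lists itself as its own parent; skip it to avoid looping.
        foreach ($c in $children[$cur]) { if ($c -ne $cur) { $stack.Push($c) } }
    }
    return $result
}

function Stop-ProcessTree {
    # Reversed pre-order kills every child before its parent, so a parent
    # cannot respawn children in the window before it is terminated itself.
    param([int]$RootPid)
    $tree = Get-ProcessTree -RootPid $RootPid
    [array]::Reverse($tree)
    foreach ($id in $tree) { Stop-Process -Id $id -Force -ErrorAction SilentlyContinue }
}

Get-DllhostInstances | Format-Table -AutoSize
```

After reviewing the table, call `Stop-ProcessTree -RootPid <parent PID>` for the parent of the suspicious instances, run the RK removal, then `Restart-Computer` rather than using the power button.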

Reply #2, October 29, 2014, 03:37:08 AM

Michael Kem (Guest)

Re: Still No Success Battling Poweliks
« Reply #2 on: October 29, 2014, 03:37:08 AM »
Well, things have taken a strange turn, but in a very good way!

After getting back here today and booting up the computer, I ran RK again. And to my complete astonishment, Poweliks didn't come up in the scan! I'm completely at a loss to explain this.

If I remember right, after I did the procedure in Safe Mode yesterday, on rescanning and checking for it, Poweliks was still there. But I've done the sequence so many times, I really can't remember...

I'd guess as well that the lack of multiple dllhost.exe *32 processes I noted yesterday meant that Poweliks had actually been removed at that point.

Maybe the computer needed to be shut down from within Windows, as you said. But I did this hours later.

So I'm hoping that it really has been deleted. I have no idea how I managed this.

Tremendous thanks for all your help again!!! Will be sending a donation after the first of the month, when my paycheck goes through! :P

Reply #3, October 29, 2014, 08:38:51 AM

Tigzy (Administrator, Owner, Adlice Software)

Re: Still No Success Battling Poweliks
« Reply #3 on: October 29, 2014, 08:38:51 AM »
When I performed the analysis on that malware, I noticed that only a small number of the dllhost processes were infected (let's say 25%); the others were just junk processes (maybe the malware is buggy), with no payload.
That's not stunning if you killed the good ones :)