Some Questions

[drdancm]

I purchased the Premium Technician Version yesterday.

Questions:
1 What is  "Scan Offline Registry". Does it mean I can remove the HD with the infected by dllhost.exe and use another computer to scan the registry of the OS on the infected HD?

If not, is it possible to make your software do that?


2 In the instructions for making the portable version say:

The file will be used then to gain access to premium features while doing your malware removal on your customer’s PC. To use that file, you need to use the command line parameter -portable-license path_to_the_file. You can also name it rk_config.ini and place it in the same directory as RogueKiller exe file.


What does you can also name "it" refer to?  The portable file ? Or a file saved with the command line parameter shown above?
Would you please explain it more clearly.

Thank you.

[drdancm]

All of the advice I have found on the internet is rather old, therefore outdated, and none of the programs recommended (Eset Poweliks Remover, Symantec etc.) including Roguekiller is able to remove the current variant of  dllhost.exe  (Powelik) malware. In task manager you can see it pop up, you can endtask the tree, but it comes right back.

I am totally amazed and disappointed that none of the AVs or anti Malware programs detect it. I understand that it resides in the Registry. So what, most of the anti malware programs scan the Registry.

Roguekiller is my last resort, but it too has failed to remove it. Yes it found a bunch of malware and removed that, but that was probably just some other crap that Powelik let in.

Any help would be greatly appreciated.

Thanks,

Dan

[Curson]

Hi drdancm,

Welcome to Adlice.com Forum.
Thanks for supporting our product.

Questions:
1 What is  "Scan Offline Registry".

It allow RogueKiller to scan unloaded registry hives.

Does it mean I can remove the HD with the infected by dllhost.exe and use another computer to scan the registry of the OS on the infected HD?
If not, is it possible to make your software do that?

RogueKiller is currently not able to do that, but it's a planned feature.

2 In the instructions for making the portable version say:

The file will be used then to gain access to premium features while doing your malware removal on your customer’s PC. To use that file, you need to use the command line parameter -portable-license path_to_the_file. You can also name it rk_config.ini and place it in the same directory as RogueKiller exe file.

What does you can also name "it" refer to?  The portable file ? Or a file saved with the command line parameter shown above?
Would you please explain it more clearly.

Yes, "it" refers to the portable license file, generated from RogueKiller on your "tech machine".

All of the advice I have found on the internet is rather old, therefore outdated, and none of the programs recommended (Eset Poweliks Remover, Symantec etc.) including Roguekiller is able to remove the current variant of  dllhost.exe  (Powelik) malware. In task manager you can see it pop up, you can endtask the tree, but it comes right back.

I am totally amazed and disappointed that none of the AVs or anti Malware programs detect it. I understand that it resides in the Registry. So what, most of the anti malware programs scan the Registry.

All of these programs scan the Registry, but I assume this is a new Powelink variant which use an unusual registry key to maintain persistance on the infected system.

Roguekiller is my last resort, but it too has failed to remove it. Yes it found a bunch of malware and removed that, but that was probably just some other crap that Powelik let in.
Any help would be greatly appreciated.

I will help you remove the infection.
Could you please copy/paste RogueKiller full report in your next reply ?

Regards.

[drdancm]

Thank you for your help.

When I click on Open Report, nothing happens, but after some checking I found the report under

C:\Windows\Program  Data\Rogue Killer\Logs

I hope this is the report you are asking for.  I attached the latest scan 6/5/2016 as well as one of the earlier ones 6/2/2016, just in case the old one is of some help.

I hope that you are not in the area of the terrible floods.

Thanks very much,

Dan

[Curson]

Hi Dan,

None of the reports you posted contain any trace of infection.
Could you please post an exemple of detection ?

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
  
• Please attach log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
  

I hope that you are not in the area of the terrible floods.

Thanks for your concern. I'm not. :-)

Regards.

[drdancm]

I'm very pleasantly surprised by your super prompt attention, and the idea that in fact my clients machine may not have the malware I've bee so worried about.

My experience with the dllhost.exe, is that it starts off rather quiet and then gradually gets worse and worse at slowing down the system. This machine has not slowed down and I was wondering if dllhost.exe showing up was perhaps the normal version doing it's job. However, it is extremely rare that I see it at all on all of the many normally functioning machines that work on, both in my office and those of my clients.

Therefore I was thinking that dllhost.exe was infected, but it had not fully "matured" yet.  And, as you may have noticed from the Roguekiller reports, Roguekiller detected and removed a bunch of other malicious software from this machine.

It would be terrific if in fact dllhost is not infected by Poweliks.

I've attached the reports you advised me to upload, as well as a task manager screen capture. On occasions I've seen 3 instances of dllhost.exe, but usually it is just one. If I end task the tree, it comes back either immediately or a bit later.

I see that there are pieces of Logmein that have not been properly uninstalled. I am currently using a licensed version of Teamviewer to support my clients.

Thank you for your generous help.

Dan

[Curson]

Hi Dan,

My experience with the dllhost.exe, is that it starts off rather quiet and then gradually gets worse and worse at slowing down the system. This machine has not slowed down and I was wondering if dllhost.exe showing up was perhaps the normal version doing it's job. However, it is extremely rare that I see it at all on all of the many normally functioning machines that work on, both in my office and those of my clients.

I analyzed the reports and found no malicious entry.
This computer seems clean.

However, many security softwares are installed, which could cause conflicts.

Microsoft Security Essentials
avast! Antivirus
Comodo Defense+
WinPatrol
Spybot - Search & Destroy
Malwarebytes Anti-Exploit
Malwarebytes Anti-Malware
Malwarebytes Anti-Ransomware

I suggest you to keep only one of each kind (one antivirus, one firewall, etc.).

Therefore I was thinking that dllhost.exe was infected, but it had not fully "matured" yet.  And, as you may have noticed from the Roguekiller reports, Roguekiller detected and removed a bunch of other malicious software from this machine.

All of the entries in the reports are legit IRP hooks and are only displayed because you checked the "Show legit hooks" checkbox.
You don't have to worry about them.

It would be terrific if in fact dllhost is not infected by Poweliks.
I've attached the reports you advised me to upload, as well as a task manager screen capture. On occasions I've seen 3 instances of dllhost.exe, but usually it is just one. If I end task the tree, it comes back either immediately or a bit later.

DLLHost (Distributed COM DLL Host Process) is used to manage dynamic libraries using COM objects and interfaces. It's usual to have more than one instance of it running at the same time.

I see that there are pieces of Logmein that have not been properly uninstalled. I am currently using a licensed version of Teamviewer to support my clients.

Indeed. Would you like me to write a script to remove it completely ?

Thank you for your generous help.

You are very welcome.

Regards.

[drdancm]

I'm sorry for the late response but I was so busy with other matters it completely slipped my mind, now that the problem was resolved.  I appreciate your offer for the script, but I've already dealt wit that.

As for the additional security programs causing incompatibilities, I have not seen any and I have the very same, setup on at least 15 machines.

Once again I must thank your for the super prompt help response and overall terrific support for an excellent program which is priced low enough to be a real bargain.

Thanks Very much,

Dan

[Curson]

Hi Dan,

You are very welcome.
Thanks for the kind words.

Regards.