Seen it? Poweliks registry malware / many dllhost.exe com surrogate

Jonathan


Symptoms: Many dllhost.exe com surrogate processes gobbling memory / powershell not responding error on startup

Had it twice in the last week.

RogueKiller / ComboFix cleaned it the first time. The user only saw the system as slow, nothing else. This second one is more stubborn and came with a rootkit and FBI-style ransomware.

Others must be getting it too; any experiences / tips worth sharing?

EDIT: This was recently released: http://www.eset.com/my/download/utilities/detail/family/252/#offline,140
 
I had this on a customer's computer earlier this week. The initial complaint was a slow computer, and the customer thought it was a hard drive issue. After ruling out the garden variety malware possibilities, I fired up Process Explorer & noted the multiple dll.exe's (listed as COM surrogate). Roguekiller was able to knock them down, but it's most helpful to kill the processes just before launching RK's scan. They will try to restart - so keep Process Explorer open & keep shutting them down (kinda like playing whack-a-mole.) After starting this process, it only took about 10-15 minutes to get the system cleaned up.
 
> They will try to restart - so keep Process Explorer open & keep shutting them down (kinda like playing whack-a-mole.)


You can also use Process Explorer to suspend the offending process right when it starts, and it won't (or hasn't so far) create any more, allowing you to work in peace.
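Added example, not code from this thread or any of its posters: a PowerShell triage script that does what the post above describes doing by hand in Process Explorer. It lists every dllhost.exe (COM Surrogate) instance with its parent and command line, flags the ones that were not started the way the DCOM launcher starts a genuine surrogate (with a `/Processid:{GUID}` argument, a general observation about Windows rather than something the thread states), and with `-Suspend` freezes the flagged ones so they stop respawning and eating CPU while cleanup tools run. Assumptions: `NtSuspendProcess` from ntdll is used as the suspend mechanism (the same effect as Process Explorer's Suspend menu item), the `$Threshold` default of 5 is a constructed starting point, and the script runs from an elevated prompt.

```powershell
<#
  Added triage script (not from this thread). Enumerates dllhost.exe
  instances, flags the suspicious ones and, with -Suspend, freezes them.
  Run from an elevated PowerShell prompt.
  Assumptions: NtSuspendProcess (ntdll) as the suspend mechanism; the
  threshold default of 5 is a made-up starting point, not a thread value.
#>
param(
    [int]$Threshold = 5,   # only act when more dllhost.exe instances than this exist
    [switch]$Suspend       # without this switch the script only reports
)

# Native call that freezes every thread of a process (undocumented but long-stable).
# Guarded so the script can be re-run in the same session without a type clash.
if (-not ('Triage.NtDll' -as [type])) {
    Add-Type -Namespace Triage -Name NtDll -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern int NtSuspendProcess(IntPtr processHandle);
'@
}

# Win32_Process exposes ParentProcessId and CommandLine, which Get-Process does not.
$surrogates = @(Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'")
Write-Host ("dllhost.exe instances: {0}" -f $surrogates.Count)

if ($surrogates.Count -le $Threshold) {
    Write-Host "At or below threshold ($Threshold); nothing flagged."
    return
}

foreach ($p in $surrogates) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # The DCOM launcher starts a genuine surrogate as
    #   dllhost.exe /Processid:{GUID}
    # so an instance without that argument (or with none readable) is flagged.
    $hasGuid = $p.CommandLine -match '/Processid:\{[0-9A-Fa-f-]+\}'

    $row = [pscustomobject]@{
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        Flagged     = -not $hasGuid
        CommandLine = $p.CommandLine
    }
    $row   # emit the row so the output can be piped to Format-Table or Export-Csv

    if ($Suspend -and $row.Flagged) {
        try {
            # Process.Handle opens the process with full access, enough to suspend it.
            $proc   = Get-Process -Id $p.ProcessId -ErrorAction Stop
            $status = [Triage.NtDll]::NtSuspendProcess($proc.Handle)
            Write-Host ("  suspended PID {0} (NTSTATUS 0x{1:X8})" -f $p.ProcessId, $status)
        } catch {
            Write-Warning "  could not suspend PID $($p.ProcessId): $_"
        }
    }
}
```

Run it once without `-Suspend` to see the list, then with `-Suspend` once the flagged rows look right; a suspended process can be resumed from Process Explorer if one turns out to be a legitimate surrogate, which matters because freezing a real one stalls whatever COM client depends on it. Suspending rather than killing is the point: a killed instance is simply respawned, while a suspended one stays put and stops consuming CPU, which is what lets RogueKiller and the other tools mentioned in this thread finish in a reasonable time.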
 
> I had this on a customer's computer earlier this week. The initial complaint was a slow computer, and the customer thought it was a hard drive issue. After ruling out the garden variety malware possibilities, I fired up Process Explorer & noted the multiple dll.exe's (listed as COM surrogate). Roguekiller was able to knock them down, but it's most helpful to kill the processes just before launching RK's scan. They will try to restart - so keep Process Explorer open & keep shutting them down (kinda like playing whack-a-mole.) After starting this process, it only took about 10-15 minutes to get the system cleaned up.

I did the same, but it came back after a reboot and connecting to network / internet. Thanks for the FRST ref, I'm gonna check it out in more detail
 
> Symptoms: Many dllhost.exe com surrogate processes gobbling memory / powershell not responding error on startup

Just started troubleshooting these symptoms. I think it got loaded via a phony Adobe update warning. Like others, the user complained of the system being really, really sloooow.

I ran Bitdefender off line and it found some crap but was oblivious to this.

I got tired of waiting for my tools to open in normal mode since the CPU is handling hundreds of these bogus processes. I tried safe mode but it hangs (10 minutes+) and now I'm stuck watching chkdsk run since I powered off the laptop. It's deleting hundreds of index entries and found some orphaned files.

OK, back in normal mode. MSE is trying its best to kill these processes. The sounds emanating from the laptop are cool. Running water, bits of songs, laughter. This crap has a sense of humor!

I'm waiting, waiting, waiting for Process Explorer to open. Finally! Wow, CPU usage is 110%! Finally got Roguekiller running.

Time for a cool one. I'll continue this nightmare later, hopefully with a buzz.
 
MBAM has done a good job keeping it in check. Same with CryptoPrevent for some of the goodies to come along with it.

Once infected, RogueKiller seems to be doing an amazing job killing and removing it. MBAR has done a good job removing it as well. JRT seems to be deleting a lot of the registry entries for it.

Symptoms so far are a slow computer and one of various ransomwares or rogue programs (not usually a tuneup or AV program) doing its pop-ups. Removal has been pretty easy for the most part. Only a couple have had rootkits associated with them.

McAfee, AVG, Avast and TrendMicro have been failing to even spot this thing at all. Vipre and Bitdefender have been catching and removing it. Norton, ESET, and Sophos terminate the processes before they can start, but haven't removed the program. This has resulted in the process sometimes starting before Norton, ESET and Sophos on a boot, doing its thing, and then you've got a problem on your hands.
 
Continuation of thread #9. So I finished this late last night. The client had 3 different infections that were morphing over 6 months. Interestingly, MBAR missed a ZeroAccess rootkit but TDDS found it. I've found the opposite to be true lately.

For me, Combofix was the only tool to kill the Poweliks crap. Roguekiller, MSE, MBAM all missed it. MSE saw it but failed at removing it.

Adwcleaner killed Conduit and other adware crapola.

Also a thumbs up to jkurgeek. I too was killing the numerous com surrogate processes but suspending them was key to stopping them from respawning and keeping the CPU usage down so the tools would run in hours instead of days.
 
I finally had success with Kaspersky Virus Removal Tool, then RogueKiller. What a pain.
 
How timely, I just had to remediate this tonight for a remote client through IHC! Getting a more current version of RogueKiller was what was finally able to kill the runaway processes and remove the offending registry entries/files.
 
> How timely, I just had to remediate this tonight for a remote client through IHC! Getting a more current version of RogueKiller was what was finally able to kill the runaway processes and remove the offending registry entries/files.

The new rougekiller is so colorful. I saw a lot of orange and grey entries and only one red, so I only deleted the red one; I would have spent hours checking out all the orange "possible" detections. Is it safe to delete those as well?
 
> The new rougekiller is so colorful. I saw a lot of orange and grey entries and only one red, so I only deleted the red one; I would have spent hours checking out all the orange "possible" detections. Is it safe to delete those as well?

It might even have some "rouge" in it. :)

Rick
 
Saw it last Friday once; the machine was killing my Internet connection. Combo would just freeze; RK was the only thing that detected it.
 
Interesting how we all have different results with the same tools.
 
RK is a good program. But I see it miss or not fix this pesky Poweliks.

If any of you want to attach a fresh FRST log, I would like to see it.
 
Saw this for the first time today. Customer actually did some research and found out the dllhost com surrogate issue himself. He was able to terminate the processes without them restarting by disconnecting from the network.

Unfortunately he just wanted an N&P, so I couldn't play with it.
 