
This forum thread needs a solution.

Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

My Windows 7 computer started to run sluggishly.  Windows Task Manager revealed many copies of the dllhost.exe *32 processes running (about 30).  Scans run by Norton 360 and MBAM showed no infection (cannot remember if I ran the scans after rebooting).  My system began to run slowly again.  Again, many copies of the dllhost.exe *32 process were running.  I tried ending the processes, but could only gain traction in doing so after disconnecting from the internet.  Did not end all of the processes; rebooted instead.  Upon restarting, Windows 7 flagged that there was a problem with powershell and gave me the option of looking for a solution online (which I did).  Scanned with Norton 360 and found 4 viruses (Trojan.Poweliks!gm three times and Trojan.Viknok.B!inf once); multiple *.tmp files in c:\windows\syswow64 were removed; file getsi.dll from c:\users\..\appdata\locallow was removed.  Status in Norton 360 Security History is shown as Quarantined.

I suspect that a script is being run in powershell which infects my computer with Trojan.Poweliks!gm; multiple dllhost.exe *32 processes are started by the script or by the virus.  Norton 360 is not preventing the infection (although a small Norton 360 window pops up in the lower right-hand corner of my desktop saying it has blocked an attack).

Currently, I have blocked powershell.exe from running (a copy exists in c:\windows\system32\windowspowershell\v1.0 and in c:\windows\syswow64\windowspowershell\v1.0).

I'm not sure what triggers powershell to run.  I connect to the internet, showing Task Manager so that I can monitor the processes, and visit websites that I know to be safe.  Eventually, the many copies of dllhost.exe *32 are kicked off and I've got to go through the whole process to clean my system again.  Does anyone have any ideas?  I ran Norton Community Watch to pass information collected to the Community.

Replies


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

F4E:

Maybe this will help. AFAIK, no files are downloaded so nothing for AV's to detect.

http://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99&tabid=2

Fair enough. But Norton Internet Security seems to be advertised to do more than that and seems to have fallen short in this case at least.

Complete peace of mind, stops both today's and tomorrow's threats are awful broad statements to make and have to live up to...

From http://us.norton.com/internet-security/ :

Go anywhere online. Safely.

Introducing the new Norton™ Internet Security.

Complete peace of mind for where you go and what you do online

  • Keeps you safe when you surf, shop and bank online
  • Warns you about social media scams and suspicious content
  • Stops both today's and tomorrow's threats
  • Blocks infected and dangerous downloads
  • Reduces PC startup time and boosts performance

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

(I'm new to forums) Not sure if this is a solve or not: Norton appears to have updated the Trojan.poweliks removal tool as of yesterday (11/10/2014).

I ran it...in which it stopped dllhost.exe from running.....deleted 2 registry values....and said poweliks was removed....

AND....

I'm cautiously optimistic that it has been.....

SO FAR....

I no longer have multiple dllhost.exe processes running (which sent processor to 100%)....my Internet Explorer settings are not being reset....history no longer being deleted and so on... 

I have seen lots of people with this issue recently and very complicated solutions being suggested...THAT'S why I'm NOT FOR SURE that this is NOW (11/10/2014) a solution

ANY input would be greatly appreciated!

Thank You!


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

rcall:

(I'm new to forums) Not sure if this is a solve or not: Norton appears to have updated the Trojan.poweliks removal tool as of yesterday (11/10/2014).

Trojan.Poweliks Removal Tool
http://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-0511-99 
Thanks rcall for posting info and your experience
Welcome to the Community


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Norton provided me with this fix that they came up with two days ago. Download [ www. symantec.com/content/en/us/global/removal_tool/threat_writeups/FixPoweliks64.exe] for 64-bit computers and [www. symantec.com/content/en/us/enterprise/media/security_response/tools/FixPoweliks32.exe] for 32-bit computers. So far it seems to have worked.

[Edit: Removed hyperlinks to direct .exe files]


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

My husband has this on his computer and finally asked me to look at it. I  noticed that not only is it starting up multiple dllhost.exe but that it is writing to the temp area.  I removed close to two million files that it created so please check this as well.  I've tried for days with no solution and finally found this thread where there are suggestions to work with somebody which is what I intend to do.  Most solutions all seem to ask you to download something which is the last thing I want to do.


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Just as an update... I called Norton and asked them if I could receive a refund of my $99 since they are offering a fix on their website www.norton.com/trojan and they did refund my money.


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

So you got back the money you gave for removal service? That's great!
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hello I believe this is happening to my computer, it started last week. My system is completely bogged down. I am getting the powershell has stopped working message, my usernames will not save on yahoo, etc., I can see many copies of the dllhost.exe *32 processes running in task manager and my cpu is 100%. I just paid staples $130 (I bought my computer there) for virus removal found through Microsoft essentials. I do not know the names but they were Trojans, so I think I just wasted $130 since I still have the issue. Question....I don't know the names of the Trojans but is it ok to run this Norton powelik fix? please help?? Is there any harm done if I run this and it's not powelik (although it sounds like exactly what is happening) I don't want to cause more damage. note: my system has been perfect for 2 years since I bought it. Any info would be greatly appreciated.


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hi bostongirl
Just to confirm.  You run MSE not a Norton security product.  You paid for malware removal and still have malware.  You are not going back to Staples for them to resolve or refund.
You want to run Norton Poweliks Removal Tool.  Not knowing what infection you may have on your system. & Will it harm your system?

Time to visit one of the free Malware Removal Forums recommended by the Community
https://community.norton.com/forums/malware-removal-forum-recommendations


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Is anybody else noticing that not only does it continue to open dllhost copies but that it is also writing to your computer in temp directory.  I observed every time one of the copies of dllhost opened, it also wrote a file to my temp directory. 


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

It appears that the malware infects the user profile as no other users exhibit the behavior on my infected machine.  I have not deleted the infected profile yet as I wanted to try to clean it. Today I tried the updated poweliks removal utility and the only record in the log file was "Failed to take ownership of CURRENT_USER\Software\Classes\CLSID registry key".  I tried running as an admin from a normal user profile as well as when logged in as admin.  I have not attempted the manual steps.

@texflood, I too would like a good explanation in order to feel that I could address the problem by deleting the user profile.  I also want to understand my real exposure.  Luckily, I do not run as an admin, so the admin profile is most likely not infected.  The reason I believe this is that with other profiles, I do not see multiple dllhost.exe instances, nor does malware bytes or NIS block malicious outbound calls.  I did speak to a hacker friend of mine and he told me that this malware reflects a new trend of transmission through infected ads, making drive-by infections easy to accomplish.  On this particular machine, I have now changed the default search engine to Norton safe search via ask.com.  Not the best search experience, but if it keeps my kid from stumbling into a trap, then it is worth the reduced richness.

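A read-only way to collect the three observations reported in this thread (many dllhost.exe instances, files piling up in the temp directory, and the removal tool's ownership failure on the per-user CLSID key), added here as an example; it is not part of any poster's message or of Symantec's tool. It assumes PowerShell 2.0 or later on Windows 7, run inside the profile being checked; the function name `Get-DllhostTriage` is hypothetical.

```powershell
# Added example: read-only triage for the symptoms described in this thread.
# Nothing is killed, deleted or modified. Get-DllhostTriage is a hypothetical name.
function Get-DllhostTriage {
    # 1. Every dllhost.exe instance with owner, parent PID, image path and command line.
    #    Instances shown as "*32" in Task Manager load from C:\Windows\SysWOW64.
    $procs = @(Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'")
    $rows = @(foreach ($p in $procs) {
        $o = $p.GetOwner()   # non-zero ReturnValue: caller may not query this process
        $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '(access denied)' }
        New-Object PSObject -Property @{
            ProcessId   = $p.ProcessId
            ParentPid   = $p.ParentProcessId
            Owner       = $owner
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
        }
    })

    # 2. Number of files at the top level of the current user's temp directory.
    $tempCount = -1          # -1 means the directory could not be read
    try { $tempCount = [System.IO.Directory]::GetFiles($env:TEMP).Length } catch { }

    # 3. Owner of the per-user key named in the removal tool's log line.
    $key = 'HKCU:\Software\Classes\CLSID'
    $keyOwner = '(key not present or not visible)'
    if (Test-Path $key) {
        try   { $keyOwner = (Get-Acl -Path $key -ErrorAction Stop).Owner }
        catch { $keyOwner = "(unreadable: $($_.Exception.Message))" }
    }

    New-Object PSObject -Property @{
        DllhostCount  = $rows.Count
        ByOwner       = @($rows | Group-Object Owner | Select-Object Name, Count)
        Processes     = $rows
        TempFileCount = $tempCount
        ClsidKeyOwner = $keyOwner
    }
}

$t = Get-DllhostTriage
$t | Format-List DllhostCount, TempFileCount, ClsidKeyOwner
$t.ByOwner | Format-Table -AutoSize
$t.Processes | Sort-Object Owner, ProcessId |
    Format-Table ProcessId, ParentPid, Owner, Path, CommandLine -AutoSize
```

Running it once in the affected profile and once in another profile on the same machine gives a side-by-side record of the per-profile difference described above, which is useful to attach when asking a malware removal forum for help.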

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Fwiw, Firefox now gives the option of using DuckDuckGo as your search engine.

https://duckduckgo.com/

Windows 10 Home X 64 Norton Security Premium Current

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

dllhost etc. obviously a widespread problem, including to me.  Disappointed that Norton 360 will not fix....are there any other commercial malware removal programs that will fix it?  I've contacted Quad but it has now been 9 days since then and I have not received any recommended fix....meanwhile the machine is almost useless.

Any suggestions?


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

ozarkcountry4:

dllhost etc. obviously a widespread problem, including to me.  Disappointed that Norton 360 will not fix....are there any other commercial malware removal programs that will fix it?  I've contacted Quad but it has now been 9 days since then and I have not received any recommended fix....meanwhile the machine is almost useless.

Any suggestions?

Did you register and start a Thread at Quads Protected Forum
http://qmalwareremoval.freeforums.net/board/2/malware-removal-protected
That is the recommended fix if I may speak for Quads
Malware Removal Forums are busy...get in line is my best advice
If you did start a Thread ~ Did you follow all instructions exactly?  If not odds are you may not get a response.
Don't post to another Forum or use your computer as normal until declared clean


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Yep, done all that.  But my last response from Quad was 9 days ago and said, "Be Patient".  How patient?


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

I've never posted at Quads Forum
I know at other Forums they post instruction if helper does not respond within Xdays do this....anything like that @ Quads
Can you see your Thread is there any message....
Last post I read here from Quads mentioned an update to the Norton Powelik Removal Tool
Quads has posted he is working on 300 systems.  So, how patient...maybe very patient.
I can only caution you not to start a Thread somewhere else.  They shun shopping Forums.
In practice even posting here may be detrimental

Norton Support provides free malware remediation if you have Norton Virus Assurance subscription # or VPP What is Norton Virus Protection Promise?
Norton Support provides fee based malware remediation http://us.norton.com/nortonlive/spyware-virus-removal.jsp
Comments about Norton malware remediation have been mixed afaik


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Like bjm_ said, please be patient. That malware is very tricky and hence a lot of people got infected.
It slipped through a lot of commercial security software like Norton, Bitdefender, Kaspersky etc. So forums got flooded.
Since you are now seeking help from Quads, please stick with his instructions.
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Thank you so very much for the links!

You saved my computer. I tried everything. From finding un-finalized video files on my computer to running powerful cleaners of all kinds (including N360 and IObit malware cleaner). The only thing that helped was cleaning that damn poweliks trojan using the removal tool you posted. Bye bye dllhost.exe!  I want to hug  you! 

By the way, another issue that has been resolved by removing that stupid poweliks trojan was my inability to download files via internet explorer. My computer is fully updated that that mystery gave me quite a headache... now I know the reason for that 'error'. 


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Zohar:

Thank you so very much for the links!

Thanks for the feedback


This thread is closed from further comment. Please visit the forum to start a new thread.