Kudos0

Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

My Windows 7 computer started to run sluggishly.  Windows Task Manager revealed many copies of the dllhost.exe *32 processes running (about 30).  Scans run by Norton 360 and MBAM showed no infection (cannot remember if I ran the scans after rebooting).  My system began to run slowly again.  Again, many copies of the dllhost.exe *32 process were running.  I tried ending the processes, but could only gain traction in doing such after disconnecting from the internet.  Did not end all of the processes; rebooted instead.  Upon restarting, Windows 7 flagged that there was a problem with powershell and gave me the option of looking for a solution online (which I did).  Scanned with Norton 360 and found 4 viruses (Trojan.Poweliks!gm three times and Trojan.Viknok.B!inf once); multiple *.tmp files in c:\windows\syswow64 were removed; file getsi.dll from c:\users\..\appdata\locallow was removed.  Status in Norton 360 Security History is shown as Quarantined.

I suspect that a script is being run in powershell which infects my computer with Trojan.Poweliks!gm; multiple dllhost.exe *32 processes are started by the script or by the virus.  Norton 360 is not preventing the infection (although a small Norton 360 window pops up in the lower right-hand corner of my desktop saying it has blocked an attack).

Currently, I have blocked powershell.exe from running (a copy exists in c:\windows\system32\windowspowershell\v1.0 and in c:\windows\syswow64\windowspowershell\v1.0).

I'm not sure what triggers powershell to run.  I connect to the internet, showing Task Manager so that I can monitor the processes, and visit websites that I know to be safe.  Eventually, the many copies of dllhost.exe *32 are kicked off and I've got to go through the whole process to clean my system again.  Does anyone have any ideas?  I ran Norton Community Watch to pass information collected to the Community.

Replies

Kudos3 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Kudos1 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hi kmcard:

You can find more information on this malware in the SecurityWeek article "Poweliks" Malware Uses Windows Registry to Avoid Detection.  I'd agree with bjm_ that you should register with one of the free malware removal forums recommended by delphinium ASAP and let a trained specialist work with you one-on-one and guide you through the removal process.
-------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 32.0.1 * IE 9.0 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Kudos2 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Poweliks has different keys that it targets to use, including now using a Windows registry key that is not to be deleted; Poweliks just modified the key for itself, in effect changing the target from a Windows file to just its code.

Quads

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

@ kmcard.  My friend's computer has this same problem.  Numerous (about 30) dllhost.exe processes running in Task Manager, which is using up all the CPU; it's extremely slow with a repeated/slow blinking hourglass icon. Also getting the error "Powershell has stopped working", and it has the option to close or to go online for a solution, but when I click on that, it does not find a solution.  I am not clicking on that anymore, just closing it instead.  It has been scanned several times with the Malwarebytes scanner but finds nothing.  The AVG 2014 scanner also finds nothing.  It seems to run fine when I disconnect the wireless connection or when in safe mode. It has Windows Vista. I am going to try and block powershell from running.  If anyone knows how to fix this, please let me know.  This all started about the 22nd of this month.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

The thread creator (kmcard) has joined my forum for more advanced help of removal and repair (depending on variant) 

Quads

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Stalkedwhisper, do not try and fix someone's system when you really don't know what you are dealing with or how to fix it; you can cause a BIGGER HOLE and you end up in a worse state.

Quads

Kudos1 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hi, Stalkedwhisper. I suggest your friend visits one of the free malware removal forums bjm_ suggested.

They are experts who will help clean the system. Pick one, and stay with them until the computer is declared malware free.

Windows 10 Home X64 Norton Security Premium---Current
Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

I had the same problem yesterday, Norton360 did not stop it from getting in. But after many scans and trying to delete the file.

I just did a Full system restore back two days and better than new. I have a widget on windows 7 that shows hard drive and mem usage, this file was using 100% disk and 50/60 memory out of 10 megs. There went 6 hrs of my life.

The restore did screw up the Norton had error mesg that the antivirus and internet protection were not active, could not restore it with fix, so had to redownload it and works fine now.

hope this helps.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

photopd wrote:
I had the same problem yesterday, Norton360 did not stop it from getting in. But after many scans and trying to delete the file.
I just did a Full system restore back two days and better than new.
The restore did screw up the Norton had error mesg that the antivirus and internet protection were not active, could not restore it with fix, so had to redownload it and works fine now.

fwiw ...You have no way of knowing you had the same problem.   System Restore is not recommended.  System Restore is not recommended for malware remediation.  As you found out System Restore breaks Norton.  If you cannot resist System Restore then disable Norton Product Tamper Protection.
Respectfully submitted

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

I have the same situation on 1 of my PC's, the best I have found so far is Malwarebytes, it will detect and quarantine the file but has not been able to completely remove the virus, i.e. the minute you physically exit Malwarebytes the offending dllhost.exe file places itself back on your PC. If you look in C:/Users/"your_username"/Appdata/Roaming you will find the file. Now here is the really scary part, you will also find a file named "dllhost.exe.tmp" there and if you edit it with say Notepad you will see that it is recording your every keystroke.

Below is some of the text from the file I am talking about that I have just now copied and will paste:

14/09/30 dragon SniperSA | Norton Community - Comodo Dragon
Sn1per@Sn1perS@[Back][Back][Back][Back][Back][Back][Back][Back][Back][Back]Sn1perS@
14/09/30 dragon Home | Norton Community - Comodo Dragon
Sn1per[Back][Back][Back][Back][Back][Back][Back][Back][Back][Back]SniperSA[TAP]
Sn1perS@
14/09/30 dragon Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7 | Norton Community - Comodo Dragon
I have the ame situation on 1 of my PC's, the best i have found so far is Malwarebytes, it will detect and quarentine the the file but has not been able to ompleel remor[Back]ve the virus ie the minute you physically exit Malwarebytes the offending dd[Back]llhost.exe file places its self back on your pc. I you ook in C/Users/"your_usr[Back]ername/Appdata/Roaming you will find the file. Noe [Back][Back]w her [Back]e is the relly scary part, youe will also fins[Back]d [Back]a file named

there and if you edit it with say notepa you ill see tht it is ecoring your every esroke.[ENTER]
Here is a part of the file I am talking to[Back][Back]about:[ENTER]

As you can see this is serious and any help anyone can offer will be appreciated, in the mean time I suggest DO NOT DO ANY FORM OF FINANCIAL OR PERSONAL TRANSACTIONS ON YOUR PC. 

Sorry for the CAPS not meant to be offensive just a warning to those in the same situation.

Mike

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hello SniperSA
When you piggyback on to an established Thread you diminish your chance of being helped as well as the OP
The Community does not recommend malware remediation sans the oversight of trained malware removal experts

Please visit one of the free Malware Removal Forums recommended by the Community
https://community.norton.com/forums/malware-removal-forum-recommendations

The Community does not have the training nor the facility for malware remediation.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hi bjm

Apologies did not mean to diminish the Thread in  any way, my 1st intention was purely to mention some other more alarming facts I have managed to find wrt the virus in discussion here that we are all commonly suffering with in order to try and minimise potential impact on the others also suffering with it. I will see if I can remove my post above or get in contact with one of the forum moderators and request that it be removed.

Thanks

Mike

P.S Thank you photofpd, fortunately I know exactly when I got the virus and by doing a restore to prior to that date I seem to have rid my pc of it.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

There are times Poweliks can not be shifted by System Restore (let alone breaking Norton and anything else).  I know the reason why it cannot. I tested poweliks on my system to find what struggled with certain changes of Poweliks  and why, then gave the info to other MR's and tool creators.

It is nice that the user used System Restore to break things and remove a virus that did not exist,  Why Poweliks is not a Virus

Quads

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hello SniperSA

Apologies did not mean to diminish the Thread in  any way,

Diminish was a poorly chosen word.   Certainly, all contributions are welcome.  The Community is user to user.
Please accept my apology.
Respectfully submitted

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

I also have been the victim of this. I think I finally 'fixed' it by doing the following... I ran a complete scan of my computer using Norton 360. This found 60 infected files in sub folder C:\Windows\Syswow64. The infected files were .tmp files and were automatically deleted. After I rebooted it still started creating those damn dllhost...files. Using Task Manager, I stopped all of those files that were associated with the dllhost.exe 32 file residing in the "Syswow" folder. As soon as they were stopped (and before any could be restarted) I deleted the dllhost.exe 32 file in the "Syswow" folder. That meant having both Task Manager open and Explorer opened to that folder.

I monitored task manager the next few times I ran the computer and no more than one dllhost.exe file ran at any time. I think the key is that you need the dllhost.exe file in the "System32" folder, but not the one in the "Syswow" folder. I did get an error message the first time I shut down the computer after doing all this. For the last three days, everything seems to be working fine. The good news is I rarely use more than 25% of my cpu. Before I was choking near 100% . Hope this helps someone. Btw, I am running Windows 7.

Kudos3 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Do not delete dllhost in the SysWOW64 folder; it is meant to be there and is for Windows (Microsoft). It is just being used by the infection.

The user above is a newbie for a reason and their fix should not be used as it is wrong. The user also has NOT dealt with the infection correctly. No mention of the registry or removal that is correct; this means the system now has a Windows file missing that shouldn't be.

A WARNING TO OTHER READERS, do do the deleting of dllhost and dig a bigger hole.

The file (Microsoft Corporation) C:\Windows\syswow64\dllhost.exe belongs there for an x64 system.

I hope the user removes the infection and repairs the system due to their screw-up.

Quads 
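As an added illustration (not code from this thread or from any tool it names), the Python sketch below triages a process snapshot instead of deleting files: it accepts dllhost.exe from both System32 and SysWOW64, and flags copies running from anywhere else, instances without the `/Processid:{...}` argument that COM normally passes to a surrogate, and an unusually high instance count. The CSV column layout, the sample rows and the `max_instances` threshold are assumptions made for the example.

```python
import csv
import io
import ntpath
import re

# COM normally launches the surrogate as "dllhost.exe /Processid:{AppID}".
PROCESSID_ARG = re.compile(r"/processid:\{[0-9a-f-]{36}\}", re.IGNORECASE)


def build_sample():
    """Constructed snapshot; columns and values are made up for the example."""
    rows = [
        ("explorer.exe", 1200, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
        ("dllhost.exe", 2001, r"C:\Windows\System32\dllhost.exe",
         r"C:\Windows\System32\dllhost.exe "
         r"/Processid:{11111111-2222-3333-4444-555555555555}"),
        ("dllhost.exe", 4000, r"C:\Users\example\AppData\Roaming\dllhost.exe",
         r"C:\Users\example\AppData\Roaming\dllhost.exe"),
        ("dllhost.exe", 4001, "", ""),  # path not readable without elevation
    ]
    # Thirty 32-bit instances with no arguments, like the pile-up described above.
    rows += [("dllhost.exe", 3000 + i, r"C:\Windows\SysWOW64\dllhost.exe",
              r"C:\Windows\SysWOW64\dllhost.exe") for i in range(30)]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Name", "ProcessId", "ExecutablePath", "CommandLine"])
    writer.writerows(rows)
    return out.getvalue()


def triage_dllhost(csv_text, windir=r"C:\Windows", max_instances=8):
    """Return counts and per-PID flags for every dllhost.exe in the snapshot."""
    # Both directories hold a genuine Microsoft copy on an x64 system.
    legit_dirs = {ntpath.normcase(ntpath.join(windir, d))
                  for d in ("System32", "SysWOW64")}
    flagged, total = {}, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Name"].lower() != "dllhost.exe":
            continue
        total += 1
        flags = []
        path = row["ExecutablePath"].strip()
        if not path:
            flags.append("path-unknown")
        elif ntpath.normcase(ntpath.dirname(path)) not in legit_dirs:
            flags.append("path-outside-windows")
        if not PROCESSID_ARG.search(row["CommandLine"]):
            flags.append("no-processid-arg")
        if flags:
            flagged[int(row["ProcessId"])] = flags
    return {"total": total, "excessive": total > max_instances, "flagged": flagged}


if __name__ == "__main__":
    report = triage_dllhost(build_sample())
    print(report["total"], "dllhost.exe instances; excessive:", report["excessive"])
    for pid, flags in sorted(report["flagged"].items()):
        print(pid, ", ".join(flags))
```

A flagged instance running from SysWOW64 still uses the genuine Windows binary; the flag points at what started it, not at the file.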

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Also I have completed the removal of Poweliks and system tidy up of kmcard's system  (the user who created this thread) so it is Solved / Fixed without deleting any legit Windows file.

Just noticed that the BAD instructions have "possible solution" for it,   Someone has to be kidding me.

Quads

Kudos1 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Just noticed that the BAD instructions have "possible solution" for it,   Someone has to be kidding me.

Quads,

The creator of that post marked it as a possible solution.  Above the editing toolbar is a box you can check if you think you've solved the OP's question.

Cheers. 

A little bit of knowledge is... well a little bit of knowledge.
Kudos1 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Thanks to all that responded to this thread.  Quads from qmalwareremoval.freeforums.net (one of the Norton community recommended malware removal sites) helped me to remove Poweliks from my system.  Anyone who gets infected with Poweliks should seek help from a site that specializes in removing malware--with help, it took over a week to make sure that it was completely removed.  Thanks and kudos to Quads for the time and effort!

That being said, I'm a little frustrated that Norton 360 was unable prevent the infection and it would be nice if it could.  But I realize that no virus protection software is going to be 100% effective 100% of the time.  However, I'm even more frustrated that N360 claimed to have removed Poweliks from my system; but it did not, at least not completely.  Maybe once they get a better handle on how it makes it way into a computer, they'll be able to completely remove it and to block it so that it does not becomes a problem.  I'm grateful that there is a Norton Community and other sites like qmalwareremoval that have great people who are willing to help clean systems and get us back to computing when evil malware slips through the cracks.

Thanks again, everyone!

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

So last night I found this lovely piece of work on my computer after watching some TV shows online. After about an hour my firewall told me that a dllhost.exe was trying to access the net, so I looked it up and found that it's a "safe file", so I allowed it. Then the dllhost.exe * 32 started continuously opening itself (replicated over 40 times) to the point of crashing my computer. When my computer rebooted I opened Task Manager and watched as it started to replicate again, as well as my CPU and Net performance spiked to over 90%. I disconnected my computer from the network and rebooted my PC; after the reboot the dllhost.exe * 32 didn't re-open itself. However, as soon as I plugged back into the network it started up again. Here are a few easy workarounds that worked for me.

I found a few easy workarounds that at least stop the dllhost.exe * 32 from replicating itself and bogging the system down. Disconnect from your network, reboot your computer, then go into your firewall and block the DLLHOST.EXE from the internet; this should allow you some time to get some help without your computer crashing. (According to Microsoft the dllhost.exe does not need network/internet access: "The COM Surrogate (aka, DLLHOST.EXE) is a fancy name for Sacrificial process for a COM object that is run outside of the process that requested it. Explorer uses the COM Surrogate when extracting thumbnails, for example. If you go to a folder with thumbnails enabled, Explorer will fire off a COM Surrogate and use it to compute the thumbnails for the documents in the folder", posted by Jessen P, Microsoft Support Engineer, January 31, 2014.)

After I blocked the dllhost.exe from the network I set to running some cleanup on my computer. Antivirus won't find this because it's not a virus. However, the Microsoft tech suggested to try this (Microsoft Safety Scanner  http://www.microsoft.com/security/scanner/en-us/default.aspx ) not because it only looks for viruses but is supposed to look for Windows files that have changed but weren't supposed to. I didn't try this, I used some of my own cleaners that worked well. However the dllhost.exe file was still in my Task Manager but NOT replicating.

Again, this is an easy workaround that worked for me. After I finished my cleaners and saw that the dllhost.exe*32 was in my Task Manager but not replicating, I said screw it. I looked up when my last backup was made, then backed up my important data that had changed since the last backup on a thumb drive. I then restored my backup and this fixed the issue; however, if you're not sure when you got this dllhost.exe problem this might not work for you.

This workaround also allows you to back up your important data that you want to save if you don't feel like talking to a professional malware tech and just want to format and re-install your Windows OS.

Kudos1 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Systems are now turning up with Poweliks that has more than Poweliks but other Malware like Tracur and Ransomcrypts (Cryptowall etc)

So there is a bit to remove from a system,  Even had one system where Poweliks was SYSTEM Protected

It is better to see what is on a system first by logs to see what else is there that shouldn't be

Quads

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Over this weekend I infected my laptop with this wonderful piece of work so I could try to find a few cleaners that would find it and remove it.

This is just another workaround and Quads is right about the log files (I know how to read them and what I'm looking for, but if you're not sure what you're looking at ask for help from a professional malware tech). I found a few cleaners that will see the Trojan.Poweliks dllhost.exe*32 processes and remove it without too much problem. However they are powerful and can remove important files for Windows if you don't know what you're looking at, so ask for help if you don't understand what you're seeing.

The cleaners are RogueKiller for 32bit or 64bit, or AdwCleaner by Xplode, also Junkware Removal Tool. Download the newest version of the cleaners onto a clean computer then copy them onto a flash drive. Make sure the infected computer is disconnected from the network/internet; this will help keep the DLLHOST.EXE from replicating. You will also need to turn all your anti-virus and/or firewalls off because these cleaners will clash with everything.

Copy the cleaner or cleaners from your flash drive to the desktop of the infected computer for easy access. Choose one cleaner, then right click on the cleaner, and in the drop down menu click Run as Administrator. Then let the cleaner do its thing; when you're done using the cleaner make sure you uninstall it. These are powerful cleaners and they can pull files that are not viruses, so if you don't know what you're looking at ask for help.

Now, the only problem I had with removing Poweliks this way was that even after the cleaner found it, it didn't want to remove it. So I had to open Task Manager, find the DLLHOST.EXE*32 (it will be run by USER not SYSTEM), right click it and in the drop down menu click End Process Tree, then run the cleaner again.

I'm not a professional malware tech but I am a network/cloud professional, so again if you don't know what you're looking at ask for help. I posted these here for people like me who know what we're looking at but don't want to spend the hours looking through our registry or crash dump logs. Also Farbar Recovery Scan Tool for 32bit/64bit is a wonderful tool for creating log files and they are easy to read.

I hope this helps, but Quads is right, if you don't know what you're doing ask for help

Firnyn

Kudos1 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Warning: TRYING OUT DIY IS ALWAYS AT YOUR OWN RISK!
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!
Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Systems appearing at the moment users have tried Roguekiller with No success,  Adwcleaner and JRT won't anyway and JRT will remove part of Norton

FRST is an advanced tool and even then I have had 2 systems where in the proper hands FRST could not deal to Poweliks either.

Had to use a second program with FRST and script all at the same time 

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

WORK AROUND:

Ok, this worked for me.  Before trying this fix I recommend you turn off your internet access\wifi to slow it down.

This Trojan runs a line of javascript from the registry key. If you remove this key it will only recreate it. I have a work around, since I cannot locate the program that is recreating this.  I located the key by running the latest version of Rogue Killer. It then showed me the path of the registry. I did not delete this through RogueKiller since it will only recreate itself...

The path of the offending virus registry  on my computer was:

HKEY_USERS\S-1-5-21-3307227288-2313220994-4118584292-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32

With this you need to move quickly on this part:

1) Delete\edit the two registries. (a) and (default-which will stay but show no value). 

2) Then quickly move to this folder (parent of local32):

{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}

Right Click file to change\edit permissions.

Uncheck inherit permissions box.  (May be under advanced button), then remove all users except yourself, give yourself ONLY read and DELETE permissions (you can always add yourself back later). This MUST be done BEFORE the virus recreates the registry.  SO be ready for this. Maybe even practice. Reboot. Log in. Go to Task Man and monitor CPUS. if goes up to 100, repeat this because you did not move fast enough in deleting and changing permissions.

-Megan
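The kind of per-user key named in the post above can be inspected read-only from an exported text copy of the registry rather than by editing the live hive. The following Python sketch is an added example, not part of the original post or of RogueKiller: it parses text in the format `reg export` writes and reports per-user `LocalServer32` keys whose values contain script or whose default value is not a path to an executable. The SID, the two extra CLSIDs, all value data and the heuristics themselves are constructed for the example; only the first CLSID comes from the post.

```python
import re

# Per-user COM registration lives under HKEY_USERS\<SID>\Software\Classes
# (or the <SID>_Classes hive it maps to), then \CLSID\{...}\LocalServer32.
KEY_RE = re.compile(
    r"^HKEY_USERS\\(?P<sid>S-1-5-21-[\d-]+?)(?:_Classes|\\Software\\Classes)"
    r"\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\LocalServer32$", re.IGNORECASE)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
EXE_RE = re.compile(r'^\s*"?[^"]+?\.exe\b', re.IGNORECASE)
SCRIPT_MARKERS = ("javascript:", "vbscript:")   # heuristic list (assumption)
ALLOWED_NAMED_VALUES = {"serverexecutable"}     # named value COM documents here

# Constructed sample. The expandable string is emitted as wrapped hex(2) data,
# which is how such values appear in an export.
_HEX = [f"{b:02x}" for b in
        "%ProgramFiles%\\ExampleApp\\example.exe\0".encode("utf-16-le")]
_WRAPPED = ",".join(_HEX[:24]) + ",\\\n  " + ",".join(_HEX[24:])
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32]
@="javascript:PLACEHOLDER_SCRIPT"
"a"="PLACEHOLDER_DATA"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000_Classes\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32]
@="\"C:\\Program Files\\ExampleApp\\example.exe\" /automation"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Classes\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\LocalServer32]
@=hex(2):''' + _WRAPPED + "\n"


def _unescape(text):
    """Undo .reg string escaping (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", text)


def decode_data(raw):
    """Decode a quoted string or a hex(1)/hex(2) UTF-16LE string value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    m = re.match(r"hex\([12]\):(.*)$", raw, re.IGNORECASE)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw  # dword and other types are kept as text


def parse_reg(text):
    """Return {key path: {value name: decoded data}}; '@' is the default value."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name] = decode_data(m.group(2))
    return keys


def audit_localserver32(reg_text):
    """List per-user LocalServer32 keys that look like script persistence."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        m = KEY_RE.match(key)
        if not m:
            continue
        reasons = []
        for name, data in values.items():
            if any(marker in data.lower() for marker in SCRIPT_MARKERS):
                reasons.append(f"script-in-value:{name}")
            if name != "@" and name.lower() not in ALLOWED_NAMED_VALUES:
                reasons.append(f"unexpected-value:{name}")
        default = values.get("@", "")
        if default and not EXE_RE.search(default):
            reasons.append("default-not-exe")
        if reasons:
            findings.append({"sid": m.group("sid"),
                             "clsid": m.group("clsid").upper(),
                             "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for finding in audit_localserver32(SAMPLE_REG):
        print(finding["clsid"], finding["sid"], ", ".join(finding["reasons"]))
```

A real export is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text in.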

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Doesn't work at times and I should know.   What about the rest of the running files and items, yeah you forgot about  that.

That is what happens with no logging and if finding the system is different or nulled.

Quads 

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

I believe I'm having the same problem. It showed up a few days ago. I very much would like help fixing it.
Kudos1 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hi, phreakchica.  Welcome. This is a user forum, and we are not trained in malware removal. Don't try to fix this yourself.

Sign on with one of the free malware removal sites listed, where an expert will work to clean your system.

https://community.norton.com/forums/malware-removal-forum-recommendations

Windows 10 Home X64 Norton Security Premium---Current
Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

I caught it early enough I could do a system restore to five days earlier after I ran Norton Internet Security to remove Poweliks and the other Trojans it was dropping. It worked. Ran Norton and system comes up clean. Process Explorer and TCPview from Microsoft Sysinternals download no longer show multiple instances of dllhost.exe. It is not even loaded or running.

One would have to catch the infection early enough not to cover up all one's clean system restores though for this to work.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

The Poweliks infection comes via hacked websites, websites hosting toolkits, malicious websites, adwares, popups etc. There are a few guidelines to secure your system from these. Visit : https://community.norton.com/forums/how-i-stay-safe-online
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!
Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hi folks,

I've read through this thread trying to find a solution to this trojan horse, or whatever it is.  I found the answer at http://www.tomsguide.com/answers/id-2345254/laptop-infected-called-power...

Good luck!  It took me a handful of times going through the process, but it worked.  You have to download RogueKiller and Process Explorer.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hey everyone,

I wanted to share my experience since this forum seemed to help kick-start my solution process. I think it's fixed but I'm not sure how long I have to watch the task manager before I know for sure. (Any ideas?)

Windows 7 Professional, 64 bit, Dell PC. I started noticing sluggish performance at around 8PM CST last night. I pulled up the Task Manager and noticed several dllhost.exe *32 processes. I just started cruising Google trying to find out if this was normal and what to do about it. The first thing I did was download and run the Norton Power Eraser. It detected one threat and quarantined it, I deleted it but the multiple "dllhost.exe *32" continued to stack up. After 10-12 of them would stack up, I would end them all and wait for them to build up again.

I found this website at malwaretips.com. http://malwaretips.com/blogs/dllhost-exe-32-com-surrogate-removal/ I downloaded and ran EVERY detection/removal tool it lists in the order it lists. This took 2-3 hours. During this process, the dllhost.exe processes never stopped piling up. The RogueKiller tool seemed to be the only one that actually found something that appeared to be a possible cause. I deleted it but the dllhost pile continued to grow. Once I finished the entire list of tools, the dllhost.exe processes were still coming. It was after midnight and I had to go to work the next morning (today) so I shut the computer down and went to bed. I fired the computer up this afternoon about 4PM CST and have been watching the Task Manager like a HAWK. I've seen one or two dllhost.exe processes, one is in the System32 folder and the other is in SysWOW64...

And now the dllhost.exe processes have started piling up again... It's NOT FIXED I guess.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

That is why we have been saying over and over to NOT try and fix this yourself.

"Please sign up for assistance from one of the free malware removal sites.  Please pick one and stay with them until your system is clean.

https://community.norton.com/forums/malware-removal-forum-recommendations "

A little bit of knowledge is... well a little bit of knowledge.
Kudos2 Stats

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

I contacted Norton support through the online chat feature... Two hours and $99 later, all fixed! I watched the Norton Expert work and I don't believe anyone without programming experience could fix this problem themselves... Not saying they couldn't but... wow.

Save yourself the headache and have someone else fix it!

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

If you go to http://www.tomsguide.com/answers/id-2345254/laptop-infected-called-power... there are explicit instructions how to do this.  You download a free malware program called RogueKiller and a free program from Microsoft called Process Explorer.  Open Process Explorer and RogueKiller at the same time.  Run one and then the other, and then reboot your computer.  Follow the instructions and it works.  One person had to do it twice.  I had to do it 4 or 5 times.  Good luck.  If you want to pay big bucks to have someone else do it, then I guess that's fine, but you can do it yourself for free.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

As you can, if you go to one of the free malware removal forums we recommend. They'll fix your system, and they know what they're doing. Did I mention they're free !

Windows 10 Home X64 Norton Security Premium---Current
Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

They (the UNITE trained malware removalists) will also fix the unnecessary craps and other malware which may be in your system. Poweliks is not alone. It calls a lot of others to visit the infected system.
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!
Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

After trying Norton Power Eraser, Malwarebytes, SuperAntispyware, and a bunch of others, ComboFix worked for me.

JMHCS

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Caught this devil while trying to fix drivers on my computer. Bad idea apparently.

It's absolutely symptomatic of what is being described in this thread. I noticed it when Windows PowerShell started repeatedly having an illegal operation... when I tried to play a game, it got super choppy. I checked the Windows Task Manager and found over 9000 copies of DLLhost going. Nice.

Presently, I've changed ownership of DLLhost and renamed it to DLLhost.tmp.exe .... And this seems to have prevented the DLL replication... And I'm able to access the net.

I'm presently doing my best to destroy this damn thing.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

I say with extreme anxiety that combofix MAY have fixed the problem................................

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

The virus remains... minus the DLL replication and extreme lag. Every couple minutes, my computer now halts for about 7 seconds or so.

Housecall, avast, spybot, all detect no viruses or spyware.

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

As Krusty13 says, trying to fix this yourself is not worth the aggravation, especially when you can use the free malware removal forums he mentions in his post.

Windows 10 Home X64 Norton Security Premium---Current
Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Confusing that ComboFix worked for me but not Muthsera. Been 5 days now without a recurrence.

JMHCS - Since 1996

Kudos0

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

jmhcs:

Confusing that ComboFix worked for me but not Muthsera. Been 5 days now without a recurrence.

JMHCS - Since 1996

ComboFix also worked on the computer of the individual who I helped with this yesterday. I did see some hits in the Symantec logs late yesterday after running ComboFix. Symantec reported it as fixed but had been doing that all along however would return next morning after computer was booted. But this morning all was well. So to be completely accurate, it was a combination of ComboFix and Symantec Norton Internet Security that did the trick in this case. Running a full scan just to be sure but looks like the problem is resolved. Update, the full scan found & removed tracking cookies as usual and removed the infected files in quarantine, nothing actively malicious found. Guess I should say Trojan.Poweliks.gm is gone so far as I can tell. Symantec is not reporting it any longer and no other symptoms, no freezing or other issues. Perhaps Muthsera didn't have Symantec or equivalent enabled to intercept and remediate the last vestiges of Trojan.Poweliks.gm? Not sure.


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

ComboFix got part of it. I uninstalled avast, which found nothing, and installed Norton, which found 68 problems. The hiccups are gone. Hooray.


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

If you haven't used the removal tool from avast!, please download and run it from http://www.avast.com/uninstall-utility to avoid any possible issues in future.
regards, CV | There is no ONE TOUCH KEY to security. Be alert and vigilant. | Always have a Backup Plan!

Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Just found that I have this malware as well. I saw a post that suggested this malware makes changes to the user's registry hive. I log in as a normal user (non-admin) on Windows 7, so there should be no way for the malware to make changes to system keys or files that require admin permissions. Do you think it is possible to simply delete the infected user profile? I have created a new user profile, and do not see the replication of dllhost.exe COM surrogate, nor is Malwarebytes or Norton seeing access to fffsee.com or other various IP addresses. Side note: An interesting point is that Norton Internet Security did not block any outbound connections to malicious addresses until after installation of Malwarebytes.


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Hello experts,

I am running the latest version of Norton AV on a Win7 box w/ only Standard User access and default Windows firewall settings. Tonight I received two Poweliks attacks and noticed that when Norton blocked the offending trojans, my TV media streaming device was kicked offline. I rebooted, reset the modem, router and switch, and it happened again right after the second attack.

My question - Does Norton AV immediately block or restrict network access at the router level when malware is detected? I am wondering why the streaming device went down each time... I am hoping the answer is yes, because my particular streaming device uses Java and I'm wondering if any of the Poweliks family was able to harvest my Netflix, Amazon, etc. account information.

Thank you so much in advance, this community rocks.

Peace.


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

I helped get rid of it on a relative's PC. I wasn't there when it happened and didn't find enough in logs to tell me anything useful. All I know is she was googling around looking up a quote she can't remember, saw a warning flash on the screen and after that was infected. NIS has kept her pretty safe but not this time. Would like to better understand how this infects. Nothing I have read so far explains it on a level I can understand.


Re: Trojan.Poweliks, multiple dllhost.exe *32 processes, and powershell on Windows 7

Maybe this will help. AFAIK, no files are downloaded so nothing for AVs to detect.

http://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99&tabid=2

Windows 10 Home X64 Norton Security Premium---Current
