dllhost.exe poweliks infection


This topic is locked
12 replies to this topic

#1 kevindd992002

kevindd992002

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 06 November 2014 - 12:55 PM

I was infected by poweliks and combofix fixed the problems. These were the deletions based on the logs:

 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
CLSID={AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - infected with Poweliks and removed.
You should verify if current CLSID data is correct:
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
    (Default)    REG_SZ    Thumbnail Cache Class Factory for Out of Proc Server
    AppID    REG_SZ    {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32
    (Default)    REG_SZ    c:\windows\system32\thumbcache.dll
    ThreadingModel    REG_SZ    Apartment
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\
.
(((((((((((((((((((((((((   Files Created from 2014-10-06 to 2014-11-06  )))))))))))))))))))))))))))))))

 

What I want to know is what it really did in the background? What registry keys did it modify? I'm not sure if I understand the logs correctly.





#2 kevindd992002

kevindd992002
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 07 November 2014 - 11:09 AM

BUMP!



#3 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:37 AM

Posted 08 November 2014 - 11:50 AM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1
Please download Powelikscleaner (by ESET) and save it to your Desktop.
  • Double-click the tool's icon to start it.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Step 2

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#4 kevindd992002

kevindd992002
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 08 November 2014 - 05:38 PM

Thanks deeprybka, but I'm not really looking for help in removing the dllhost.exe infection as it is already gone from my system. What I'm asking is what did combofix.exe really do based on the logs? The next time I get infected I want to be able to do it manually without doing any scans. So what did combofix delete in the registry specifically?



#5 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:37 AM

Posted 08 November 2014 - 05:56 PM

> So what did combofix delete in the registry specifically?

"HKU\S-....\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32"
"HKU\S-....\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"

Interesting reading about Poweliks removal (great work by aharonov, picasso and B-boy/StyLe): http://www.bleepingcomputer.com/forums/t/540481/30-dllhostexe-32-running-in-task-manager/

 


regards,
deeprybka

#6 kevindd992002

kevindd992002
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 08 November 2014 - 06:02 PM

> > So what did combofix delete in the registry specifically?
>
> "HKU\S-....\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32"
> "HKU\S-....\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
>
> Interesting reading about Poweliks removal (great work by aharonov, picasso and B-boy/StyLe): http://www.bleepingcomputer.com/forums/t/540481/30-dllhostexe-32-running-in-task-manager/

Well, those keys are still there when I checked. What's after HKU? And is that supposed to be HKCU? There's no HKU in the registry you know.



#7 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:37 AM

Posted 08 November 2014 - 06:11 PM

I am sorry. I have no time to give a lecture about the registry. :)

HKU/S- is the FRST Output for [HKEY_USERS\]


regards,
deeprybka
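A read-only audit of the registry locations named in posts #5 and #7, added here as an example; it is not code from the thread, from ComboFix or from ESET's cleaner. It walks every user hive loaded under HKEY_USERS (what FRST prints as HKU\S-...), reports any per-user LocalServer32 registration of the CLSID from the ComboFix log, and prints the machine-wide registration for comparison. Run it from an elevated PowerShell prompt; it reports and changes nothing.

```powershell
# Added example (not from the thread, ComboFix or ESET). Read-only audit for the
# CLSID that ComboFix flagged in post #1. Per-user class registrations under
# HKU\<SID>\Software\Classes shadow the machine-wide ones in HKLM, so a per-user
# LocalServer32 for a CLSID that HKLM registers as an in-process thumbcache.dll
# server is exactly the key ComboFix removed (post #5). Nothing is modified.
$Clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'   # value taken from the log in post #1

function Get-DefaultValue([string]$Path) {
    # Returns the (Default) REG_SZ of a key, or $null if the key does not exist.
    if (Test-Path -LiteralPath $Path) {
        (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
    }
}

# 1. Machine-wide registration: expected InprocServer32 -> thumbcache.dll, no LocalServer32.
$machineKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$Clsid"
Write-Host "HKLM InprocServer32 : $(Get-DefaultValue "$machineKey\InprocServer32")"
Write-Host "HKLM LocalServer32  : $(Get-DefaultValue "$machineKey\LocalServer32")"

# 2. Per-user registrations. HKU\<SID>\Software\Classes and HKU\<SID>_Classes are
#    two views of the same per-user class data, so both paths are checked.
$findings = @()
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $candidates = @(
        "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Classes\CLSID\$Clsid\LocalServer32",
        "Registry::HKEY_USERS\$($hive.PSChildName)\CLSID\$Clsid\LocalServer32"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Hive    = $hive.PSChildName
                Key     = $path -replace '^Registry::', ''
                Default = Get-DefaultValue $path
                # ComboFix's log showed a nested 'localserver32\' entry; count subkeys too.
                Subkeys = @(Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue).Count
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No per-user LocalServer32 registration found for $Clsid in any loaded hive."
} else {
    Write-Warning "Per-user LocalServer32 registration(s) present for $Clsid (review, do not assume clean):"
    $findings | Format-List
}
```

Only hives of currently loaded profiles appear under HKEY_USERS, so a profile that is not logged on is not checked by this script.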

#8 kevindd992002

kevindd992002
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 08 November 2014 - 06:19 PM

> I am sorry. I have no time to give a lecture about the registry. :)
>
> HKU/S- is the FRST Output for [HKEY_USERS\]

Ok. So usually those registry hives should not be there and I should just delete them?

But combofix said it deleted the ones in HKEY_CLASSES_ROOT, right?


Edited by kevindd992002, 08 November 2014 - 06:20 PM.


#9 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:37 AM

Posted 08 November 2014 - 06:53 PM

> I am sorry. I have no time to give a lecture about the registry. :)

http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/

I don't talk with you about combofix. Thanks for your understanding.


regards,
deeprybka

#10 kevindd992002

kevindd992002
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 08 November 2014 - 07:14 PM

> > I am sorry. I have no time to give a lecture about the registry. :)
>
> http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/
>
> I don't talk with you about combofix. Thanks for your understanding.

But why? This is a forum where combofix is downloaded. So there's no support from you with that? That thread you sent me is locked.



#11 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:37 AM

Posted 08 November 2014 - 07:28 PM

> That thread you sent me is locked.

But you can read the thread?

> ComboFix is an Anti-Malware tool used by advanced malware technicians specifically trained in its use.
>
> Please DO NOT USE COMBOFIX on your own without supervision!!!

> But why?

> I'm not really looking for help in removing the dllhost.exe infection as it is already gone from my system. What I'm asking is what did combofix.exe really do based on the logs? The next time I get infected I want to be able to do it manually without doing any scans. So what did combofix delete in the registry specifically?

I have no time for such things.


regards,
deeprybka

#12 kevindd992002

kevindd992002
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 08 November 2014 - 07:44 PM

> > That thread you sent me is locked.
>
> But you can read the thread?
>
> > ComboFix is an Anti-Malware tool used by advanced malware technicians specifically trained in its use.
> >
> > Please DO NOT USE COMBOFIX on your own without supervision!!!
>
> > But why?
>
> > I'm not really looking for help in removing the dllhost.exe infection as it is already gone from my system. What I'm asking is what did combofix.exe really do based on the logs? The next time I get infected I want to be able to do it manually without doing any scans. So what did combofix delete in the registry specifically?
>
> I have no time for such things.

Is it just you or are all moderators here not helping with this kind of stuff? I just want to know what combofix is doing in the background.



#13 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:37 AM

Posted 08 November 2014 - 07:58 PM

> I just want to know what combofix is doing in the background.

Feel free to ask the moderators.


regards,
deeprybka
