Crypto/Poweliks Variant Manual Removal Guide



#1 thecomputerplace0

Posted 25 January 2015 - 10:19 PM

I've been removing viruses as a profession for about 10 years now.  We do about 10 a day in our shop.  Never had one quite like this and thought we'd share and it'd help out someone else.


  • Symptoms
    • dual dllhost.exe and explorer.exe processes eating up 50+% of CPU
    • Reopen immediately upon termination
    • Extremely large Temporary Internet Files & %tmp% folder
  • Attempts
    • Disabled System Restore
    • Safe mode scan with
      • ComboFix
      • Hitman
      • MBAM
      • MBAR
      • JRT
      • AdwCleaner
      • ESET PoweLiks Cleaner
      • FixPoweliks (Symantec)
      • FRST
      • RogueKiller
      • TDSS Killer
  • Resolution
    • Noted c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4} entry in ComboFix.txt log as a recently created file
      • Confirmed above referenced directory was filled with suspect files
      • Attempted deletion to no avail as files were in use
    • Searched registry for reference of the above (searched specifically ‘D9E629DC’)
      • Search returned one result: CustomCLSID: HKU\S-1-5-21-226362633-2050113004-1670365138-1003_Classes\CLSID\{56CBD3CF-BF99-4DF5-851F-F5B9B57496A1}\InprocServer32 -> C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}\’random file name’
    • Deleted the registry reference
    • Rebooted
    • Deleted the directory referenced above; however, it was not in c:\ProgramData but in c:\users\all users
  • Possible Alternative Resolution
    • Scan drive from another PC
    • Delete all %tmp% and referenced locations above
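The hunt the post describes by hand (search the per-user CLSID hive for an InprocServer32 entry whose DLL lives under C:\ProgramData, delete the key, reboot, then delete the directory) can be scripted. The PowerShell below is an added example written for this page, not code from the original poster or from any of the tools listed above. It walks every *_Classes hive loaded under HKEY_USERS, reports each CLSID whose in-process server is not installed under %SystemRoot% or Program Files, and flags the ones that point into C:\ProgramData, C:\Users or %TEMP%. The trusted-root and suspect-root lists, the function names, and the -Remove switch are all assumptions of this example, and the DLL paths it prints are whatever the machine actually has; review the report before deleting anything.

```powershell
<#
  Added example (not from the original post). Finds per-user CLSID registrations whose
  InprocServer32 default value points to a DLL under C:\ProgramData (or its C:\Users\All Users
  junction), a user profile, or %TEMP%. Reports by default; -Remove deletes the flagged keys.
  Run from an elevated prompt. Only hives currently loaded under HKEY_USERS are visible, so the
  affected user must be logged on (or the hive loaded with reg load).
#>
[CmdletBinding()]
param(
    [switch]$Remove   # delete flagged CLSID keys instead of only reporting them
)

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Where a legitimate in-process COM server is normally installed (assumed list).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Where the post found the dropped files; %TEMP% here is the current user's, so also
# check the affected profile's temp folder by hand (assumed list, extend as needed).
$suspectRoots = @($env:ProgramData, "$env:SystemDrive\Users", $env:TEMP) | Where-Object { $_ }

function Test-UnderRoot {
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        if ($Path.StartsWith($root.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-NormalizedServerPath {
    param([string]$Value)
    # Strip quotes, expand %SystemRoot%-style variables, then fold the C:\Users\All Users
    # junction (Vista and later) onto C:\ProgramData so both spellings compare equal.
    $p = [Environment]::ExpandEnvironmentVariables($Value.Trim()).Trim('"')
    $allUsers = "$env:SystemDrive\Users\All Users"
    if ($p.StartsWith($allUsers, [StringComparison]::OrdinalIgnoreCase)) {
        $p = $env:ProgramData + $p.Substring($allUsers.Length)
    }
    return $p
}

$findings = foreach ($hive in Get-ChildItem -Path HKU:\ | Where-Object { $_.PSChildName -like '*_Classes' }) {
    $clsidRoot = "$($hive.PSPath)\CLSID"
    if (-not (Test-Path -LiteralPath $clsidRoot)) { continue }

    foreach ($clsid in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
        $inproc = "$($clsid.PSPath)\InprocServer32"
        if (-not (Test-Path -LiteralPath $inproc)) { continue }

        $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }

        $path = Get-NormalizedServerPath $server
        if (Test-UnderRoot $path $trustedRoots) { continue }   # normal install location, skip

        [PSCustomObject]@{
            Hive    = $hive.PSChildName            # e.g. S-1-5-21-..._Classes
            CLSID   = $clsid.PSChildName
            Server  = $path
            Suspect = Test-UnderRoot $path $suspectRoots
            OnDisk  = Test-Path -LiteralPath $path  # a missing DLL is worth a look too
            KeyPath = $clsid.PSPath
        }
    }
}

$findings | Sort-Object Suspect -Descending | Format-Table Hive, CLSID, Suspect, OnDisk, Server -AutoSize

if ($Remove) {
    foreach ($f in $findings | Where-Object { $_.Suspect }) {
        Write-Host "Removing $($f.CLSID) from $($f.Hive) -> $($f.Server)"
        Remove-Item -LiteralPath $f.KeyPath -Recurse -Force
    }
    Write-Host "Reboot before deleting the server directory; the DLL stays locked while dllhost.exe has it loaded."
}
```

Run it once without -Remove and read the report: anything with Suspect = True and a random-looking CLSID or file name under ProgramData matches the entry quoted in the post. Deleting the key only breaks the load path; the files themselves are still locked by the running dllhost.exe until the reboot, which is why the post deletes the directory afterwards.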



#2 Oh My! (Malware Response Instructor)

Posted 28 January 2015 - 08:18 PM

Thank you for the information.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My! (Malware Response Instructor)

Posted 28 January 2015 - 08:18 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary