
Help removing Poweliks / dllhost.exe infection


Hi there,
my name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me reviewing your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

You told us that you removed several items with Malwarebytes' Anti-Malware. This tool creates a log on every run and we need to see them.

  • The logs can be found here:
    • XP: C:\Documents and Settings\\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
    • Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
  • Zip any and all of these logs and attach the file to your next reply.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please attach this file to your next reply.
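As an added example (not part of this post and not a Malwarebytes tool), the following PowerShell script gathers the mbam-log files from the version-specific folder named above and zips them ready for attaching. It assumes PowerShell 2.0 or later, uses $env:APPDATA and $env:ProgramData in place of the literal drive paths, and needs .NET 4.5 for the ZipFile class (available on Vista/7; on XP it falls back to leaving the staged folder for zipping by hand).

```powershell
# Added example: collect Malwarebytes' Anti-Malware logs and zip them for a forum reply.
# Assumptions: PowerShell 2.0+, log folder layout as described in the post above.
$os = [Environment]::OSVersion.Version
if ($os.Major -lt 6) {
    # Windows XP / 2003: per-user Application Data folder
    $logDir = Join-Path $env:APPDATA "Malwarebytes\Malwarebytes' Anti-Malware\Logs"
} else {
    # Vista, Windows 7, 2008: ProgramData folder
    $logDir = Join-Path $env:ProgramData "Malwarebytes\Malwarebytes' Anti-Malware\Logs"
}

# Only the per-run logs (mbam-log-yyyy-mm-dd ...) are wanted, not other files in the folder.
$logs = @(Get-ChildItem -Path $logDir -Filter 'mbam-log-*' -ErrorAction SilentlyContinue)
if ($logs.Count -eq 0) {
    Write-Host "No mbam-log files found in $logDir"
    exit 1
}

# Stage copies in a fresh folder so the originals are untouched.
$desktop = [Environment]::GetFolderPath('Desktop')
$staging = Join-Path $desktop 'malwarebytesLogs'
if (Test-Path $staging) { Remove-Item $staging -Recurse -Force }
New-Item -ItemType Directory -Path $staging | Out-Null
$logs | Copy-Item -Destination $staging

# Zip the staged folder; ZipFile needs .NET 4.5, so fall back gracefully where it is missing.
$zip = Join-Path $desktop 'malwarebytesLogs.zip'
if (Test-Path $zip) { Remove-Item $zip -Force }
try {
    Add-Type -AssemblyName System.IO.Compression.FileSystem -ErrorAction Stop
    [System.IO.Compression.ZipFile]::CreateFromDirectory($staging, $zip)
    Write-Host "Zipped $($logs.Count) log(s) to $zip"
} catch {
    Write-Host "ZipFile class unavailable (needs .NET 4.5); zip the folder $staging by hand and attach it."
}
```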


Thanks for the response. Requested log files are attached, here is the content of the ark.txt file




malwarebytesLogs.zip

TDSSKiller.3.0.0.40_07.10.2014_09.04.16_log.txt


Multiple Antivirus Programs installed!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Microsoft Security Essentials or avast! Antivirus.


Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes Anti-Malware to your desktop. Double-click the downloaded setup file and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

fixlist.txt


Thanks for the response.


2 AVs isn't normal. Avast was installed to perform a more thorough scan. It has since been uninstalled.


I didn't have time to wait, so created my own fixlist.txt and ran it. So far the machine has run 2 days straight without the problem resurfacing.

I see a few things in the fixlist.txt you provided that weren't in mine, so I will hold onto it and use it if the trojan somehow manages to resurrect itself.


Thanks for your time.
