
I run a computer support business, and of all the malware that I have had to deal with, the worst in my experience is the one that deals with "dllhost.exe". None of the well-known companies that make security software (anti-virus, anti-malware) other than Symantec have even given it a name, and none of them either detect or remove it successfully. Apparently it is a fileless, memory-injecting DLL. If that does not mean anything to you, you are not alone, but it may explain why it is so difficult to detect and remove.

It is not new, and you can find descriptions of it at least as far back as 2013 or possibly earlier.

Symantec calls it "Poweliks" and even provides a specific removal program, as well as instructions for manual removal, neither of which works at this time (or within the last 2 years that I have had a chance to test it).

Does not work, but you may want to read the information anyway:
https://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99&tabid=3

Other programs that also fail to detect and remove this problem are:
AVG, Avast, Malwarebytes, Spybot, Symantec, ESET, McAfee, Kaspersky, MS Security Essentials, Trend Micro, BitDefender, RogueKiller, etc.

The symptom is the presence of multiple instances of dllhost.exe (viewed in the Task Manager Processes tab) that usually cannot be removed by end-tasking, and very high (close to 100%) CPU usage, which, as you would expect, slows the computer to a crawl, often making it totally unusable.

At first it does not appear as obtrusive as it becomes later on, so it may take a week or more for it to become obvious. If you disconnect from the internet and, after just booting up, abstain from running any programs other than your memory-resident security programs, CPU usage may remain below 10%, but when you connect to the internet, activity will jump much higher (this is after all of your security updates have already finished). On a healthy computer, CPU usage ought to be no higher than 0-3%, with or without an internet connection.

The solution that most support takes (Malwarebytes) is to have a malware removal expert work with you on-line on your unique case. This involves running a handful of special programs such as Farbar, ComboFix, etc., and requires posting the results of scans and system logs on-line. It may take several days, and the instructions are relevant only to the specific computer. While this is extremely helpful to a given individual, when successful, it is not very efficient compared to the successful removal of less tough malware that many security programs accomplish routinely.

All you have to do is a search for "dllhost.exe malware removal" to find tons of links, which suggests that this is a fairly common problem.

We need to have all of the Security Programs able to deal with this problem.

The only surefire solution to fully deal with this problem, in my experience, is to restore a prior clean image backup. This is the only thing that has worked for me in the past.
This requires that you make full image backups systematically, prior to having any problems.

Please add helpful information.

Edited by drdancm
grammar, clarity etc.
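A defender-side triage script for the symptom pattern the post above describes (many dllhost.exe instances at high CPU). This is an added example, not code from the thread, from Symantec or from Malwarebytes; it assumes Windows PowerShell 5.1 or later in an elevated session, and the /Processid:{CLSID} command-line check is a heuristic of my own that the post does not mention.

```powershell
# Added triage script, not from the thread: enumerate dllhost.exe instances and
# flag the pattern described above (many instances, sustained high CPU).
# Assumes Windows PowerShell 5.1+ in an elevated session (needed to read the
# command line and parent PID of every process).
$SampleSeconds = 5   # interval over which CPU usage is measured

# One CIM snapshot gives PID, parent PID, path and command line in one query
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'")
if ($procs.Count -eq 0) { Write-Host 'No dllhost.exe instances running.'; return }

$logical = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors

# First CPU-time reading per instance
$before = @{}
foreach ($p in $procs) {
    $ps = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if ($ps) { $before[$p.ProcessId] = $ps.TotalProcessorTime.TotalSeconds }
}
Start-Sleep -Seconds $SampleSeconds

$report = foreach ($p in $procs) {
    $ps = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if (-not $ps -or -not $before.ContainsKey($p.ProcessId)) { continue }  # exited mid-sample
    $delta  = $ps.TotalProcessorTime.TotalSeconds - $before[$p.ProcessId]
    $cpuPct = [math]::Round($delta / $SampleSeconds / $logical * 100, 1)
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    # Heuristic (my assumption, not stated in the thread): a legitimate COM Surrogate
    # is normally started with a /Processid:{CLSID} argument, so its absence is worth a look.
    $hasClsid = [bool]($p.CommandLine -match '/Processid:\{[0-9A-Fa-f-]+\}')
    [pscustomobject]@{
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
        CpuPercent  = $cpuPct
        HasClsidArg = $hasClsid
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
    }
}

$report | Format-Table PID, ParentPID, ParentName, CpuPercent, HasClsidArg, Path -AutoSize

# Summarise against the symptoms reported in the post
$count = @($report).Count
$busy  = @($report | Where-Object { $_.CpuPercent -ge 20 }).Count
$odd   = @($report | Where-Object { -not $_.HasClsidArg }).Count
Write-Host "dllhost.exe instances: $count; at or above 20% CPU: $busy; without /Processid argument: $odd"
if ($count -ge 3 -and $busy -gt 0) {
    Write-Warning 'Matches the pattern in this thread: capture logs (e.g. Farbar/FRST) before attempting cleanup.'
}
```

Run it while the machine is connected to the internet, since the post notes that CPU usage stays low until then; the per-instance command line and parent name are what a malware removal helper will want to see alongside the Farbar logs.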

Poweliks is really a pain in the....
It is weird that you can't remove it with Malwarebytes, because I remember being infected by Poweliks once. I tried everything to remove it, but nothing was working; that's when I learned about Malwarebytes Anti-Malware, and MBAM removed it completely after I ran a scan with the 'Search for rootkits' option on. I have stuck with Malwarebytes since that day.


Hello and Welcome!

Yes, Poweliks is really a pain to deal with, and there are so many variants of it that it makes it hard to remove. Using only one tool is really hard to do.

Have a read through "The complexity of finding, preventing, and cleanup from malware".

Most of the computers with this infection that I have cleaned, I cleaned with Malwarebytes (with rootkit scanning enabled).

