Seen it? Poweliks registry malware / many dllhost.exe com surrogate

I'm going to pick up another Poweliks laden laptop right now. At least that is what I think after the client asked me about a Powershell pop up and a slooow system.

The knowledge that's freely shared here is great for us little independents.

Thanks, Bryce and all you posters.
 
Thanks for the thread guys! Just got a couple of these in. Been fighting one since Friday, couldn't find the stinkin infection! Read this thread, ran ESET tool, had it, killed it, now just a bit of fallout clean-up and we're good!

Thanks again!
 
I'm working on yet another Poweliks infection. Eset killed it in seconds.

Now all I have left is the other crap that got installed and an issue preventing file downloads from any browser.
 
I vouch for the Norton tool. Used it on two computers as my first line of attack and it worked like a charm.
 
It's this kind of malware that gets me concerned for the pizza techs out there that only know how to run scans, and wouldn't think twice if all of their scans came up clean. Had three customers the other week with this virus, seemed to be dropped by Yakes. Customers opened no payload. One of the machines had the Cryptowall 2.0. One of the machines, I had to kill the processes, and then manually remove the registry keys. Not a single scan detected it.

I will be training my techs to recognize this type of stuff. Mainly by teaching them to understand how Windows works, and what's normal and not normal. The hard part is it uses a legitimate process, dllhost.exe. Who's going to think twice about that? It could fool anyone. Aside from the high CPU usage. Even then, there were times on one of the infected machines, the CPU would go back to normal, and then an hour later, the virus would kick back on again.
 
... The hard part is it uses a legitimate process, dllhost.exe. Who's going to think twice about that? It could fool anyone.
Yeah but not 7 or 8 dllhost processes running all at once soaking up all the CPU. That is abnormal and any "good" tech should spot that. Plus any good tech worth his salt will have Malwarebytes trial version (or even Premium if he's a good salesman) and it will be blocking things like "fff5ee dot com" (do not go to this web site!) like crazy. 99% of the "good" techs won't miss either of those two clues.

 
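The two posts above describe the same tell: the infection hides behind a legitimate COM surrogate (dllhost.exe), so a tech has to know what a normal number of those processes looks like and where they come from, rather than trusting a clean scan. The script below is an added example for that triage step; it is not from the thread or from any vendor tool mentioned in it. It assumes it is run from an elevated PowerShell on the suspect machine, and the threshold of 3 simultaneous dllhost.exe processes is a hypothetical tuning value, not a figure from the thread.

```powershell
# Added example (not from the thread): enumerate dllhost.exe instances and flag
# the "many COM surrogates soaking up CPU" pattern the posts describe.
# Assumptions: elevated PowerShell on the suspect machine; $Threshold is a
# hypothetical tuning value.

$Threshold = 3

# Win32_Process exposes the parent PID and command line, which Get-Process does not.
$surrogates = @(Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'")

$report = foreach ($p in $surrogates) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
    $proc   = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
        CPUSeconds  = if ($proc) { [math]::Round($proc.CPU, 1) } else { $null }
        CommandLine = $p.CommandLine
    }
}

$report | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize

# A few dllhost.exe instances started by svchost.exe (the DCOM launcher) with a
# "/Processid:{GUID}" argument is the normal shape. Instances whose parent is not
# svchost.exe, or that carry no /Processid argument, deserve a closer look, and so
# does a pile of them all burning CPU at once.
$odd = @($report | Where-Object {
    $_.ParentName -ne 'svchost.exe' -or $_.CommandLine -notmatch '/Processid:\{'
})

if ($report.Count -ge $Threshold -or $odd.Count -gt 0) {
    Write-Warning "$($report.Count) dllhost.exe processes running; $($odd.Count) look unusual."
}

# Autostart review: list the per-user and machine Run keys so the tech can see
# what launches at logon instead of relying on a scan result.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host "`n== $key =="
        Get-ItemProperty -Path $key |
            Select-Object * -ExcludeProperty PS* |
            Format-List
    }
}
```

The process table is the part to read first: the CPU column shows which surrogates are actually doing the work, and the parent and command-line columns show whether each one was started the way Windows normally starts them. The Run-key dump at the end is only a starting point for the manual registry review the earlier post mentions; it is meant to be read by a person, not treated as a verdict.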
Yeah but not 7 or 8 dllhost processes running all at once soaking up all the CPU. That is abnormal and any "good" tech should spot that. Plus any good tech worth his salt will have Malwarebytes trial version (or even Premium if he's a good salesman) and it will be blocking things like "fff5ee.com" like crazy. 99% of the "good" techs won't miss either of those two clues.


True. But we're talking "good techs." The ones that give a **** about their customers. Sadly, not many of those around here. Just had a customer come in today, after he called one of my competitors. After he pressed my competitor about how the clean up was done, the guy finally spilled the beans and admitted that their virus removals are just a hard drive pull and offline malwarebytes scan, and then back to the customer. That's how he advertises 4 hour turn around time for virus removals. Yikes!
 