Author Topic: " dllhost.exe" Poweliks Malware - Your worst Nightmare without easy solution  (Read 3117 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
 I run a computer support business  and of all the malware that I have had to deal with, the worst in my experience is the one that deals with "dllhost.exe,  None of the well known companies that make security software (Anti-virus, Anti-Malware) other than Symantec have even given it a name, and none of them either detect or remove it successfully. Apparently it is a Fileless, Memory injecting DLL. If that does not mean anything to you, you are not alone, but it may explains why it is so difficult to detect and remove.

It is not new, and you can find descriptions of it at least as far back as 2013 or possibly earlier.

Symantec calls it "Poweliks" and even provides a specific removal program, as well as instructions for manual removal, neither of which works at this time (or within the last 2 years that I have had a chance to test it).

Does not work, but you may want to read the information anyway
https://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99&tabid=3

 

Other programs that also fail to detect and remove this problem are:
AVG, Avast, Malwarebytes, Spybot, Symantec, Eset, McAfee, Kaspersky, MS Security Essentials, Trend Micro, BitDefender, Rogue Killer etc.

 

Symptom is presence of multiple instances of dllhost.exe (viewed in Task Manager Processes Tab)  that usually cannot be removed by endtasking, and very high (close to 100%) CPU usage, which as you would expect slows the computer to a crawl, often making it totally unusable.

At first it does not appear as obtrusive as it becomes later on, so it may take a week or more for it to become more obvious. If you disconnect from the internet and abstain from running any programs, after just booting up, other than your memory resident security programs, CPU usage may remain below 10%, but when you connect to the internet, activity will jump much higher (this is after all of your security updates have already finished). On a healthy computer CPU usage ought to be no higher than 0-3%, with or without internet connection.

The solution, that most support takes (Malwarebytes, is to have a malware removal expert work with you on-line your unique case. This involves running a handful of special programs such as Farbar, Combofix, etc. and requires posting results of scans and systems logs on-line. It may take several days and the instructions are relevant only to the specific computer.  While this is extremely helpful to a given individual, when successful, it is not very efficient compared to the successful removal of less tough malware that many Security Programs accomplish routinely.

All you have to do is do a search for "dllhost.exe malware removal" to find tons of links which suggests that this is a fairly common problem.

We need to have all of the Security Programs able to deal with this problem.

 

The only surefire solution to fully deal with this problem in my experience is to restore a prior clean image backup. This is the only thing that has worked for me in the past.
This require that you make full image backups systematically prior to having any problems.

Please add any helpful comment

Offline Asyn

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
avast also calls it poweliks - JS:Powliks-<versionletter>[Trj] and sure does detect it.

Offline CraigB

  • Avast √úberevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
avast also calls it poweliks - JS:Powliks-<versionletter>[Trj] and sure does detect it.
Pretty much all AV's have detected it since 2014, Malwarebytes as well.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Quote
None of the well known companies that make security software (Anti-virus, Anti-Malware) other than Symantec have even given it a name, and none of them either detect or remove it successfully.
https://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99&tabid=3

Alias:
Quote
Also Known As:
TROJ_POWELIKS.A [Trend],   Trojan.Poweliks.A [F-Secure],   Trojan.Win32.Powerliks.a [Kaspersky],   Trojan:Win32/Powessere.ATrojan.Win32.Powerliks.a [Microsoft]
Type:Trojan



https://www.virustotal.com/en/file/399511e1b4920047b0ae4b61319a62cad9427fd0db83d25ae37ade61f4548b65/analysis/1486220468/

https://www.virustotal.com/en/file/c6e0caf0ecba5b7d0c35130e3f97ba8c02be5970d9a6687d926802b4aa8391cf/analysis/

https://www.virustotal.com/en/file/2244fe4e712106f389f6dbe2991f764a67219681939480ca2c082f81484d2408/analysis/

and many many more if you search

Also note that new versions of malware come out in huge numbers evry day
Statistic  https://www.av-test.org/en/statistics/malware/



« Last Edit: February 23, 2017, 11:08:32 AM by Pondus »