My Windows 7 machine became infected with a Powershell virus/malware unless I am mistaken. Running processes showed about 8 or 9 dllhost.exe *32 Com Surrogate processes running at once. CPU resources were almost at 100 percent and the hardrive fan were running very loud. Also, continuous IE activity was showing each time I deleted files even though I was not using the internet. Also, multiple intrusion attempts were then being blocked due to my machine being a slave to the malicious sites it was seeking out on its own unless I am mistaken. It also appeared that the IE security settings were automatically changed.
I read the other thread from a subscriber who posted wtih a similar problem. I do not believe this to be a PUA installed with other software. This seems to be a much more serious issue. This malware is taking control of IE and searching out malicious sites were intrusions followed. This is just my opinion though, as I am not an expert.
I did a lot of research on the net regarding others who have had this problem. It seemed that the virus was isolated to the user profile I was using. No mattter how many scans I did, my machine always came back clean. I created new profiles and ultimately deleted the infected profiles. It appears that the malicious activity does not exist on the new profiles. I used backup data and restored it to the new profiles. I'm hoping this solution is permanent, but I will be watching in case anything malicious wakes.
My quesiton is why was this malware not detected? I'm not sure if it is a variant of a Powershell or other signature. I know that it is mimicking a windows file that is necessary, but isn't there a way for this to be detected somehow? Even if there is not a signature to recognize this, I was hoping that the behavior of this malware would be deteced with the 0 day functionality.
I've never seen anything like this before and my goal is to protect against this type of thing in the future. Any thoughts, advice, or perspectives would be appreciated.
dllhost.exe / Com Surrogate malware not detected
If that happens again, right-click the Webroot icon in your toolbar. Click "Control Active Processes". Look through the list of running programs up and check to see if any are in the "Monitored" state. These will be programs that Webroot is monitoring to see how it behaves, and if it is determined to be malware, will automatically remove the process and rollback any changes it has made to your computer.
If you want Webroot to check your computer to be sure that it is clean, or if it happens again and you want them to see what may be affecting it, click HERE to open a support ticket. It is free for all current Webroot users.
If you want Webroot to check your computer to be sure that it is clean, or if it happens again and you want them to see what may be affecting it, click HERE to open a support ticket. It is free for all current Webroot users.
This is the most unique piece of malware I have ever seen and everybody is being hit by it. Just search for Poweliks in google.
Couple of points:
1) Its registry malware and thus has no actual file
2) The malware is located in the HKCU registry hive which is the current users registry hive (hence why when you logged into other profiles it was clean
3) IE settings being changed is a recent change in the newer versions
4) Its not a powershell infection (although it uses it)
5) We dont use signatures
6) Its not dropped via PUA
7) It doesnt mimic any windows files (although it uses legimate windows processes)
😎 None of the versions have done anything to control IE.
We have released a newer build of WSA to combat this, the easiest way to get this is to block the original downloader.
Couple of points:
1) Its registry malware and thus has no actual file
2) The malware is located in the HKCU registry hive which is the current users registry hive (hence why when you logged into other profiles it was clean
3) IE settings being changed is a recent change in the newer versions
4) Its not a powershell infection (although it uses it)
5) We dont use signatures
6) Its not dropped via PUA
7) It doesnt mimic any windows files (although it uses legimate windows processes)
😎 None of the versions have done anything to control IE.
We have released a newer build of WSA to combat this, the easiest way to get this is to block the original downloader.
Thanks @ , While I know malware commonly uses this file name, I have more than noticed a much higher than normal nunber of posts mentioning this file name.
Thank you for the info and update on it! It is good to know Webroot is on top of it 🙂
Thank you for the info and update on it! It is good to know Webroot is on top of it 🙂
+13I would like to add that in no way,shape,or form,should any user attempt removal of this threat themselves.Please rely on the professionals like Webroot support.Most tools and plans of combating this threat listed on the net are faulty at best.Identifying the proper variant is HUGE.They do not all behave the same exact way,which is why relying on professionals is the best thing you can do.Best of all:Webroot support is 100% free.Can't ask for better than that.It's been a long time since i have seen news of a threat flood pretty much every security forum imaginable.
WSA 9.0.29.62,Macrium Reflect Paid, Diskeeper 18,AMD Ryzen 7 3700X - 32GB 3000mhz Memory - AMD Radeon RX 5700 XT - 2TB HDD + 1 TB Samsung M.2 970 EVO SSD
Triple Kudo superssjdan's reply above. 100% on the point and correct.
Support is FREE, and it is the 100% best solution available.
Support is FREE, and it is the 100% best solution available.
I appreciate the many points addressing my observations. I'm sorry that others appear to have suffered this same security threat based on what i see from the other replies.
I definitely should have contacted Webroot. My default protocol has always been to fix myself as I have some background doing this, but it does not compare to the value in utilizing the support provided to me. This problem seemed so unique to me compared to my previous experience.
Once again, thanks for all who provided their feedback. I assume my Webroot updates automatically, but if I need to do something specific for the newer version, please do let me know.
I definitely should have contacted Webroot. My default protocol has always been to fix myself as I have some background doing this, but it does not compare to the value in utilizing the support provided to me. This problem seemed so unique to me compared to my previous experience.
Once again, thanks for all who provided their feedback. I assume my Webroot updates automatically, but if I need to do something specific for the newer version, please do let me know.
No doubt, the Webroot support personnel are the best in the business!@ wrote:
I appreciate the many points addressing my observations. I'm sorry that others appear to have suffered this same security threat based on what i see from the other replies.
I definitely should have contacted Webroot. My default protocol has always been to fix myself as I have some background doing this, but it does not compare to the value in utilizing the support provided to me. This problem seemed so unique to me compared to my previous experience.
Once again, thanks for all who provided their feedback. I assume my Webroot updates automatically, but if I need to do something specific for the newer version, please do let me know.
As far as the update, you are correct that it updates automatically. Just hover your pointer over the Webroot icon in your toolbar and you will see your current version. If you want to check out the latest version and see what changes were made to it, take a look at the Change Log section. Lots of information about the software.
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.