Friday, September 26, 2014

Rundll Javascript, Dllhost, 100% CPU Usage

If you put the above keywords into a web search recently, you may be infected with Poweliks. To use a technical term, it is a booger. I had cleaned up a customer's laptop, but it was still behaving strangely. When I opened Task Manager there were 20+ instances of dllhost.exe and the CPU was pegged at 100%. I then opened Process Explorer to have a closer look. I noticed that shortly after I killed the dllhost processes, rundll would call PowerShell and then the dllhosts would start back up. I searched in vain for several hours trying to figure out what was going on; some said iconcache.db, others said run CHKDSK. I even went so far as uninstalling PowerShell, and the infection was able to download the PowerShell standalone update and prompt me to install it again.

Finally I ran FRST and removed a couple of things, one of which was flagged as Poweliks. Usually FRST removes or fixes anything you tell it to, but this time it gave an error on the registry key that was flagged. I did some reading up on Poweliks and found that it hides in a registry key with a non-ASCII name. This makes it difficult to remove, as the built-in registry editor is incapable of reading, deleting, or even viewing such keys.

Luckily there is a tool that removes this infection: RogueKiller. I have used this tool in the past, but it had fallen out of my everyday use. When I ran it, it found the recalcitrant registry key and flagged it as Poweliks. Unlike FRST, it uses some other method to delete registry keys, and I was rid of the infection.
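The post describes two symptoms worth checking for before reaching for a removal tool: a Run-key entry that launches rundll32 with a javascript: payload (which in turn spawns PowerShell), and a registry name that regedit cannot display. The following PowerShell script is an added triage example, not a tool from the post or from the FRST/RogueKiller projects. It assumes the standard HKCU/HKLM Run and RunOnce keys are the locations to inspect and that the regular expressions below are a reasonable illustration of the launch pattern; it only reports findings and deletes nothing.

```powershell
# Added example: triage a Windows host for Poweliks-style Run-key persistence.
# Assumption: the four Run/RunOnce keys below are the locations to inspect.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspiciousName {
    param([string]$Name)
    # Regedit cannot show names that are empty or contain non-printable / non-ASCII
    # characters. A name that begins with a NUL character is typically returned to
    # .NET as an empty string, so an empty name is treated as suspicious too
    # (assumption about how the API surfaces such names).
    if ([string]::IsNullOrEmpty($Name)) { return $true }
    return ($Name -match '[^\x20-\x7E]')
}

function Test-SuspiciousData {
    param([string]$Data)
    # Illustrative patterns: rundll32 or mshta invoking the javascript: handler,
    # or a PowerShell launch with an encoded command (assumed pattern, not from the post).
    return ($Data -match '(?i)rundll32.*javascript:' -or
            $Data -match '(?i)mshta.*javascript:' -or
            $Data -match '(?i)powershell.*-e(nc|ncodedcommand)?\s')
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key

    # Inspect every value name and its data under this key.
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ((Test-SuspiciousName $valueName) -or (Test-SuspiciousData $data)) {
            [pscustomobject]@{ Key = $key; Name = $valueName; Data = $data }
        }
    }

    # Subkeys with unreadable names are reported as well.
    foreach ($sub in $item.GetSubKeyNames()) {
        if (Test-SuspiciousName $sub) {
            [pscustomobject]@{ Key = $key; Name = "<subkey> $sub"; Data = '' }
        }
    }
}

# Second symptom from the post: a pile of dllhost.exe processes.
$dllhostCount = (Get-Process -Name dllhost -ErrorAction SilentlyContinue | Measure-Object).Count

if ($findings) {
    Write-Output 'Suspicious Run-key entries:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No suspicious Run-key entries found.'
}
Write-Output "dllhost.exe instances currently running: $dllhostCount"
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A hit on the name check confirms the post's point that regedit alone will not be able to show or remove the entry; the values and names it prints are what you would hand to a tool that deletes keys through a lower-level API, as the post describes RogueKiller doing.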

If you're in Waco, Tx G&A Computers can help you with all of your computer repair needs. PC, Mac, all computers repaired.
