Not sure about infection: Poweliks or conhost miner

[Silas Charleaux]

Not sure if infected by Poweliks, COM Surrogate or conhost miner.

I have disk encryption(bitlocker). I have Kaspersky TS 2017 running, still no detection and no flags or warnings.

Also thinking about giving up on it. How does the antivirus does not warn or notice this ridiculous activity that anyone with ctrl+alt+del can spot?

Also after checking process explorer makes, it even more evident. Several different processes injecting one single instance into svchost, conhost and cmd and targeting Chrome with scripts. If I ownership, inherit and delete. It is just swapped by other processes behaving in a exactly same fashion doing the exactly same thing. Note, I did not delete conhost, svchost or cmd, I know they are indispensable. But the injections only increase response until I finish a critical process which prompts a restart. It is tiresome.

It is very subtle, because it is mostly 1 or 2 processes(system32, system32\wbem or syswow64\wbem). The injection does not multiply. Only gets swapped when finished. I notice when it started, because my fan tells me. It affects If I'm gaming, idle or running several tabs on Chrome, which already hogs up a lot of memory.

Anyway, FRST logs are uploaded, I kindly appreciate any help in advance. Also I apologize if there is no infection. It is just weird to see Windows being so persistent in hogging up my memory and launching instances of applications while I'm idle.

 

[Silas Charleaux]

BTW, I manually edited the hosts file to prevent Kaspersky from connecting to hosts and injecting java into Chrome.

 

[Silas Charleaux]

Also I have run sfc /scannow to repair my audiodg file and restore sounds.

 

[TwinHeadedEagle]

Your computer seems clean.

 

[Silas Charleaux]

Is it normal to have svchost.exe being injected by dllhost.exe, unsecapp.exe, rundll32, WmiPrvSE, while other instances of svchost (they are multiple in any Windows installation) being randomly injected by dwm.exe, ctfmon.exe if any of the prior get process tree terminated or suspended? If I successfully end process all trees by being persistent svchost behaves normal, no injections. Until I open chrome or disconnect/connect to web.

I know these are all windows apps, but so does Powershell.

Just so you get an idea:
Poweliks and conhost minor? Both?

Whenever I close the prior, the later get in action and restore the prior to the original state. Also I've read about Poweliks:
Trojan.Poweliks Removal - Removing Help | Symantec

Exactly as it was told in the page above, I had the localserver registry keys placed, as well as Powershell installed (I never installed it) in System32 with took me several permission, inheritance overrides, including learning to use powershell scripts to remove its installation, since permission there was absolute impossible to manually retrieve and software was not listed into Windows Updates for removal.

I don't want to bother you, I just can't fathom that this could be Windows normal behaviour.

 

[Silas Charleaux]

Can we or, if you prefer, give me directions or a follow-up tutorial of tools to run to obtain a second opinion? I'm truly confident on your skills, being who you are. I mean, the usual tools you would use to do a more detailed scan and removal of possible malware. I really dont think Kaspersky is able to handle this one.

 

[Silas Charleaux]

Maybe I'm not having bigger symptoms because I'm using several chrome extensions to block adware, as well as Kaspersky adblocker software.

 

[TwinHeadedEagle]

Yes, svchost as its name says is service host, that is running multiple services at once. You can have a lot of them.

 

[Silas Charleaux]

Yes, svchost as its name says is service host, that is running multiple services at once. You can have a lot of them.

Look, I really don't understand your lack of willingness to run the usual tools with me. But I understand that as personal choice you can just chose to not do it. It is voluntary work. But If I can't count with our help, where else should I go?

I have all the weird and protected registry keys related to the infections I mentioned. I have all the 5-1-21 administrator accounts permissions set in several important files and dlls. I have some BSODs happening whenever I try to run aswMBR. Zoek doesn't start, RogueKillerCMD too. RogueKiller found up to 7 PUP. Several other scans crash and BSOD when I scan.

You think that is really normal. By the time we are talking my machine is going to trash already since I do not have someone who know these tools and could give me a hand. Thank you anyway.

 

[TwinHeadedEagle]

I usually don't like providing help to people who start messing with their system and things they don't know why they are there and what they serve for. I always check the logs for signs of malware, nobody has ever been denied to get their logs checked.

Why I do like that. Because such people probably messed their system beyond repair and it is only a waste of time. Especially if they start googling about some file or process and try to delete system file or folder.

You can open your topic here for further help:

Off Topic

 

[Silas Charleaux]

Why? I really not trying to start an off-topic conversation. I'm just trying to get rid of an infection. I already asked for your help twice and you twice rejected under personal reasons I state and completely understand. There is no need for further asinine behaviour from both of us. Thanks a lot.