Not sure about infection: Poweliks or conhost miner

Silas Charleaux

Level 1
Thread author
Verified
Apr 24, 2014
20
Not sure if infected by Poweliks, COM Surrogate or conhost miner.

I have disk encryption (BitLocker). I have Kaspersky TS 2017 running, still no detection and no flags or warnings.

Also thinking about giving up on it. How does the antivirus not warn about or notice this ridiculous activity that anyone with Ctrl+Alt+Del can spot?

Also, checking Process Explorer makes it even more evident. Several different processes injecting one single instance into svchost, conhost and cmd and targeting Chrome with scripts. If I take ownership, inherit and delete, it is just swapped by other processes behaving in exactly the same fashion, doing exactly the same thing. Note, I did not delete conhost, svchost or cmd, I know they are indispensable. But the injections only increase in response until I finish a critical process, which prompts a restart. It is tiresome.

It is very subtle, because it is mostly 1 or 2 processes (system32, system32\wbem or syswow64\wbem). The injection does not multiply; it only gets swapped when finished. I notice when it starts, because my fan tells me. It affects me whether I'm gaming, idle or running several tabs in Chrome, which already hogs a lot of memory.

Anyway, FRST logs are uploaded, I kindly appreciate any help in advance. Also I apologize if there is no infection. It is just weird to see Windows being so persistent in hogging my memory and launching instances of applications while I'm idle.
 

Attachments

  • Addition.txt (23.7 KB)
  • FRST.txt (20 KB)

Silas Charleaux
Is it normal to have svchost.exe being injected by dllhost.exe, unsecapp.exe, rundll32, WmiPrvSE, while other instances of svchost (there are multiple in any Windows installation) are randomly injected by dwm.exe, ctfmon.exe if any of the prior get process-tree terminated or suspended? If I successfully end all process trees by being persistent, svchost behaves normally, no injections, until I open Chrome or disconnect/connect to the web.

I know these are all Windows apps, but so is PowerShell.

Just so you get an idea:
Poweliks and conhost miner? Both?

Whenever I close the former, the latter gets into action and restores the former to its original state. Also I've read about Poweliks:
Trojan.Poweliks Removal - Removing Help | Symantec

Exactly as described in the page above, I had the LocalServer registry keys placed, as well as PowerShell installed (I never installed it) in System32, which took me several permission and inheritance overrides, including learning to use PowerShell scripts to remove its installation, since permission there was absolutely impossible to retrieve manually and the software was not listed in Windows Updates for removal.

I don't want to bother you, I just can't fathom that this could be Windows' normal behaviour.
 
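As an added check (example code written for this page, not part of the thread and not taken from the Symantec page linked above): a PowerShell script that enumerates the COM LocalServer32 registrations the post refers to and flags any whose command line invokes a script host or interpreter instead of pointing at a plain executable. The hive list and the keyword list are this example's own assumptions; a hit is a lead to inspect by hand, not proof of infection.

```powershell
# Added example (not from the thread): list COM LocalServer32 registrations whose
# command line runs a script host or interpreter. A legitimate LocalServer32 value
# normally points at an .exe path; one that invokes rundll32/powershell/mshta with
# an inline script is the pattern worth inspecting. Run in an elevated PowerShell.

# Keywords to flag (this example's assumption, extend as needed).
$suspicious = 'rundll32', 'powershell', 'mshta', 'wscript', 'cscript',
              'javascript:', 'vbscript:', 'cmd.exe'

# Hives where COM classes are registered (per-user first, since that needs no admin rights to write).
$hives = @(
    'HKCU:\Software\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
)

$findings = foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $ls = Join-Path $_.PSPath 'LocalServer32'
        if (Test-Path $ls) {
            # The command line lives in the key's default value.
            $cmd = (Get-ItemProperty -Path $ls -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) {
                $hit = $suspicious | Where-Object { $cmd -match [regex]::Escape($_) }
                if ($hit) {
                    [pscustomobject]@{
                        Hive    = $hive
                        CLSID   = $_.PSChildName
                        Command = $cmd
                        Matched = ($hit -join ',')
                    }
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No LocalServer32 value matched the keyword list.' }
```

HKLM\SOFTWARE\Classes\CLSID holds thousands of keys, so the scan takes a little while. Review each hit before touching it: note the CLSID, what it resolves to and whether the referenced file is signed, and export the key before any removal so the state is preserved for whoever looks at the logs.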

Silas Charleaux
Can you, or if you prefer, give me directions or a follow-up tutorial on tools to run to obtain a second opinion? I'm truly confident in your skills, being who you are. I mean, the usual tools you would use to do a more detailed scan and removal of possible malware. I really don't think Kaspersky is able to handle this one.
 

Silas Charleaux
Maybe I'm not having bigger symptoms because I'm using several Chrome extensions to block adware, as well as Kaspersky's adblocker software.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Yes, svchost, as its name says, is the service host, which runs multiple services at once. You can have a lot of them.
 
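To turn "you can have a lot of them" into something checkable, here is an added PowerShell example (written for this page, not posted in the thread) that maps each running svchost.exe to its parent process, its -k service group and the services it actually hosts, and flags instances that do not fit the expected shape. The three checks (path under System32, parent is services.exe, hosts at least one service) are this example's own assumptions about what a legitimate instance looks like.

```powershell
# Added example (not from the thread): one row per svchost.exe instance with the
# services it hosts and simple sanity checks. Run in an elevated PowerShell so
# ExecutablePath is readable for processes running as SYSTEM.

$services  = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }
$processes = Get-CimInstance Win32_Process

# Index processes by PID so parent lookups are cheap.
$byPid = @{}
foreach ($p in $processes) { $byPid[$p.ProcessId] = $p }

$sysPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

$report = foreach ($svc in ($processes | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent = $byPid[$svc.ParentProcessId]
    $hosted = ($services | Where-Object { $_.ProcessId -eq $svc.ProcessId }).Name
    $flags  = @()

    # Check 1: the image should be the one under System32 (assumption for this example).
    if ($svc.ExecutablePath -and ($svc.ExecutablePath -ine $sysPath)) { $flags += 'unexpected path' }
    # Check 2: the Service Control Manager (services.exe) is the expected parent.
    if (-not $parent -or $parent.Name -ine 'services.exe') { $flags += 'parent not services.exe' }
    # Check 3: a service host that hosts nothing is worth a second look.
    if (-not $hosted) { $flags += 'hosts no service' }

    # The -k argument names the service group this instance was started for.
    $group = ''
    if ($svc.CommandLine -and ($svc.CommandLine -match '-k\s+(\S+)')) { $group = $Matches[1] }

    [pscustomobject]@{
        PID      = $svc.ProcessId
        Parent   = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a (exited)' }
        Group    = $group
        Services = ($hosted -join ', ')
        Flags    = ($flags -join '; ')
    }
}

$report | Sort-Object PID | Format-Table -AutoSize -Wrap
```

Expect a long list: since Windows 10 version 1703, on machines with more than 3.5 GB of RAM most services get their own svchost.exe instance instead of sharing one, so dozens of rows with an empty Flags column is the normal picture. `tasklist /svc` prints the same PID-to-service mapping without the checks, which is handy when PowerShell itself is in doubt.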

Silas Charleaux
Yes, svchost, as its name says, is the service host, which runs multiple services at once. You can have a lot of them.

Look, I really don't understand your lack of willingness to run the usual tools with me. But I understand that as a personal choice you can just choose not to do it. It is voluntary work. But if I can't count on your help, where else should I go?

I have all the weird and protected registry keys related to the infections I mentioned. I have all the 5-1-21 administrator account permissions set in several important files and DLLs. I have some BSODs happening whenever I try to run aswMBR. Zoek doesn't start, nor does RogueKillerCMD. RogueKiller found up to 7 PUPs. Several other scans crash and BSOD when I scan.

You think that is really normal? By the time we are talking my machine is going to the trash already, since I do not have someone who knows these tools and could give me a hand. Thank you anyway.
 

TwinHeadedEagle
I usually don't like providing help to people who start messing with their system and with things they don't know why they are there and what they are for. I always check the logs for signs of malware; nobody has ever been denied getting their logs checked.

Why do I do that? Because such people have probably messed up their system beyond repair and it is only a waste of time. Especially if they start googling about some file or process and try to delete a system file or folder.

You can open your topic here for further help:

Off Topic
 

Silas Charleaux
Why? I'm really not trying to start an off-topic conversation. I'm just trying to get rid of an infection. I already asked for your help twice and you twice rejected it for personal reasons you stated and I completely understand. There is no need for further asinine behaviour from both of us. Thanks a lot.
 
