
is my laptop infected with something?



Hello, earlier my dllhost.exe was using all my memory. I thought it was suspicious, so I tried to install and run Malwarebytes when my screen went black. I did a manual/forced restart into safe mode with networking. I ran Malwarebytes and it found 3 PUP files, which I removed and restarted like normal. Everything seems to be back to normal, but RAM usage is at 59% running Chrome, when usually it's at about 40-42%.

 

Any insight or help would be great! Thank you :)

also, CPU usage spikes 30-50% when I open Chrome...

dds.txt

attach.txt


Hello Diken and welcome to Malwarebytes forum.

My name is Maurice Naggar. I will be helping you.

Temporarily turn off your ESET antivirus.

1. Download Malwarebytes Anti-Rootkit from http://www.malwarebytes.org/products/mbar/

2. Unzip the contents to a folder in a convenient location.

3. Open the folder where the contents were unzipped and run mbar.exe

IF your Windows is Windows 8 or 7 or Vista, do a RIGHT-Click on mbar.exe and select Run As Administrator and allow to run.

If your Windows is XP, double-click to start.

4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.

6. Wait while the system shuts down and the cleanup process is performed.

7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

After this is completed, turn back on your ESET a-v.


  • Download & SAVE to your Desktop Tigzy's RogueKiller >> from here << or >> from here <<

  • Quit all programs that you may have started.
  • Please disconnect any USB or external storage drives from the computer before you run this scan!
  • For Vista or Windows 7 / 8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    For Windows XP, double-click to start.

  • When prompted to accept the EULA, please do so.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller

here you go!

 

RogueKiller V8.6.2 _x64_ [Jul  2 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com


Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : User [Admin rights]

Mode : Scan -- Date : 07/05/2013 07:01:48

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 1 ¤¤¤

[sUSP PATH] TouchFreeze.exe -- C:\Users\User\AppData\Local\Programs\TouchFreeze\TouchFreeze.exe [-] -> KILLED [TermProc]

 

¤¤¤ Registry Entries : 10 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : TouchFreeze (C:\Users\User\AppData\Local\Programs\TouchFreeze\TouchFreeze.exe [-]) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-1323457348-3409936792-940866104-1000\[...]\Run : TouchFreeze (C:\Users\User\AppData\Local\Programs\TouchFreeze\TouchFreeze.exe [-]) -> FOUND

[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\[...]\RunOnce :  (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes' Anti-Malware (portable)\cleanup.dll",ProcessCleanupScript "C:\ProgramData\Malwarebytes' Anti-Malware (portable)" [x][7][x][-]) -> FOUND

[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: SAMSUNG MZMPC032HBCD-000L1 ATA Device +++++

--- User ---

[MBR] 4d71ca5316c226915ac50db9b6f5998c

[bSP] f3c5b06b7bd6cd1c27831cf76c704721 : Empty MBR Code

Partition table:

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive1: SAMSUNG MZMPC032HBCD-000L1 ATA Device +++++

--- User ---

[MBR] 4d3c1472209f917ef1cd7e48513532f6

[bSP] a8a7eced5ab116142fa4447e91a82583 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[0]_S_07052013_070148.txt >>

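Reading a RogueKiller report like the one above by hand is error-prone. The Python below is an added example, not code from this thread or from RogueKiller: it parses the ¤¤¤ section headers and the tagged entry lines, then explains the two [HJ POL] hits, whose values mean User Account Control was switched off on this machine. The sample report is a constructed, abridged copy of the posted log, and the policy meanings are the documented Windows UAC settings.

```python
import re

# Constructed sample in RogueKiller's report format (abridged from the log posted in this thread).
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] TouchFreeze.exe -- C:\Users\User\AppData\Local\Programs\TouchFreeze\TouchFreeze.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : TouchFreeze (C:\Users\User\AppData\Local\Programs\TouchFreeze\TouchFreeze.exe [-]) -> FOUND
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?)\s*:\s*(?P<count>\d+)?\s*¤¤¤$")
ENTRY_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<body>.+?)\s*->\s*(?P<action>.+)$")
POLICY_RE = re.compile(r"\\System : (?P<name>\w+) \((?P<value>\d+)\)")

# What the [HJ POL] values in the log mean (documented Windows UAC policy semantics).
WEAK_UAC = {
    ("EnableLUA", "0"): "User Account Control is switched off entirely",
    ("ConsentPromptBehaviorAdmin", "0"): "administrators elevate silently, with no consent prompt",
}

def parse_report(text):
    """Return {section name: [entry, ...]}; each entry keeps its bracket tags, body and RogueKiller action."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name").strip()
            sections[current] = []
            continue
        ent = ENTRY_RE.match(line)
        if ent and current is not None:
            tags = re.findall(r"\[([^\]]+)\]", ent.group("tags"))
            sections[current].append({"tags": tags, "body": ent.group("body"), "action": ent.group("action")})
    return sections

def uac_findings(sections):
    """List the [HJ POL] entries that weaken UAC: RogueKiller only reports them, so a human must judge them."""
    found = []
    for entry in sections.get("Registry Entries", []):
        pol = POLICY_RE.search(entry["body"]) if "HJ POL" in entry["tags"] else None
        if pol and (pol.group("name"), pol.group("value")) in WEAK_UAC:
            found.append((pol.group("name"), WEAK_UAC[(pol.group("name"), pol.group("value"))]))
    return found
```

Run `uac_findings(parse_report(open("RKreport[1].txt", encoding="utf-8").read()))` on a saved report to get the same explanation for a real scan.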

I don't know if this has anything to do with it, but I just connected my Walkman MP3 player to the computer and transferred some files (I did the same thing last night) and now the dllhost is going crazy again. CPU usage is at 26-30% and RAM is at 90+%... What the heck is going on? This has never happened before. :(

My laptop is so slow I'm posting from my iPad.


sorry, you weren't replying with anything and I was getting antsy. :(

 

anyway, I noticed the problem seemed to occur after transferring some video files to my Walkman, last night. And then it happened again this morning when I did the same thing. 


# 1, put away the flash-drive (that you mentioned before) and do not use it on anything.

# 2, Yes, have MBAM either Quarantine or remove the hacktool that it tagged. And anything else it tags.

Have plenty of patience and do not be in a hurry, please. We all get busy, and I have been and am helping many others.

# 3, understand that malware cleaning or finding malware takes many tools. None is instantaneous.

# 4

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

To show all files:

  • Press Windows-key +R key on your keyboard to get RUN option.
  • Type in
    explorer.exe
    and press Enter to start Windows Explorer.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.
Step 3

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.

    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.

  • If an infected file is detected, the default action will be Cure, click on Continue.


  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

    Skip and click on Continue

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Step 4

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Diken only. If you are a casual viewer, do NOT try this on your system!

If you are not Diken and have a similar problem, do NOT post here; start your own topic

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan, and how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall-power (AC power) or a UPS system.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.

    When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer; this should resolve the problem. You may have to reboot the PC a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh :excl:

Reply & Copy & Paste contents of the C:\Combofix.txt log

and tell me, how is the system now?

Step 5

  • Please download CKScanner from >>Here<<
  • Important: - Save it to your desktop.
  • Right-click CKScanner.exe & select Run as administrator to start.
  • then click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved. Please Run the program only once.
  • Copy/paste the contents of CKFiles.txt in your next reply.
RE-Enable your antivirus program. :excl:

Then copy/paste the following into your post (in order):

  • the contents of TDSSKILLER log;
  • the contents of C:\Combofix.txt log;
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


Thank you for everything, man! After scouring the Internet all day I figured out the problem - it wasn't any malware, or even anything on MY part, but a faulty Microsoft update. :angry: It was something to do with Update KB2670838 and IE10. All I had to do was uninstall Update KB2670838, and now everything is running like butter. :D

 

there's more on it here:

 

http://answers.microsoft.com/en-us/windows/forum/windows_7-files/why-does-dllhostexe-com-surrogate-consumes-memory/bd7e42bb-802d-4eb9-95b2-2bb6b566996d?page=1&tm=1373072649374

 

if anyone else has this dllhost.exe problem! 

 

thank you so much for your time and effort, Maurice!  :)


If all is ok, then I'll now close this thread.

To clean the tools used:

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Safer practices & malware prevention

Microsoft Safety Scanner

Panda ActiveScan

  • See Six tips to help you stay safer online
  • Never, ever download free games, free tools, videos, multi-media files or anything free unless you can be absolutely sure the source is safe!
  • We are finished here. Best regards.

This topic is now closed to further replies.