Help/Guidelines for removing Dllhost.exe virus

Hello,

I have read where many fellow travelers have picked up the dreaded Dllhost.exe self-replicating virus; I have acquired it as well.

There are many different posts / recommendations for resolving this.

Can someone please provide the step by step instructions for an inexperienced user running Windows 7 64-bit?

Neither Malwarebytes nor MS Security Essentials is capable of recognizing, finding, or quarantining this hidden virus.

I have read where ComboFix should only be used with the guidance of experienced tech advisors, so I am reluctant to further complicate my situation.

Thank you in advance for your assistance.

Turtlecreek


My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat :)

Before we start please note the following:

  • Analysis and research take some time, and sometimes real life gets in the way, so please be patient.
  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Paste the logs in your posts; attachments make my work harder and more complicated.
  • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight! :)

Rules and policies

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in your topic being closed and any assistance being withdrawn.

Post me the full MBAM report please. And do not run ComboFix unless requested.

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

There will be two versions to download: 32-bit and 64-bit. Please download the one that is designed for your system. If you don't know which one it should be, download both of them and try each. Only one will run - this is the right one. Please keep it and delete the other.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click Run after receipt of Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • When the tool opens click Yes to the disclaimer.
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


Hi Naathim,

Thanks for your offer to help!

I tried to download the Farbar Recovery Scan Tool.

I got a pop-up saying my current security settings do not allow this file to be downloaded.

Can you advise what setting I need to change to allow this download? I already changed permissions to Medium.

Do I need to disable it?

Thank you,


Hi Naathim,

Thanks for your suggestion above; I was able to successfully run Farbar.

I am having difficulty copying and pasting the (2) results here.

The files are 36 pages long when saved in a Word document.

Is there some other format I can use for posting here?

Really sorry about trying your patience with these routine matters.

Thanks

Turtlecreek


Yup, Poweliks here too.

Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install the Recovery Console.
  • Do not take any actions while ComboFix goes through your system - it may cause it to stall!
  • This scan may take some time!
  • When finished, it will display a logfile (also located on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Don't forget to re-enable your previously switched-off protection software!

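A defender-side triage check for the Dllhost.exe symptom discussed in this thread, added here as an example; it is not part of the original thread and not code from any tool named in it. It assumes PowerShell 3 or later on Windows 7/8 run from an elevated prompt, and it only lists and reports, removing nothing.

```powershell
# Added example (not from this thread): list every running dllhost.exe and flag
# instances that do not look like the legitimate COM Surrogate.
# Assumptions: PowerShell 3+ (Get-CimInstance), run as Administrator so that
# all processes and their command lines are visible.

$expectedPaths = @(
    "$env:SystemRoot\System32\dllhost.exe",
    "$env:SystemRoot\SysWOW64\dllhost.exe"
)

$procs = Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'"
if (-not $procs) { Write-Host "No dllhost.exe processes running."; return }

foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $flags  = @()

    # The genuine COM Surrogate runs from System32/SysWOW64 ...
    if ($expectedPaths -notcontains $p.ExecutablePath) { $flags += "unexpected image path" }

    # ... is started by svchost.exe with a /Processid:{GUID} argument ...
    if ($p.CommandLine -notmatch '/Processid:\{[0-9A-Fa-f-]+\}') { $flags += "no /Processid argument" }
    if ($parent -and $parent.Name -ne 'svchost.exe') { $flags += "parent is $($parent.Name)" }

    # ... and its on-disk image carries a valid Authenticode signature.
    if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature $p.ExecutablePath
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '(exited)' }
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Flags       = if ($flags) { $flags -join '; ' } else { 'looks normal' }
    }
}

# Several dllhost.exe processes with no /Processid argument or an unusual parent
# are worth posting alongside the FRST logs for the helper to review, not acting on.
```

A valid signature only vouches for the file on disk, not for code injected into a running process, so the parent and command-line columns carry more weight than the signature column for this kind of infection.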

Naathim,

I followed your instructions and downloaded ComboFix.

Attached are the ComboFix text logs.

You have been incredible!

I greatly appreciate your excellent assistance and patience.

After you have reviewed the log report, would you please advise if I should remove the downloaded programs that we used to eliminate this beast?

Thanks,

Turtlecreek

ComboFix.txt


We are not done here; there are some more things to be verified.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click Run after receipt of Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


Poweliks is gone; now any remnants...

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select Update.
  • Once updated, click the Settings tab, in the left panel choose Detections & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit the ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the add-on to run.

If using Mozilla Firefox or Google Chrome:

  • Download esetsmartinstaller_enu.exe from the link you'll be given.
  • Double-click esetsmartinstaller_enu.exe.
  • Accept the Terms of Use and click Start.

To perform the scan:

  • Make sure that Enable detection of potentially unwanted applications is checked.
  • In the Advanced Settings dropdown menu:
    • Make sure that Remove found threats is unchecked.
    • Scan archives is checked.
    • Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
    • Use custom proxy settings is unchecked.
  • Click Start.
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.
Don't forget to re-enable previously switched-off protection software!

Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

  • Right-click on the Security Check icon and select Run as Administrator to start the tool.
  • Follow the onscreen instructions inside the black box. This scan won't take long.
  • Soon a Notepad document called checkup.txt will open automatically.

Please include the content of that document.


Naathim,

Attached is the latest Malwarebytes Scan Log report.

I will run the other programs, ESET Online Scanner & Security Check, later this evening and send the text reports when they are complete.

It is getting late in Europe so we will probably talk tomorrow.

Thanks for being so helpful,

Turtlecreek

Malwarebytes log.txt


Hi Naathim,

Morning or good day to you.

I was NOT able to run ESET Online Scanner. I went to the download link (I had my Anti-Virus disabled in advance), accepted the Terms, hit Download Now, and an error message popped up in a new window:

' An Add On for Website Failed to Run '

I exited and tried again, and the same message appeared. Do you have any suggestions?

Attached below are the logs from Security Check and the log from Malwarebytes; I re-ran it with Rootkits enabled, as you instructed.

I'll wait to hear from you about a possible workaround for the ESET Scanner.

Thanks for all your help,

Turtlecreek

checkup.txt

Malwarebytes log report.txt


OK, we will use another scanner.

Scan with HitmanPro

In any case don't remove on your own anything that HitmanPro detects!
This scanner, while it is really good for checking, has been known for deleting files instead of curing them, which in some cases may render the machine unbootable. Any removals will be done manually after careful analysis of the scan results!

Please download HitmanPro by SurfRight and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the HitmanPro icon and select Run as Administrator to start the tool.
  • If the program won't run, please run it while holding down the left CTRL key until it's loaded!
  • Click on the Next button. You must agree with the terms of the EULA (if asked).
  • Check the box beside No, I only want to perform a one-time scan to check this computer.
  • Click on the Next button.
  • The program will start to scan the computer. It should only take several minutes.
  • When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore.
    • If there isn't a dropdown menu when the scan is done, then please don't delete anything and close HitmanPro!
      Navigate to C:\ProgramData\HitmanPro\Logs, open the report and include it in your next reply.
  • Click on the Next button.
  • Click on the Save Log button.
  • Save that file to your desktop.

Please include that logfile in your next reply.
Don't forget to re-enable your previously switched-off protection software!


I'm glad to hear that.

(wow, big powerful program, super fast)

Just please bear in mind what I told you before:

In any case don't remove on your own anything that HitmanPro detects!

This scanner, while it is really good for checking, has been known for deleting files instead of curing them, which in some cases may render the machine unbootable. Any removals will be done manually after careful analysis of the scan results!

Now back to our duty...

Update outdated software

Staying always updated is crucial, not only for your operating system, but also for any third-party installed software.

Your logs clearly indicate that some of your software needs updating.

Updating Java manually

  • Click the Start button.
  • Click Control Panel.
  • Double-click Java - it looks like a coffee cup. You may have to switch to Classic View to see it.
  • Click the Update tab.
  • Click Update Now.
  • Allow any updates to be downloaded and installed.
  • If prompted (during the installation) to also install the ASK toolbar, leave this unchecked - Ask does not have a good reputation.
  • From Control Panel also please remove any older versions of Java - do not leave them installed!
Remember to keep it always updated.

Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

  • Right-click on the DelFix icon and select Run as Administrator to start the tool.
  • Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
  • Push Run.
  • When finished, it will display a Notepad report.
Include it for my review.

Please also manually reboot your machine after posting your logfile.


Hi Naathim,

I saw that Java notice from one of the scans as well: Java out of date, update now. This is weird because this is about the time that this entire business with the dllhost virus started; I was recently prompted to update Java (within the past week).

I proceeded to update and all went well, and per the Java / Oracle launch page I followed prompts to remove previously installed copies.

So when I saw the log report indicating Java needs to be updated I was puzzled.

I have just tried to update Java per your instructions; when I hit update it indicates that I have the latest version installed.

I also went to Windows Control Panel Add/Delete program files and there is ONLY (1) Java program installed. Platform version 1.7, Product 1.7.0_71.

So I am not sure why the various scans we have performed are indicating that this needs updating.

I'll wait to hear from you before running the DelFix program by Xplode.

Thanks,

Turtlecreek


I'd like you to post the DelFix report please :)

Below you will find my thoughts about securing your machine. Go ahead through it; you will benefit from some useful advice about safe computing.

Recommended reading:

MUST READ - security tips: Computer Security - a short guide to staying safer online.
MUST READ - general maintenance: What to do if your Computer is running slowly?

Recommended additional software:

TFC - to clean unneeded temporary files.
Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
Malwarebytes' Anti-Exploit - to prevent exploitation of many commonly exploited vulnerabilities.
McShield - to prevent infections spread by removable media.
CryptoPrevent - to secure yourself from the very severe CryptoLocker infection.
Unchecky - to prevent installing additional foistware bundled with legitimate installers.

My help is always free, but if you are happy with the help provided and wish to help my fight against malware, please consider making a donation.
All donations are to refund a new HDD to replace the old one, which recently passed away!

Now if you have any other questions, feel free to ask me. Otherwise simply acknowledge my recommendations and this topic will be closed.

Stay safe,
Naat :)


Hi Naat,

I just had a look at my downloaded files.

The HitmanPro executable program is still there (10,993 KB).

Is there a way to cleanly remove/uninstall this program?

You advised earlier this is both a powerful & dangerous program in inexperienced hands; probably a good idea to remove it?

Please advise.

Thanks


HitmanPro is only an on-demand scanner, so unless you instruct it to, it won't do anything. It's totally up to you whether you leave it or remove it. Just remember to ask an expert prior to any removal in case you'd like to keep it :)

Delete the executable if you wish.
