Jump to content

dllhost.exe problem, possible powelik. Request assistance


cdhar
 Share

Recommended Posts

Hi,

 

This is Henry. 

 

Wife's PC started having problems on 10/21.  Vipre AV detected Trojan.Win32.Generic!BT a few times and quarantined. 

 

On 10/22 I looked into that and found removal instructions on Malwaretips.com, so followed those, running: TDSSKiller, Rkill, Malwarebytes, Hitman, Emsisoft, ADWcleaner, and JRT as the blog entry instructed (in Safe mode with Networking to get updates).  After everything seemed to get cleaned up, rebooted in normal mode, and Malwarebytes started blocking dllhost attempting to contact fff5ee.com and various IPs.  Apparently one got through undetected by Malwarebytes and Vipre blocked it.

 

Cleaned up again this morning with Malwarebytes scan, then ran FRST.  Transferred logs to this comp (mine - I've got USB Vaccination on) and have attached them below.  I did a quick look through these logs and Addition.txt does mention a possible powelik rootkit.  Sigh.

 

Thanks in advance for any help.

 

- Henry

FRST.txt

Addition.txt

Link to post
Share on other sites

Welcome to the forum.

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Please upload this file to VirusTotal for a free scan.

Let me know the results...just copy back the URL.

C:\ae8951d\ae8951d.exe

MrC

 

https://www.virustotal.com/en/file/13b372bda8db5a659362063805e1b27d1f3ca87cbc463a0e9e39f3acf253104b/analysis/

 

Note that I copied the file to a thumb drive and scanned it from my PC because the other PC is still sitting in Safe Mode without networking.  When I copied it, I got a message that the file had attributes which could not be copied.

Link to post
Share on other sites

OK...how is it???

If there's no other problems......

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
Link to post
Share on other sites

 Results of screen317's Security Check version 0.99.89  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
ThreatTrack Security VIPRE   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 67  
 Java 6 Update 37  
 Adobe Flash Player 15.0.0.189  
 Adobe Reader 10.1.12 Adobe Reader out of Date!  
 Mozilla Firefox (Firefox,. Firefox out of Date!  
 Google Chrome 37.0.2062.124  
 Google Chrome 38.0.2125.104  
 Google Chrome DECRYPT_INSTRUCTION.HTML..  
 Google Chrome DECRYPT_INSTRUCTION.TXT..  
 Google Chrome INSTALL_TOR.URL..  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
 

Link to post
Share on other sites

Out dated programs on the system are vulnerable to malware.
Please update or uninstall them:


================================

Please uninstall both of these if possible:
Java 7 Update 67
Java™ 6 Update 37


Then......Download and install the latest version (Java™ 8 Update 25) from Here. Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

===============================

Adobe Reader 10.1.12 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

==============================


Mozilla Firefox (Firefox,. Firefox out of Date! <----please check for an update if available.

=============================

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter. (it may look like CF is re-installing but it's not)
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

bwebb7v.jpgDownload Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

I'm all set now. Thank you very much.

 

Also, an FYI for anyone who reads this...

 

The Java version 8 installers, both 32 and 64 bit, detect old versions and offer to uninstall them.  Do not believe them.  I double checked via CCleaner and found the old Java 7 still present and I had to uninstall it with CCleaner.  The installer did remove the older Java version 6.

 

 

Thanks again MrCharlie

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.