dllhost.exe*32 infection



I have essentially the same problem as woodrs; multiple instances of dllhost.exe*32 popping up. I can kill them using the end process tree in task manager (normally on the smallest file size) but they keep returning. Had Microsoft Security Essentials running when this started. It detected Gamarue and Peacc.Gen!A and quarantined them - I removed them. Downloaded and scanned with Avast, it detected some items and quarantined them, also removed. Both programs now show a clean scan, but as soon as I connect the ethernet cable, the dllhost problem kicks in. I removed IE11, then IE9 and then disabled whatever version came next. Using Chrome now. Downloaded Malwarebytes trial and quarantined a few also but did not fix the dllhost problem - continue to get the MalwareBytes "malicious website blocked" popups for several sites, including FFF5ee.

 

Have downloaded and run FRST and attached log files as requested. Would appreciate any assistance anyone can provide.

Thanks,

Jim

FRST.txt

Addition.txt


Hello Japple55, welcome to Malwarebytes' Malware Removal forum!

My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.

General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================

Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
  • Please do not post logs using the CODEQUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click the follow button at the top of the page.

======================================================
 
Unfortunately, your computer is badly infected, and I must ensure you are aware of the following. Please read the warning below, let me know what you think and how you wish to proceed. 
 

BACKDOOR WARNING
 
------------------------------

One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, Email, eBay, Paypal, online forums, etc).

Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following article for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee the trustworthiness of your computer unless you reformat your Hard Drive and reinstall your Operating System. This is due to the nature of the infection, which allows the attacker remote control over the machine. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat/reinstall. Please read the following articles for more information.

You now have the choice between cleaning the infection(s) present or reformatting your computer. Ultimately, this decision is personal, and down to you and what you're most comfortable with. Please let me know how you wish to proceed, and if you have any questions.

Hello Adam, and thanks for responding. Yes, call me Jim. 

I have seen this response on other posts, and am curious as to how you came to that determination so quickly. I'm not saying you're incorrect, just that I would like to know a little more about how you arrived at the conclusion. Did you observe something specific in the logs that you can identify? Obviously, a reformat/reinstall is a major endeavor and not one I'm excited about, unless absolutely necessary.

Thanks,

Jim


Hello Jim, 
 
The logs indicate your computer is infected with a variant of Poweliks.

HKU\S-1-5-21-1751872998-1348909512-1134818193-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!

 
Poweliks is designed to be a downloader (it downloads other malware) and open a backdoor on the compromised machine. The nature of a backdoor is explained in my warning above.
 

Obviously, a reformat/reinstall is a major endeavor and not one I'm excited about, unless absolutely necessary. 

Your logs indicate your computer has a recovery partition. Using this will restore your computer to a factory image, and is an alternative to a reformat/reinstall that will yield the same result. 
 
It's up to you, and what you're most comfortable with. I can only give you the facts - and those being, your computer has been compromised by malware that allows a remote attacker to make desired modifications, and steal passwords and other sensitive information. I'm not suggesting this has happened, but the possibility is there. Hence why a backdoor warning is issued, and why the choice between cleaning/reformatting is given.


Ok Adam, thank you for the information. I guess I need some time to digest this (with the affected computer offline, of course). I'm just not sure how this machine got infected, so I'm not sure how to prevent it in the future. I have another machine sitting right next to it (same model, OS, etc.) and they both sit behind a Netgear router/firewall. MS Security Essentials didn't catch it and both it, and Avast, are not reporting any infections after multiple scans. MS System File Checker returned nothing. Adwcleaner returned nothing. What would YOU do to try and prevent an infection like this from happening again?

Jim


Jim, 
 

I'm just not sure how this machine got infected

My guess would be all the outdated software on your computer. Outdated Java, Adobe, Apple and Microsoft software are prime targets for malware that exploit vulnerabilities in the software. 
 
You have extremely outdated Java software on your machine. Whilst I can't say for certain, I would imagine the outdated Java is the cause. 
 
On the other hand, you also have multiple Anti-Virus software (MSE and avast!) installed. This hinders their ability, making each programme more susceptible to letting through malware. However, Anti-Virus software is not particularly effective in dealing with Poweliks, and the two programmes installed probably aren't responsible. As I said, my guess would be a Java exploit from a compromised website/ad.
 
Poweliks is unique because the infection does not require an executable file to be present on the HDD in order to remain active. Once the Poweliks dropper is on the system, the file will write the necessary modifications to the Windows Registry, and then delete itself. Poweliks is contained entirely within the registry, making use of PowerShell and zombifying dllhost.exe (a legitimate System File).
 
It's difficult for Anti-Virus companies to acquire, analyse and write signatures for Poweliks because the dropper deletes itself, and no additional files are created. Furthermore, once the payload (the modifications to the registry) has been dropped, Anti-Virus software is ineffective in dealing with the infection. Anti-virus software does not typically monitor the registry, so an infection that resides entirely within the registry will evade detection.
 

MS System File Checker returned nothing.

SFC is designed to repair System Files. It cannot detect or remove malware.
 

Adwcleaner returned nothing.

AdwCleaner is designed to detect and remove adware and Potentially Unwanted Programmes (PUPs). It does not deal with malware. 
 

What would YOU do to try and prevent an infection like this from happening again?

As part of each malware removal process, I provide information and useful programmes on how to reduce the risk of infection. 
 
I can do so now if you wish, but think it would make more sense if we deal with the infection at hand first (clean or reformat/restore), and discuss how to reduce the risk of infection afterwards. 
 
Please let me know what you think, and how you wish to proceed.
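A detection-side illustration of the registry entry Adam quotes above (added here; it is not code from this thread, from Malwarebytes or from FRST): it scans constructed FRST-style lines for CLSID LocalServer32 values that launch rundll32.exe with a javascript: URL, and undoes the one-character shift visible in the quoted fragment ("epdvnfou/xsjuf" is "document.write" with every character moved up by one). The function names, the benign second sample line and its placeholder CLSID are my own assumptions.

```python
import re

# Constructed sample lines in the style of the FRST entry quoted in the thread.
# Line 1 reproduces the fragment shown above; line 2 is a made-up benign COM server.
SAMPLE_LINES = [
    r'HKU\S-1-5-21-1751872998-1348909512-1134818193-1000\...A8F59079A8D5}\localserver32: '
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r'HKLM\...\{PLACEHOLDER-CLSID}\localserver32: C:\Program Files\ExampleVendor\example.exe',
]

# Captures the quoted argument handed to eval(...) (FRST truncates the value, so no closing quote).
EVAL_RE = re.compile(r'eval\("([^"]*)')


def shift_decode(text: str, shift: int = 1) -> str:
    """Undo the per-character shift used in the quoted fragment
    ('epdvnfou/xsjuf' -> 'document.write')."""
    return "".join(chr(ord(c) - shift) for c in text)


def is_suspicious_localserver32(key: str, value: str) -> bool:
    """A LocalServer32 value normally points at an executable on disk. One that
    starts rundll32.exe with a javascript: URL (or the mshtml RunHTMLApplication
    export) is the registry-resident loader pattern described in the thread."""
    if not key.lower().endswith("localserver32"):
        return False
    v = value.lower()
    return "rundll32" in v and ("javascript:" in v or "runhtmlapplication" in v)


def scan_lines(lines):
    """Return (registry key, decoded script prefix) for each suspicious entry."""
    findings = []
    for line in lines:
        key, sep, value = line.partition(": ")
        if not sep or not is_suspicious_localserver32(key, value):
            continue
        m = EVAL_RE.search(value)
        decoded = shift_decode(m.group(1)) if m else ""
        findings.append((key, decoded))
    return findings


if __name__ == "__main__":
    for key, decoded in scan_lines(SAMPLE_LINES):
        print(f"suspicious: {key}\n  decoded prefix: {decoded!r}")
```

On a live system the same check would be run over every `HKCU`/`HKLM` `CLSID\...\LocalServer32` value (for example from a PowerShell `Get-ChildItem` over the CLSID hive), not over text lines.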


Thanks for letting me know, Jim. 
 
--------------
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoPrevent), preventing your files from being encrypted.
  • Emsisoft Antimalware (free) acts as an additional on-demand scanner, and can be used in conjunction with your Anti-Virus.
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Unchecky automatically removes checkmarks for bundled software in programme installers, helping you avoid adware and PUPs.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

Please let me know if there's anything else I can help you with. 
 
Adam


Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.