
Malicious Website Blocked - dllhost.exe



Good Afternoon,

Seems I have what a lot of other folks have - c:\windows\sysWOW64\dllhost.exe going to various websites and popping up Malwarebytes blocking it every few seconds or so.

 

I do have Norton on the computer, which has picked up nothing.

 

I downloaded Farbar already and should have the needed attached files as requested in the "Pinned" message at the top of the Forum. I'll follow the topic and keep from doing anything on the computer until we can get it resolved.

 

If it helps, I do not use any "peer to peer" software - however - I have recently begun looking into some "work from home" opportunities and may have pulled something in via that route(?).

 

Thanks in advance.

Eric

 

Addition.txt

FRST.txt


Hello Eric and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Step 1
  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Threat Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • fixlog log

fixlist.txt


Hello Borislav,

Thank you for your help. Here are the files you requested. I am noticing that I am no longer receiving those blocked-site messages since following your Step 2. I will wait to hear if you say I am all clear. Thanks again!

 

Malwarebytes' Anti-Malware log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/29/2014
Scan Time: 8:52:45 PM
Logfile: mbam-log-2014-10-29.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.30.01
Rootkit Database: v2014.10.22.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Eric

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 336530
Time Elapsed: 11 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

Fixlog log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-10-2014
Ran by Eric at 2014-10-29 21:27:58 Run:1
Running from C:\Users\Eric\Desktop
Loaded Profile: Eric (Available profiles: Eric)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
CustomCLSID: HKU\S-1-5-21-2977940842-803183795-4277161081-1004_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {285BEE03-D8BC-4ACD-8F9F-F80B2C737FC5} - System32\Tasks\{D402A543-8EFB-0E97-1E76-51A6CAB68ED3} => C:\Users\Eric\AppData\Roaming\ctakwua.dll [2014-10-20] () <==== ATTENTION
Task: {55C6ED93-3852-4400-8908-B9765C9BB973} - \BackgroundContainer Startup Task No Task File <==== ATTENTION
SearchScopes: HKLM-x32 - DefaultScope {A5062A14-C06D-49BA-B7A0-1B57F61FF09C} URL =
SearchScopes: HKLM-x32 - {94bd6970-1a83-41dc-9be5-bf50b3d0238f} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^AZ0^xdm003^YYA^us&si=CMzB6bDo3rgCFcee4AodfT8AYQ&ptb=71CC9CC7-C49C-4794-95A5-365F9A61B69D&ind=2013080209&n=77fd2a91&psa=&st=sb&searchfor={searchTerms}
2014-10-20 16:57 - 2014-10-20 16:57 - 00000000 _____ () C:\Users\Eric\AppData\Roaming\wjiyf.dll
2014-10-20 13:55 - 2014-10-20 13:55 - 00038912 _____ () C:\Users\Eric\AppData\Roaming\ctakwua.dll
2014-10-20 13:55 - 2014-10-20 13:55 - 00004048 _____ () C:\Windows\System32\Tasks\{D402A543-8EFB-0E97-1E76-51A6CAB68ED3}
End
*****************

"HKU\S-1-5-21-2977940842-803183795-4277161081-1004_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key Deleted Successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{285BEE03-D8BC-4ACD-8F9F-F80B2C737FC5}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{285BEE03-D8BC-4ACD-8F9F-F80B2C737FC5}" => Key deleted successfully.
C:\Windows\System32\Tasks\{D402A543-8EFB-0E97-1E76-51A6CAB68ED3} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{D402A543-8EFB-0E97-1E76-51A6CAB68ED3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{55C6ED93-3852-4400-8908-B9765C9BB973}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{55C6ED93-3852-4400-8908-B9765C9BB973}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BackgroundContainer Startup Task" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{94bd6970-1a83-41dc-9be5-bf50b3d0238f}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{94bd6970-1a83-41dc-9be5-bf50b3d0238f}" => Key not found.
Could not move "C:\Users\Eric\AppData\Roaming\wjiyf.dll" => Scheduled to move on reboot.
C:\Users\Eric\AppData\Roaming\ctakwua.dll => Moved successfully.
"C:\Windows\System32\Tasks\{D402A543-8EFB-0E97-1E76-51A6CAB68ED3}" => File/Directory not found.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-10-29 21:30:51)<=

C:\Users\Eric\AppData\Roaming\wjiyf.dll => Is moved successfully.

==== End of Fixlog ====

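The fixlist above shows the persistence FRST flagged: a hijacked CLSID whose LocalServer32 value runs rundll32.exe with a javascript: URL (the pattern FRST marks "Poweliks?"), a scheduled task whose action is a random-named DLL under AppData\Roaming, and a search-scope hijack. As an added example that is not part of this thread nor of FRST or Malwarebytes, the following Python triages FRST-format lines for the first two patterns and decodes the shift-by-one obfuscation of the eval() argument so the finding is readable; the sample lines are the thread's own two entries plus one constructed benign task (hypothetical vendor).

```python
"""Added example: triage FRST-format log lines for Poweliks-style persistence.

Not FRST's or Malwarebytes' code. Two checks a responder would want:
  * a CLSID LocalServer32 value that launches rundll32.exe with a javascript:
    URL (registry-resident, fileless persistence, as in the fixlist above);
  * a scheduled task whose action is a file under a user's AppData\\Roaming.
The eval() argument in the CLSID entry is shifted by +1 per character; it is
decoded here only so the triage output is readable.
"""
import re
from typing import Dict, List

# Constructed sample: the two flagged lines from the thread's fixlist plus one
# benign task line (hypothetical vendor) for contrast.
SAMPLE_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-2977940842-803183795-4277161081-1004_Classes\CLSID'
    r'\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe '
    r'javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r'Task: {285BEE03-D8BC-4ACD-8F9F-F80B2C737FC5} - System32\Tasks\{D402A543-8EFB-0E97-1E76-51A6CAB68ED3}'
    r' => C:\Users\Eric\AppData\Roaming\ctakwua.dll [2014-10-20] ()',
    r'Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\ExampleUpdater'
    r' => C:\Program Files (x86)\ExampleVendor\updater.exe [2014-01-01] (ExampleVendor)',
]

RUNDLL_JS = re.compile(r'localserver32\s*->\s*rundll32(?:\.exe)?\s+javascript:', re.I)
TASK_ACTION = re.compile(r'^Task:\s*\{[^}]+\}\s*-\s*.*?=>\s*(?P<path>[A-Za-z]:\\[^\[]*)', re.I)
EVAL_ARG = re.compile(r'eval\("([^"]*)')


def unshift(text: str, shift: int = 1) -> str:
    """Undo a per-character code-point shift ('epdvnfou' -> 'document')."""
    return ''.join(chr(ord(c) - shift) for c in text)


def analyse_line(line: str) -> Dict[str, str]:
    """Return a finding dict for a suspicious line, or {} for a benign one."""
    if RUNDLL_JS.search(line):
        finding = {'type': 'clsid_rundll32_javascript', 'line': line}
        m = EVAL_ARG.search(line)
        if m:
            finding['decoded'] = unshift(m.group(1))
        return finding
    m = TASK_ACTION.match(line)
    if m:
        path = m.group('path').strip()
        if re.search(r'\\AppData\\Roaming\\', path, re.I):
            return {'type': 'task_in_appdata_roaming', 'path': path}
    return {}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run analyse_line over every line and keep only the findings."""
    return [f for f in map(analyse_line, lines) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Run against a full Addition.txt/FRST.txt, the same two checks surface the CLSID and task lines without relying on the specific GUIDs or file names, which change per infection.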

Good! :)

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Looks like my previous reply didn't post(?). Here is the LOG.TXT

I noticed there are registry keys locked. I wonder if that is why I am unable to update/play Age of Empires 3 on this computer over the past couple of weeks as well? It references an error about needing an MSXML, but when I try to load it, I am told I do not have permission to the registry keys. Odd.

 

In any case, LOG is below:

 

*** EDIT - After 2 attempts, it appears as though I cannot cut and paste the log.txt into my reply. I am assuming it is because it is so large(?), so I am attaching it below. I hope this is OK.

log.txt


I don't know what exactly is the problem with your game.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

 

Folder::
c:\users\Eric\AppData\Roaming\Registry Help Free
c:\users\Eric\AppData\Local\Registry Help Free
c:\program files (x86)\MyImageConverter_8j
FireFox::
FF - ProfilePath - c:\users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\m1c71txz.default\
FF - ExtSQL: !HIDDEN! 2013-08-02 08:59; 8jffxtbr@MyImageConverter_8j.com; c:\program files (x86)\MyImageConverter_8j\bar\1.bin
JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe.

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2 months later...

Root Admin:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
