dllhost.exe hogging cpu, malicious website blocked popups never-ending


cami46

Hubby was at an NFL site this morning when Avast announced that a threat was detected, but I didn't have time to check it. He left, I went to the store, and when I returned the fan was blowing hard. I shut down all the internet windows, but the CPU was still at 100% with a lot of dllhost.exe things running. When I brought IE back up I had to re-login to all my normal sites (Twitter, Tumblr, Facebook), which I thought was odd. I downloaded Malwarebytes Free, which quarantined some stuff but did not solve my problem. The "Malicious Website Blocked" popups from Malwarebytes said the source was windows\syswow64\dllhost.exe, so I went there and set it to run in the sandbox. Since that time I still get the warnings, but my CPU is not going crazy; the dllhost things are not using any of the CPU. I bought the premium Malwarebytes and it found nothing even though I am getting the popups.

 

I ran the farbar tool.  I am attaching the files. 

 

Thank you for any help,

Cami

FRST.txt

Addition.txt


Hello Cami and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Step 1

Please uninstall the following applications:

Catalina Savings Printer

Coupon Printer for Windows

Pogo Games

Zip Opener Packages

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Threat Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • Fixlog log

fixlist.txt


Thank you for your response.  I had two instances of the catalina savings printer and was able to uninstall one, but the other gets an error.  "The feature you are trying to use is on a network resource that is unavailable."

 

The threat scan did not reveal anything.  I am pasting it below.  I then ran the frst and now I have no dllhost.exe in my task manager window.  Yay.

 

*****************************************

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 10/31/2014
Scan Time: 6:25:06 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.3.1025
Malware Database: v2014.10.31.12
Rootkit Database: v2014.10.22.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Cami
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 406215
Time Elapsed: 12 min, 28 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
*********************************************
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-10-2014 01
Ran by Cami at 2014-10-31 18:56:07 Run:1
Running from C:\Users\Cami\Desktop
Loaded Profile: Cami (Available profiles: Cami & Cami admin & Family)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Start
CustomCLSID: HKU\S-1-5-21-220717414-300964408-1911875850-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: C:\Windows\Tasks\DSite.job => C:\Users\Cami\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
HKU\S-1-5-21-220717414-300964408-1911875850-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
FF Plugin HKCU: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\Cami\AppData\Roaming\CATALI~2\NPBCSK~1.DLL (Catalina Marketing Corporation)
End
*****************
 
"HKU\S-1-5-21-220717414-300964408-1911875850-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key Deleted Successfully.
C:\Windows\Tasks\DSite.job => Moved successfully.
"HKU\S-1-5-21-220717414-300964408-1911875850-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
"HKU\S-1-5-21-220717414-300964408-1911875850-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
"HKCU\Software\MozillaPlugins\CouponNetwork.com/CMDUniversalCouponPrintActivator" => Key not found.
C:\Users\Cami\AppData\Roaming\CATALI~2\NPBCSK~1.DLL not found.
 
==== End of Fixlog ====
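The fixlist above removed a CLSID LocalServer32 value that launches rundll32.exe with a javascript: URL, which is how Poweliks runs without a file on disk and why dllhost.exe was burning CPU. The following is an added check, not part of the thread and not Malwarebytes or FRST code; it only reads the registry and reports matches, it deletes nothing. Run it from an elevated PowerShell (3.0 or later is assumed) so all loaded user hives under HKEY_USERS are visible.

```powershell
# Added example: find CLSID LocalServer32 values in every loaded user hive that start
# rundll32.exe with a javascript: URL (the fileless Poweliks pattern seen in this thread).
# The CLSID is read from the registry, not assumed, so other CLSIDs are caught too.
function Find-JavascriptLocalServer32 {
    $pattern = 'rundll32(\.exe)?\s+javascript:'

    # FRST listed the entry under both the per-user <SID>_Classes hive and
    # <SID>\Software\Classes, so both locations are searched.
    $roots = @(
        'Registry::HKEY_USERS\*_Classes\CLSID',
        'Registry::HKEY_USERS\*\Software\Classes\CLSID'
    )

    foreach ($root in $roots) {
        # Get-Item with wildcards returns the matching LocalServer32 keys themselves.
        foreach ($key in Get-Item -Path "$root\*\LocalServer32" -ErrorAction SilentlyContinue) {
            $cmd = $key.GetValue('')   # the (default) value: the command COM will launch
            if ($cmd -is [string] -and $cmd -match $pattern) {
                [pscustomobject]@{
                    Key     = $key.Name
                    # Only the start of the value is shown; the rest is the encoded script.
                    Command = $cmd.Substring(0, [Math]::Min(80, $cmd.Length))
                }
            }
        }
    }
}

$hits = @(Find-JavascriptLocalServer32)
if ($hits.Count -eq 0) {
    Write-Output 'No rundll32 javascript: LocalServer32 entries found.'
} else {
    $hits | Format-List
}
```

A hit means the persistence entry is present; in this thread it was removed with an FRST fixlist prepared by the helper, and a clean rerun of this check is a quick way to confirm the fix took.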

Don't worry.

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

  • 2 months later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
