dllhost.exe COM surrogate Poweliks at the least


SuperG

Hello, and Thank you in advance for any assistance you can provide.

 

My name is Barry, but you can feel free to call me Barry.

 

My machine was running high fan quite a bit with nothing running, which led me to discover this charming beast lurking behind. I have run ComboFix (log attached) as well as Farbar Recovery Scan Tool (FRST) Scan (FRST and Addition logs attached) as well as TDSSKiller. Here is how that went:

 

ComboFix finds a temp file and deletes it however this doesn't resolve the issue. I suspect it has to do with other programs loading when the computer reboots, but it could also just be getting replaced as soon as it's removed.

 

Farbar indicates a likely Poweliks reg key in the logs. I understand that this is not good and immediately changed all my logins (not a small task) from a clean PC last night when I discovered the issue. I wish to try and clean this machine so I can take a clean local backup, then wipe the machine afterwards.

 

TDSSKiller actually finds absolutely nothing.

 

I would appreciate any assistance in removing this scourge. Thank you.

 

**EDIT** Apparently my post is too long, I'll just attach the logs vs. paste.

 

ComboFix.txt

FRST.txt

Addition.txt


In case anybody is wondering... McAfee seems to think ComboFix is malware itself and will delete the download. Had to go to a 3rd computer. (The infected one is still not connected to anything.)

 

 

ComboFix.txt:

 

ComboFix 14-10-29.01 - Barry 10/30/2014  20:13:52.5.2 - x86
Microsoft Windows 7 Professional   6.1.7600.0.1252.1.1033.18.3567.2485 [GMT -5:00]
Running from: c:\users\Barry\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\jna5572854781856955704.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-28 to 2014-10-31  )))))))))))))))))))))))))))))))
.
.
2014-10-31 01:19 . 2014-10-31 01:21 -------- d-----w- c:\users\Barry\AppData\Local\temp
2014-10-31 01:19 . 2014-10-31 01:19 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-10-31 01:19 . 2014-10-31 01:19 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2014-10-31 01:19 . 2014-10-31 01:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-29 05:52 . 2014-10-29 05:55 -------- d-----w- C:\AdwCleaner
2014-10-29 05:47 . 2014-10-29 05:47 -------- d-----w- c:\program files\VS Revo Group
2014-10-29 04:32 . 2014-10-31 00:29 -------- d-----w- C:\FRST
2014-10-29 03:56 . 2014-10-30 01:20 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-29 03:56 . 2014-10-29 03:56 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-10-29 03:56 . 2014-10-29 03:56 -------- d-----w- c:\programdata\Malwarebytes
2014-10-29 03:56 . 2014-10-01 16:11 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-29 03:56 . 2014-10-01 16:11 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-29 03:56 . 2014-10-01 16:11 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-04 15:58 . 2010-02-08 02:34 414520 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-08-04 15:58 . 2014-08-04 15:58 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-08-04 15:58 . 2014-08-04 15:58 43152 ----a-w- c:\windows\avastSS.scr
2014-08-04 15:58 . 2014-01-10 02:53 71944 ----a-w- c:\windows\system32\drivers\aswstm.sys
2014-08-04 15:58 . 2014-01-10 02:52 81768 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-08-04 15:58 . 2014-01-10 02:51 779536 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-08-04 15:58 . 2014-01-10 02:51 192352 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-08-04 15:58 . 2014-01-10 02:51 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-08-04 15:58 . 2010-02-08 02:34 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-08-04 15:58 . 2010-02-08 02:34 276432 ----a-w- c:\windows\system32\aswBoot.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-08-04 15:58 578240 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Barry\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Barry\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Barry\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHWA.EXE" [2011-04-24 219008]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2014-01-17 543432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-11 150552]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"FUFAXRCV"="c:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-14 113288]
"AvastUI.exe"="c:\program files\Alwil Software\Avast5\AvastUI.exe" [2014-08-04 4085896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-05-07 256896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHWA.EXE" [2011-04-24 219008]
"EPLTarget\P0000000000000001"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHWA.EXE" [2011-04-24 219008]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CrashPlan Tray.lnk - c:\program files\CrashPlan\CrashPlanTray.exe [2013-2-21 209920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=wdmaud.drv
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2013-06-28 14624]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2014-01-22 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-10-01 968504]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-10-01 51928]
R4 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-10-01 1871160]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-08-04 779536]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-08-04 414520]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2011-04-25 65584]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-08-04 24184]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-08-04 67824]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-08-04 71944]
S2 CrashPlanService;CrashPlan Backup Service;c:\program files\CrashPlan\CrashPlanService.exe [2013-02-22 152576]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-06-09 521600]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-01-08 161536]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2009-03-02 5120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-09-12 414496]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2010-12-07 2228008]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-07-16 2673064]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-10-01 23256]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4056181430-203973226-4140590726-1000Core.job
- c:\users\Barry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 19:30]
.
2014-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4056181430-203973226-4140590726-1000UA.job
- c:\users\Barry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 19:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
FF - ProfilePath - c:\users\Barry\AppData\Roaming\Mozilla\Firefox\Profiles\jftl7969.default\
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5748)
c:\users\Barry\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\conhost.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2014-10-30  20:23:16 - machine was rebooted
ComboFix-quarantined-files.txt  2014-10-31 01:23
ComboFix2.txt  2014-10-30 01:36
ComboFix3.txt  2014-10-29 06:11
ComboFix4.txt  2014-10-29 05:34
ComboFix5.txt  2014-10-31 01:13
.
Pre-Run: 176,323,551,232 bytes free
Post-Run: 176,031,465,472 bytes free
.
- - End Of File - - C9A07B46E13239F793546FA861C575C3
A36C5E4F47E84449FF07ED3517B43A31
 

 

Thank you.


I have not put it back on the network yet, but when I went to Task Manager after all this and marked "Show processes from all users" I saw two dllhost.exe COM Surrogate items that rapidly vanished. I suspect if I plug this in they will come back.

 

Let me test it.

 

They show up after reboot but again disappear when I show all user processes.

 

I'm going to give this a bit to simmer.

 

Should I re-run anything to check? FRST?

 

Thank you.

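Two read-only checks a defender can run on a box like the one described in this thread, added here as an example; this is not code from the poster, from MrC, or from any of the tools named above. It assumes an elevated PowerShell prompt on the affected Windows 7 machine and uses Get-WmiObject (not Get-CimInstance) so it works on the PowerShell 2.0 that ships with Windows 7. The first function polls for dllhost.exe instances, since the ones reported above vanished too quickly for a single Task Manager look; the second lists the same three Run keys ComboFix prints under "Reg Loading Points" and flags entries whose program is not on disk or whose value name cannot be displayed properly. The function names, the polling interval and the flag names are this example's own choices.

```powershell
# Added example (not from the thread): read-only triage checks for the
# symptoms described above. Assumes an elevated prompt on Windows 7 /
# PowerShell 2.0. Nothing below modifies the system.

function Watch-Dllhost {
    # The dllhost.exe (COM Surrogate) instances seen above disappeared within
    # seconds, so one process listing can miss them. Poll for $Seconds and
    # record every distinct PID seen. A genuine surrogate is normally started
    # by svchost.exe (DcomLaunch) with a /Processid:{CLSID} argument; an
    # instance without that argument, or with another parent, deserves a look.
    param([int]$Seconds = 30)
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($p in (Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'")) {
            if ($seen.ContainsKey($p.ProcessId)) { continue }
            $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            $parentName = '<already exited>'
            if ($parent) { $parentName = $parent.Name }
            $seen[$p.ProcessId] = New-Object PSObject -Property @{
                PID         = $p.ProcessId
                ParentPID   = $p.ParentProcessId
                ParentName  = $parentName
                CommandLine = $p.CommandLine
                HasClsidArg = [bool]($p.CommandLine -match '/Processid:\{[0-9A-Fa-f-]+\}')
                FirstSeen   = Get-Date
            }
        }
        Start-Sleep -Milliseconds 500
    }
    $seen.Values
}

function Resolve-RunTarget {
    # Pull the program path out of Run-key data. Handles quoted paths and
    # unquoted paths that contain spaces by trying progressively longer
    # prefixes of the string until one names a file on disk.
    param([string]$Data)
    if ($Data -match '^"([^"]+)"') { return $matches[1] }
    $tokens = $Data -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = [Environment]::ExpandEnvironmentVariables(($tokens[0..($i - 1)] -join ' '))
        if ([string]::IsNullOrEmpty($candidate)) { continue }
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]   # nothing on disk matched; the caller flags it
}

function Get-RunKeyEntries {
    # The same three hives ComboFix reports under "Reg Loading Points".
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            # An empty value name, or one containing control characters, is one
            # regedit cannot display properly. (Poweliks is known for hiding its
            # Run entry this way; that is general knowledge, not something the
            # thread itself states.)
            $oddName = ($name -eq '') -or ($name -match '[\x00-\x1F]')
            $exe = $null
            $onDisk = $false
            if ($data -is [string] -and $data -ne '') {
                $exe = Resolve-RunTarget -Data $data
                if (-not [string]::IsNullOrEmpty($exe)) {
                    $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
                }
            }
            New-Object PSObject -Property @{
                Hive      = $path
                Name      = ($name -replace '[\x00-\x1F]', '?')
                Data      = $data
                Program   = $exe
                OddName   = $oddName
                ExeOnDisk = $onDisk
            }
        }
    }
}

# Usage: entries with an odd name or a missing program, and dllhost.exe
# instances without a CLSID argument, are the ones to examine first.
Get-RunKeyEntries | Where-Object { $_.OddName -or -not $_.ExeOnDisk } | Format-List
Watch-Dllhost -Seconds 30 | Format-Table PID, ParentName, HasClsidArg, CommandLine -AutoSize
```

Both functions only read WMI and the registry, so they can be run before the machine goes back on the network. A dllhost.exe that shows up with a CLSID argument and svchost.exe as its parent is normal Windows behaviour; what is worth keeping is the command line and parent of anything that does not fit that pattern, and any Run entry the script flags, so a helper has something concrete to compare against the FRST and ComboFix logs.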

OK........

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

Weird, I thought I posted this earlier today. Here are the results:

 

Results of screen317's Security Check version 0.99.89  
 Windows 7  x86 (UAC is enabled)  
 Out of date service pack!!
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 60  
 Java version out of Date!
  Adobe Flash Player     11.7.700.169 Flash Player out of Date!  
 Mozilla Firefox 31.0 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
 Alwil Software Avast5 AvastSvc.exe  
 Alwil Software Avast5 AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 


Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


===============================

Windows 7 x86 (UAC is enabled)
Out of date service pack!! <-----please visit Windows Update for this
Internet Explorer 11


=============================

Java 7 Update 60 <-----------please uninstall this and any other Java listed in your Programs and Features
Java version out of Date! <-------Download and install the latest version (Java™ 8 Update 25) from Here. Uncheck the box to install the Ask toolbar!!!, McAfee Security Scan Plus or any other free "stuff".

============================

Adobe Flash Player 11.7.700.169 Flash Player out of Date!
Flash Player:

Check for an update if available
Downloads are at the top of the page. (don't install the McAfee toolbar)

===========================

Mozilla Firefox 31.0 Firefox out of Date! <----please check for an update if available.

===========================

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit Enter. (It may look like CF is re-installing, but it's not.)
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (You may already have this.)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (Right click..... Delete.)
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc.... AdwCleaner > just run the program and click Uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
