Jump to content

Help with multiple dllhost.exe *32 running please


Recommended Posts

Like so many others I see, I have been struggling with the issue of something causing multiple dllhost.exe processes to start and run until my laptop CPU and memory are at 100% utilization.

 

I have been reading a lot of the related posts on this subject and it seems that while this issue is pervasive; each system requires it's own unique fix or repair.

 

I have been able to stop the process with RogueKiller; however I am confident that as soon as I have to restart my laptop it will all start again.

 

I am using a Dell Latitude E6520 running 64-bit on Windows 7 Pro SP1. I have repeatedly updated and ran MBam V2.0.3.1025 with no threats found; I also downloaded and ran Mbar 1.08.0.1001. I had Trend Micro and Windows Defender; out of frustration; I added Avast 2015 and turned off the other two. Again nothing is found.

 

I would appreciate any assistance offered.

 

FRST.txt

Addition.txt

Link to post
Share on other sites

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me reviewing your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

    [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt



Please attach this file to your next reply.

Link to post
Share on other sites

Hello Marius,

 

My laptop flashed a blue screen about 4 minutes after I posted my reply that said something about new software and then immediately shut down.

I have restarted in safe mode with networking.

I do not know why this happened or what caused it; but I thought I should let you know.

 

Thanks again for your Help,

Scott

Link to post
Share on other sites

I just read  "important"

GMER 2.1.19357 - http://www.gmer.netRootkit scan 2014-11-10 09:26:36Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.D005 465.76GBRunning: 6r4cjs67.exe; Driver: C:\Users\ADMINS~1\AppData\Local\Temp\kxtiypow.sys---- Processes - GMER 2.1 ----Library  C:\Program Files\AVAST Software\Avast\defs\14111000\uiExt.dll (*** suspicious ***) @ C:\Program Files\AVAST Software\Avast\avastui.exe [4444]     0000000074790000Library  C:\Program Files\AVAST Software\Avast\defs\14111000\aswCmnBS.dll (*** suspicious ***) @ C:\Program Files\AVAST Software\Avast\avastui.exe [4444]  000000006f2d0000Library  C:\Program Files\AVAST Software\Avast\defs\14111000\aswCmnOS.dll (*** suspicious ***) @ C:\Program Files\AVAST Software\Avast\avastui.exe [4444]  000000006fe90000---- Registry - GMER 2.1 ----Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\d0df9ab22a24                                                                       Reg      HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\d0df9ab22a24 (not active ControlSet)                                                   ---- EOF - GMER 2.1 ----
Link to post
Share on other sites

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

 

 

 

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

fixlist.txt

Link to post
Share on other sites

Here is the fix log and the scan log

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-11-2014 01Ran by Admin Scott Mackay at 2014-11-11 10:49:08 Run:2Running from C:\Users\Admin Scott Mackay\DesktopLoaded Profile: Admin Scott Mackay (Available profiles: Scott Mackay & Admin Scott Mackay & DefaultAppPool)Boot Mode: Normal==============================================Content of fixlist:*****************HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONHKU\S-1-5-21-2147785943-2566867375-865720341-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONEmptyTemp:*****************"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully."HKU\S-1-5-21-2147785943-2566867375-865720341-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.EmptyTemp: => Removed 247.1 MB temporary data.The system needed a reboot. ==== End of Fixlog ====
Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 11/11/2014Scan Time: 10:53:45 AMLogfile: Mbam Scan Log.txtAdministrator: YesVersion: 2.00.3.1025Malware Database: v2014.11.11.05Rootkit Database: v2014.11.10.01License: FreeMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: Admin Scott MackayScan Type: Threat ScanResult: CompletedObjects Scanned: 495583Time Elapsed: 19 min, 51 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end)

Fixlog.txt

Mbam Scan Log.txt

Link to post
Share on other sites

Scan with ESET Online Scan

Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

    [*]Click Start[*]Wait for the scan to finish[*]When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."[*] Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.[*]Close the ESET online scan, and let me know how things are now.

Link to post
Share on other sites

Hello Marius,

Thank you again for helping me. Here is the scan log.

C:\ProgramData\RogueKiller\Quarantine\39174D3024E09898.reg	Win32/Poweliks.C trojanC:\Users\Admin Scott Mackay\Downloads\DownloadManagerSetup.exe	a variant of Win32/InstallCore.QF potentially unwanted applicationC:\Users\All Users\RogueKiller\Quarantine\39174D3024E09898.reg	Win32/Poweliks.C trojan

ESET SCAN LOG.txt

Link to post
Share on other sites

Looks good!

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don´t uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You´ll find the log file at C:\AdwCleaner[s1].txt also




Delete junk with JRT

thisisujrt.gif Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.





SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK Mirror (if the link is down)

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread (Note: Do NOT post this one into a code box!

Link to post
Share on other sites

# AdwCleaner v4.101 - Report created 13/11/2014 at 08:55:28# Updated 09/11/2014 by Xplode# Database : 2014-11-12.2 [Live]# Operating System : Windows 7 Professional Service Pack 1 (64 bits)# Username : Admin Scott Mackay - MACKAYSYSTEMS# Running from : C:\Users\Admin Scott Mackay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G757HYE2\adwcleaner_4.101.exe# Option : Clean***** [ Services ] ********** [ Files / Folders ] ********** [ Scheduled Tasks ] ********** [ Shortcuts ] ********** [ Registry ] ********** [ Browsers ] *****-\\ Internet Explorer v11.0.9600.17420-\\ Google Chrome v38.0.2125.111-\\ Opera v25.0.1614.68

Thanks again Marius. here is the adwcleaner log, I will run the other two now. 

Link to post
Share on other sites

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Junkware Removal Tool (JRT) by ThisisuVersion: 6.3.7 (11.08.2014:1)OS: Windows 7 Professional x64Ran by Admin Scott Mackay on Thu 11/13/2014 at  9:08:02.01~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Services~~~ Registry Values~~~ Registry Keys~~~ FilesSuccessfully deleted: [File] "C:\Windows\couponprinter.ocx"~~~ FoldersSuccessfully deleted: [Folder] "C:\Program Files (x86)\coupons"Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"~~~ Event Viewer Logs were cleared~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Scan was completed on Thu 11/13/2014 at  9:10:56.92End of JRT log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I ran JRT and tried to run Security Checker three time however it aborted. The text said "UNSUPPORTED OPERATING SYSTEM! ABORTED!"

Thank you again for your help and support.

Link to post
Share on other sites

Hello Marius,

 

I am very grateful for your assistance. It appears to me that you have guided me to a successful removal of the malicious process.

 

The only way that I knew when the malicious process was happening was to watch Windows Task Manager. Previously I would see dllhost.exe *32 processes running and then they would start multiplying. Now I occasionally see dllhost.exe run; then disappear. 

I have not seen any dllhost.exe *32 processes running for a few days.

 

I have avoided any financial sites or online transactions since I first noticed the Dllhost.exe *32 behavior. When do you think it will be safe for me to use online credit card or paypal transactions? I would like to upgrade from Mbam free to premium and I would also like to buy you a beer or two as well.

 

Again; I thank you for your help and support.

Scott

Link to post
Share on other sites

I was able to run the Security check after reboot and have attached the log.

I tried to copy and paste; but it would not paste for some reason.

I am puzzled about the "Java version out of date" statement on the log. I have gone to start - all programs - Java - check for updates - update now: I get "you already have the latest Java platform on this system"

 

As always, thank you for your help.

Scott

checkup log 11.14.2014.txt

Link to post
Share on other sites

Your system is clean now! :)

 

 

Run JavaRa

  • Please download JavaRa and unzip it in a folder on your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Click on Update JavaRa Definitions. Click on download. When this is done click on Back.
  • Choose Remove JRE, since you already uninstalled Java, please click on Next.
  • Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  • When that's succesfully done, please click OK to close the message.
  • Click on Next. Since you already downloaded the latest version of Java, please click on Next.
  • Now click on Close this wizard and click Finish.
  • From the main menu please choose Additional Tasks
  • Place a checkmark beside Remove Outdated JRE Firefox Extentions and Clean JRE Temp Files and click Run. Mozilla Firefox should be closed before running this task.
  • When that's succesfully done you will see a message at the top saying: "Selected tasks completed successfully".
  • A log file should be created in the same directory as JavaRa.
  • Please post the log in your next reply.
  • Close JavaRa by clicking the red cross button.

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  1. In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
  2. In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You shall be noted that Combofix has been removed.
  3. In any case please download delfix to your desktop.
    • Close all other programms and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process

[*] If there is still something left please delete it manualy.





Delete System Restore Points

To ensure your System Restore Points are free of malware, we will delete all of them but the most recent or create a new one.

On Windows Vista: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows 7/8: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows XP: Please follow these instructions to delete all but the most common System Protection Restore Points.




Temp File Cleaner

We need to download Temp File Cleaner (TFC) by OldTimer:

  • Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
  • Save and close all running applications
  • Double-click on TFC.exe to run the program
  • Click on Start to begin the cleaning process note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC - this is normal and part of the cleanup
  • When the scan is complete, if you were not asked to reboot the computer, please do so now

More Information can be found about the tool here: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

 

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website´s content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.

    [*]Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

    [*]Backup
    Hardware issues, malware, fire, lightning strike: There is a long list of different ways to loose all your data. Back up your files regularly. Use the windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system. [*]Behaviour
    The commonest error when using a computer is "error 80" - what means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians but it shows that all the safety mechanisms won´t help if you aren´t careful enough.

    • While surfing the internet, don´t click on anything you don´t know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal pata (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don´t click everything.
    • When installing software, have a look to each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today´s setup procedures contain potentially unwanted programs so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



Link to post
Share on other sites

Here in the States we just celebrated the Thanksgiving Holiday, a national day of giving thanks for our many blessings.

So in that spirit; I share that I am thankful for Psychotic  (Marius) and all of the other advisers here on the forum.

Without you good people; many of us would remain victims of the malicious horde.

I believe I speak for many people all over the world when I say thank you to all of the advisers.

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.