Jump to content

dllhost com surrogate process grows in memory usage


msmith451
 Share

Recommended Posts

Hello. I am working on a computer for a friend and it looks like his computer has been infected with some malware. Upon windows startup the dllhost file is executing processes that multiple and start to utilize up to 2 gb of his memory. I have upgraded his cpu from a dual core to a hex core to help deal with the slowness and while malwarebytes found some stuff, which I deleted, the issue remains.

 

I see some cowboys of the wild west on these forums handling peoples issues with good results. I have run some of the programs listed with hopes of resolving it with my knowledge, but I am not a pro with malware removal.

 

My hands are tied. I would be happy to donate some currency for the time put in and services rendered. Unfortunately this machine is has a complex configuration with connections to CNC and similar industrial machines, so wiping the OS and reinstalling CAD programs with floppy disks would be a huge pain, let alone setting up the XP VM.

 

Unfortunately the malwarebytes logs are xmls which I can't upload, but I have included some files from combofix and frst. Perhaps a fixlist can be generated from this. 

 

I will check the forums and follow whatever instructions are given explicitly. No pirated software or hacked windows are installed on this machine. Please help. 

ComboFix.txt

smith_malwarebytes_log.txt

FRST.txt

Addition.txt

Link to post
Share on other sites

Hello msmith451, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. xsmile.png.pagespeed.ic.CwSpBGGvqN.png
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not post logs using the CODEQUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click xetYzdbu.png.pagespeed.ic.U7AjmRUewW.png at the top of the page. 
     

======================================================
 
Please do the following. 
 
STEP 1
nSymGHK.png Folder Options 

  • Press the Windows Key pdKOQKY.png + r on your keyboard at the same time. Type Control Folders and click OK.
  • Click View. Under Hidden files and folders
  • Place a checkmark next to Show hidden files, folders and drives.
  • Remove the checkmark next to Hide extensions for known file types.
  • Remove the checkmark next to Hide protected operating system Files (Recommended).
  • Click Apply followed by OK.
     

STEP 2
nWhGEI3.png VirusTotal Upload

  • Please go to VirusTotal.com.
  • Click Choose File and locate the following file:
    • C:\Windows\SysWOW64\drivers\ddnt.sys
  • Click Scan it!.
  • If you receive the following notification: File already analysed click Reanalyse.
  • Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply. 
     

STEP 3
YARWD1t.png TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-Click TDSSKiller.exe and select AVOiBNU.jpg Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to:
    • Loaded Modules
    • Detect TDLFS file system
    • Verify file digital signatures
  • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
  • ​Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
     

======================================================
 
STEP 4
pfNZP4A.png Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • VirusTotal Results
  • TDSSKiller log (attached!)
Link to post
Share on other sites

The system appears better after I ran adwcleaner, fixpoweliks64 and malwarebytes antirootkit last night, before I posted here, but that Win32.Malware.Heur_Generic.A.(kcloud) picked up by Kingsoft seems to remain. I have to check out for the night, but I will check back tomorrow and follow whatever instructions you give me. 

 

Thanks in advance Adam. My name is Matt btw. Good night

Link to post
Share on other sites

Hi Matt, 

 

Please proceed with the following.

 

STEP 1
EtQetiM.png Uninstall Software

  • Press the Windows Key pdKOQKY.png + r on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall.
  • Note: Ensure you decline offers of additional software if applicable.
    • Ask Toolbar
  • Follow the prompts.
  • Reboot if necessary.
     

STEP 2
xlK5Hdb.png Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key pdKOQKY.png + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    startHKLM-x32\...\Run: [] => [X]HKU\S-1-5-21-2081514750-4280462676-107054556-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONHKU\S-1-5-21-2081514750-4280462676-107054556-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONToolbar: HKCU - No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} -  No FileHandler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No FileFilter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No FileS3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe" [X]S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe /s  [X]S3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0; \??\c:\gencotst\pcdsrvc_x64.pkms [X]C:\Users\Nick\AppData\Local\Temp\AcDeltree.exeCustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{6D7AE628-FF41-4CD3-91DD-34825BB1A251}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe /Automation No FileCustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{B77E471C-FBF3-4CB5-880F-D7528AD4B349}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe /Automation No FileCustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{C92FB640-AD4D-498A-9979-A51A2540C977}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe /Automation No FileCustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{D70E31AD-2614-49F2-B0FC-ACA781D81F3E}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe No FileCustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acadficn.dll No FileC:\Program Files (x86)\Ask.comreg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /fCMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: netsh int ipv4 resetCMD: netsh int ipv6 resetEmptyTemp:end
  • Click File, Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select AVOiBNU.jpg Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 3
GfiJrQ9.png Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 4
BY4dvz9.png AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select AVOiBNU.jpg Run as administrator to run the programme.
  • Follow the prompts.
  • Click Scan.
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
  • Follow the prompts and allow your computer to reboot.
  • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 
 
======================================================
 
STEP 5
pfNZP4A.png Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did the programme uninstall OK?
  • Fixlog.txt
  • MBAM log
  • AdwCleaner[s0].txt
Link to post
Share on other sites

Ask toolbar program was mysteriously gone today. Good riddance!

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-11-2014 02
Ran by Nick at 2014-11-13 17:01:00 Run:1
Running from C:\Users\Nick\Downloads
Loaded Profile: Nick (Available profiles: Nick)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2081514750-4280462676-107054556-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2081514750-4280462676-107054556-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKCU - No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} -  No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No File
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
S3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe" [X]
S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe /s  [X]
S3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0; \??\c:\gencotst\pcdsrvc_x64.pkms [X]
C:\Users\Nick\AppData\Local\Temp\AcDeltree.exe
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{6D7AE628-FF41-4CD3-91DD-34825BB1A251}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe /Automation No File
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{B77E471C-FBF3-4CB5-880F-D7528AD4B349}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe /Automation No File
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{C92FB640-AD4D-498A-9979-A51A2540C977}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe /Automation No File
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{D70E31AD-2614-49F2-B0FC-ACA781D81F3E}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe No File
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acadficn.dll No File
C:\Program Files (x86)\Ask.com
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /f
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
\\{71576546-354D-41C9-AAE8-31F2EC22BF0D} => Value not found.
"HKCR\CLSID\{71576546-354D-41C9-AAE8-31F2EC22BF0D}" => Key not found.
"HKCR\PROTOCOLS\Handler\vipresg" => Key deleted successfully.
"HKCR\CLSID\{47BE2E5B-703B-444F-ABD3-05717D2191C6}" => Key not found.
"HKCR\PROTOCOLS\Filter\text/xml" => Key deleted successfully.
"HKCR\CLSID\{807553E5-5146-11D5-A672-00B0D022E945}" => Key not found.
McComponentHostService => Service not found.
Norton PC Checkup Application Launcher => Service not found.
PCDSRVC{67F2314B-25F2B3C0-06020101}_0 => Service deleted successfully.
"C:\Users\Nick\AppData\Local\Temp\AcDeltree.exe" => File/Directory not found.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{6D7AE628-FF41-4CD3-91DD-34825BB1A251}" => Key not found.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{B77E471C-FBF3-4CB5-880F-D7528AD4B349}" => Key not found.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{C92FB640-AD4D-498A-9979-A51A2540C977}" => Key not found.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{D70E31AD-2614-49F2-B0FC-ACA781D81F3E}" => Key not found.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}" => Key not found.
"C:\Program Files (x86)\Ask.com" => File/Directory not found.
 
========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh winsock reset all =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv4 reset =========
 
Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv6 reset =========
 
Reseting Interface, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
EmptyTemp: => Removed 13.2 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog ====
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/13/2014
Scan Time: 5:11:35 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.3.1025
Malware Database: v2014.11.13.10
Rootkit Database: v2014.11.12.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Nick
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327176
Time Elapsed: 8 min, 37 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
# AdwCleaner v4.101 - Report created 13/11/2014 at 17:24:42
# Updated 09/11/2014 by Xplode
# Database : 2014-11-13.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Nick - MIKTOOLPC
# Running from : C:\Users\Nick\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17420
 
 
-\\ Google Chrome v38.0.2125.111
 
 
*************************
 
AdwCleaner[R1].txt - [746 octets] - [13/11/2014 17:23:22]
AdwCleaner[s1].txt - [668 octets] - [13/11/2014 17:24:42]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [727 octets] ##########
 
It looks like everything is gone. There were a few items quarantined in mbam from previous runs, so I deleted them. Is there anything else left to do other than keep an eye out for anything strange?
Link to post
Share on other sites

Hello Matt, 
 
Lets check for malware remnants. 
Please provide an update on your computer afterwards. 
 
GzlsbnV.png ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click esetListThreats.png. If no threats were found, skip the next two bullet points. 
  • Click esetExport.png and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to xKN1w2nv.png.pagespeed.ic.JWqIaEgZi7.png and click SzOC1p0.png.pagespeed.ce.OWDP45O6oG.png.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
Link to post
Share on other sites

Thanks Adam. I hope we are in the final stretch. I assume the quarantined files can be deleted. The Y: drive is an external backup that has an old install, so I don't think the toolbar could be affecting this computer. I will be formatting it soon and starting a new backup regiment after all this is said and done. ccsetup is just cc cleaner and 1440026.msi can just be deleted right?

 

C:\Qoobox\Quarantine\Registry_backups\CLSID_{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}.reg.dat Win32/Poweliks.C trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0000.dta Win64/Olmarik.AK trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0001.dta Win32/Olmarik.AYH trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0002.dta Win64/Olmarik.AL trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.NH trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0004.dta Win64/Olmarik.AK trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0008.dta Win32/Olmarik.AFK trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0009.dta Win64/Olmarik.AK trojan

C:\Users\Nick\Downloads\ccsetup419.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

C:\Windows\Installer\1440026.msi a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application

Y:\old computer\Program Files\Common Files\Real\Toolbar\RealBar.dll a variant of Win32/Adware.Toolbar.Visicom.AB application

 

Thanks again. I might not be back until Monday, but this hour long scan completing without any active threats (just remnants) makes me think we are good. What is your opinion?

 

Enjoy the weekend,

Matt

Link to post
Share on other sites

Hi Matt,
 
Delete this file: C:\Windows\Installer\1440026.msi
 
Update your outdated software to reduce the risk of reinfection.

Ensure the following programmes are no longer installed.

  • Adobe Shockwave Player 11.6 
  • Java 7 Update 17 
     

Now for the good news.

All Clean!
Congratulations, your computer appears clean!  :)
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation. YSCcjW7.png
 
 
STEP 1
9SN2ePL.png ComboFix Uninstall

  • If ComboFix.exe is no longer present, redownload ComboFix and save the file to your Desktop
  • Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:
    ComboFix /Uninstall
  • Click OK.
  • Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.
     

STEP 2
AFZxnZc.jpg DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • xKsUqI5A.png.pagespeed.ic.vn1Hlvqi8h.jpg AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • E8I37RF.pngCryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), preventing your files from being encrypted.
  • EG85Vjt.png Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • x6YRrgUC.png.pagespeed.ic.HjgFxjvw2Z.jpg Malwarebytes Anti-Malware Premium (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
  • xjv4nhMJ.png.pagespeed.ic.A5YbWn1eDO.png NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • 3O8r9Uq.png Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • DgW1XL2.png.pagespeed.ce.v1OlJl_ZAS.png Secunia PSI will scan your computer for vulnerable software that is outdatedand automatically find the latest update for you.
  • xj1OLIec.png.pagespeed.ic.k6hhwopU0q.jpg SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • xJEP5iWI.png.pagespeed.ic.4tmM1lM7DQ.png Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing. :)    
Adam

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.