
Multiple Instances of dllhost.exe consuming all memory/RAM!


  • This topic is locked
2 replies to this topic

#1 Orcrin12

Orcrin12

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:11 AM

Posted 23 October 2014 - 09:28 AM

Lots of dllhost.exe in Task Manager consuming all memory and lagging computer. Scanned with SUPERantispyware and removed 2 Trojans. Scanned with TDSSKiller and removed 2 Worms. Keep finding new things, thinking the viruses are multiplying as they die. Need help removing them. I ran ComboFix and it seemed to be successful. But nothing seemed to happen, dllhost.exe was still running rampant. So I decided to disable all antivirus systems and run ComboFix again, but after the blue window popped up it disappeared after a minute. What should I do? HALP! :(

 

Pasting DDS.txt log below... Attaching "Attach.txt" as well. Please help soon!

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.17344  BrowserJavaVersion: 10.60.2
Run by Master-Chief at 10:19:09 on 2014-10-23
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3583.2281 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Gaming Mouse\Monitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uProxyServer = hxxp=127.0.0.1:64580;https=127.0.0.1:64580
uProxyOverride = <-loopback>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [CAHeadless] c:\program files\adobe\elements 11 organizer\caheadless\ElementsAutoAnalyzer.exe
uRun: [ISUSPM] c:\programdata\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Gaming mouse] "c:\program files\gaming mouse\Monitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISUSPM] c:\programdata\flexnet\connect\11\\isuspm.exe -scheduler
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking12\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking12\Ereg.ini"
uPolicies-Explorer: TaskbarNoNotification = dword:0
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: TaskbarNoNotification = dword:0
mPolicies-Explorer: HideSCAHealth = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{39D289D8-00C6-4D05-B573-9B6B5543D45D} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{F158C27A-8979-47B1-8F60-BB1335E5D517} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.104\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
R1 MpKsl1375d629;MpKsl1375d629;c:\programdata\microsoft\microsoft antimalware\definition updates\{a8fcb401-cf35-44d3-9ccb-80358032b801}\MpKsl1375d629.sys [2014-10-23 39464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2014-7-22 142648]
R2 AdobeActiveFileMonitor11.0;Adobe Active File Monitor V11;c:\program files\adobe\elements 11 organizer\PhotoshopElementsFileAgent.exe [2012-9-17 171600]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-9 169312]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2013-4-29 217088]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2013-4-30 291840]
R2 AODDriver4.1;AODDriver4.1;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2012-3-5 45184]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2013-3-8 311184]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2014-3-3 37944]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-5-14 86656]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2013-4-10 1622640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-10-15 108032]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-9-9 110296]
S3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2012-12-6 2046560]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-9-27 95920]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2014-3-3 14848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-3-3 49152]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2014-3-1 1343400]
SUnknown jddrqguo;jddrqguo; [x]
SUnknown mqvdxavk;mqvdxavk; [x]
SUnknown oscblart;oscblart; [x]
.
=============== Created Last 30 ================
.
2014-10-23 14:08:47 -------- d-s---w- C:\ComboFix
2014-10-23 12:53:57 208896 ----a-w- c:\windows\MBR.exe
2014-10-23 12:53:56 256000 ----a-w- c:\windows\PEV.exe
2014-10-23 12:53:55 98816 ----a-w- c:\windows\sed.exe
2014-10-23 12:52:18 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a8fcb401-cf35-44d3-9ccb-80358032b801}\MpKsl1375d629.sys
2014-10-23 12:30:05 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a8fcb401-cf35-44d3-9ccb-80358032b801}\offreg.dll
2014-10-23 00:56:39 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a8fcb401-cf35-44d3-9ccb-80358032b801}\mpengine.dll
2014-10-23 00:43:41 -------- d-----w- C:\TDSSKiller_Quarantine
2014-10-20 23:26:43 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-10-15 13:14:13 230912 ----a-w- c:\windows\system32\generaltel.dll
2014-10-15 13:14:12 396288 ----a-w- c:\windows\system32\aepdu.dll
2014-10-15 13:14:11 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-10-15 13:14:10 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-10-15 13:12:55 2363904 ----a-w- c:\windows\system32\msi.dll
2014-10-06 22:44:29 -------- d-----w- c:\users\master-chief\.swt
2014-10-04 22:46:19 -------- d-----w- c:\windows\system32\appmgmt
2014-10-02 20:56:27 -------- d-----r- c:\program files\Skype
2014-10-02 02:11:03 908840 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a8970d6e-c96c-43b3-ac07-a2ec16fd26c7}\gapaengine.dll
2014-10-01 09:15:19 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-30 13:48:33 -------- d-----w- c:\users\master-chief\appdata\local\Ankama
2014-09-23 22:45:40 2048 ----a-w- c:\windows\system32\tzres.dll
.
==================== Find3M  ====================
.
2014-10-21 17:11:33 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-25 22:32:04 2017280 ----a-w- c:\windows\system32\inetcpl.cpl
2014-09-22 06:41:56 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-09-19 01:25:12 4201472 ----a-w- c:\windows\system32\jscript9.dll
2014-09-19 01:14:57 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-09-19 01:14:44 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-09-19 01:02:07 454656 ----a-w- c:\windows\system32\vbscript.dll
2014-09-19 01:01:47 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-09-19 01:01:03 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-09-19 00:59:40 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-09-19 00:50:16 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-09-19 00:50:15 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-09-19 00:49:31 597504 ----a-w- c:\windows\system32\jscript9diag.dll
2014-09-19 00:44:23 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-09-19 00:36:23 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-09-19 00:18:55 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-09-18 23:59:11 1810944 ----a-w- c:\windows\system32\wininet.dll
2014-09-16 14:11:18 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-16 14:11:18 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-13 01:40:05 67072 ----a-w- c:\windows\system32\packager.dll
2014-09-05 01:52:41 5703168 ----a-w- c:\windows\system32\mstscax.dll
2014-09-04 05:04:15 372736 ----a-w- c:\windows\system32\rastls.dll
2014-08-29 01:44:52 2744320 ----a-w- c:\windows\system32\rdpcorets.dll
2014-08-23 01:46:55 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-19 02:41:38 50176 ----a-w- c:\windows\system32\setbcdlocale.dll
2014-08-19 02:41:22 50688 ----a-w- c:\windows\system32\appidapi.dll
2014-08-19 02:41:22 27648 ----a-w- c:\windows\system32\appidsvc.dll
2014-08-19 02:40:49 96768 ----a-w- c:\windows\system32\appidpolicyconverter.exe
2014-08-19 02:40:49 16896 ----a-w- c:\windows\system32\appidcertstorecheck.exe
2014-08-19 01:48:34 50176 ----a-w- c:\windows\system32\drivers\appid.sys
2014-08-01 11:35:06 793600 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-03-01 18:41:25 49940480 ----a-w- c:\program files\GUTEEC2.tmp
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD50 rev.18.0 -> Harddisk0\DR0 -> \Device\00000067 
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor32.sys 
c:\windows\system32\drivers\nvstor32.sys NVIDIA Corporation NVIDIA nForce™ SATA Driver
1 ntkrnlpa!IofCallDriver[0x82E80BFA] -> \Device\Harddisk0\DR0[0x868E1948]
3 CLASSPNP[0x8C6B459E] -> ntkrnlpa!IofCallDriver[0x82E80BFA] -> [0x86295F08]
5 ACPI[0x8C5653D4] -> ntkrnlpa!IofCallDriver[0x82E80BFA] -> \Device\00000066[0x862A0510]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0;  }
user != kernel MBR !!! 
.
============= FINISH: 10:19:40.30 ===============

Attached Files


Edited by Orcrin12, 23 October 2014 - 09:34 AM.
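The DDS log above contains several indicators a malware responder would pick out by hand: both security products reported as disabled, a user proxy pointing at a listener on 127.0.0.1, UAC switched off (EnableLUA = 0), three services with eight-letter random names and no image path, and the rootkit detector reporting that the MBR read from user mode differs from the one read by the kernel. The script below is an added example, not the poster's log tooling nor anything from BleepingComputer or the DDS author; it runs those checks over a constructed sample made of lines copied from the log above. The "eight random lowercase letters" heuristic for the SUnknown services and the severity labels are my own assumptions.

```python
"""Triage a DDS-style log for the indicators visible in the thread above."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log posted above
# (the full log has hundreds of lines; these are the ones that matter here).
SAMPLE_DDS_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
uStart Page = hxxp://google.com/
uProxyServer = hxxp=127.0.0.1:64580;https=127.0.0.1:64580
uProxyOverride = <-loopback>
mPolicies-System: EnableLUA = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]
SUnknown jddrqguo;jddrqguo; [x]
SUnknown mqvdxavk;mqvdxavk; [x]
user != kernel MBR !!!
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium" (assumed labels, not DDS output)
    indicator: str  # short name of the rule that fired
    line: str       # the log line that triggered it


# Assumption: a service whose name and display name are the same eight random
# lowercase letters and whose image path is missing ("[x]") is suspicious.
RANDOM_SERVICE = re.compile(r"^SUnknown\s+([a-z]{8});\1;\s*\[x\]$")
PROXY_LINE = re.compile(r"^[um]ProxyServer\s*=\s*(.+)$")
LOOPBACK = re.compile(r"(127\.0\.0\.1|localhost):\d+")
LUA_OFF = re.compile(r"^[um]Policies-System:\s*EnableLUA\s*=\s*dword:0$")


def triage(log_text: str) -> list:
    """Return one Finding per indicator line found in a DDS log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Security Center reports the AV / antispyware product as disabled.
        if line[:3] in ("AV:", "SP:") and "*Disabled" in line:
            findings.append(Finding("medium", "security-product-disabled", line))
        # Proxy pointed at loopback: browser traffic is routed through a
        # local listener before it leaves the machine.
        m = PROXY_LINE.match(line)
        if m and LOOPBACK.search(m.group(1)):
            findings.append(Finding("high", "loopback-proxy", line))
        # UAC turned off via policy.
        if LUA_OFF.match(line):
            findings.append(Finding("medium", "uac-disabled", line))
        # Unknown service with a random-looking name and no image on disk.
        if RANDOM_SERVICE.match(line):
            findings.append(Finding("high", "unknown-random-service", line))
        # Gmer-style MBR check: user-mode and kernel-mode reads disagree.
        if line.startswith("user != kernel MBR"):
            findings.append(Finding("high", "mbr-mismatch", line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per indicator name."""
    counts = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LOG):
        print(f"[{f.severity:6}] {f.indicator:26} {f.line}")
    print(summarize(triage(SAMPLE_DDS_LOG)))
```

On the sample this yields seven findings: two disabled products, one loopback proxy, one UAC policy, two random services and the MBR mismatch. None of these is proof of infection on its own (a user can legitimately run a local proxy or turn UAC off), which is why a responder asks for the full logs rather than acting on any single line.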



#2 LiquidTension

LiquidTension

  • Malware Response Instructor
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:11 PM

Posted 25 October 2014 - 04:19 PM

Hello Orcrin12, welcome to Bleeping Computer's Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
  • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.  
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
  • Ensure you are following this topic. Click the follow button at the top of the page.

======================================================

 

Can you attach the two TDSSKiller logs and post the ComboFix log please? 



#3 LiquidTension

LiquidTension

  • Malware Response Instructor
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:11 PM

Posted 28 October 2014 - 07:13 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



