
dllhost com surrogate issue


13 replies to this topic

#1 evanwishcoil
  • Members
  • 35 posts

Posted 01 November 2014 - 07:32 AM

Hello. I'm new here. I have been reading some of the forums about this issue and I have downloaded HitmanPro and Malwarebytes, and they caught some of the issue but it seems to still be there. So I figured I would see if I could get a pro's help on this.

CPU usage is normally at 100%, with multiple dllhost.exe processes; most are in the C:\Windows\SysWOW64 folder.

#2 dc3
    Bleeping Treehugger
  • Members
  • 30,391 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 01 November 2014 - 11:59 AM

Please post the Malwarebytes log.

To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.

To open the log double click on mbam-check.exe on your desktop. When the log opens, scroll down toward the bottom of the log to Quarantined Items. Copy and paste this in your next post.


Please run TDSSKiller.

Please download TDSSKiller from here and save it to your Desktop.

1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.

If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.

3.  Click Start Scan and allow the scan process to run.

4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.

***Do NOT select Delete!

Click on Continue.

5.  Click on Reboot computer.

Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.


Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to have the time to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

  • Click on this link to open ESET OnlineScan in a new window.
  • The ESET Online Scanner page will open, click on Yes, I agree to the terms of use, then click on Start, the scan will now begin.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

#3 evanwishcoil
  • Topic Starter
  • Members
  • 35 posts

Posted 02 November 2014 - 08:31 AM

Thank you. I ran Malwarebytes and it found 5 items: 2 Trojans and 3 PUP somethings; I had them all removed. TDSSKiller found 4 suspicious things: one was a RealPlayer updater (which I believe should be deleted because that came up as a virus thing in a different scan), my webcam, and then 2 directory things.
I'll add the logs and I'm going to do that last scan you sent.



#4 evanwishcoil
  • Topic Starter
  • Members
  • 35 posts

Posted 02 November 2014 - 08:34 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/2/2014
Scan Time: 7:19:42 AM
Logfile: anti malware.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.02.03
Rootkit Database: v2014.11.01.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jason

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 415210
Time Elapsed: 50 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.Getsavin.A, HKU\S-1-5-21-627916918-1245722293-2442415009-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\GetSavin, Quarantined, [8c6f1f178bf1ff37cea53dea9d664db3],
PUP.Optional.Getsavin.A, HKU\S-1-5-21-627916918-1245722293-2442415009-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\GetSavin, Quarantined, [58a33402bbc19c9a244f2cfb6f9428d8],
PUP.Optional.Getsavin.A, HKU\S-1-5-21-627916918-1245722293-2442415009-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\GetSavin, Quarantined, [ab50c373b2ca52e495de45e2ce356b95],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.Agent.ED, C:\Users\Jason\AppData\Local\Temp\UpdateFlashPlayer_a96ffd7b.exe, Quarantined, [f30879bd9ede1e18967b419a48b97987],
Trojan.Agent.ED, C:\Users\Jason\AppData\Local\Temp\UpdateFlashPlayer_b970b508.exe, Quarantined, [58a33df9dca02f0710014398659c07f9],

Physical Sectors: 0
(No malicious items detected)

(end)



#5 evanwishcoil
  • Topic Starter
  • Members
  • 35 posts

Posted 02 November 2014 - 08:39 AM

 - ok
08:27:03.0571 0x1a74  [ DCCA4B04AF87E52EF9EAA2190E06CBAC, 8858CFD159BB32AE9FCCA1A79EA83C876D481A286E914071D48F42FCA5B343D8 ] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
08:27:03.0679 0x1a74  Sidebar - ok
08:27:03.0710 0x1a74  [ 0FA760BF380B08D0B67B5507CD8B32AA, 0F73A7F64C4FDAB98CD3A865CC54B3A7195761530FCB115B725CC5A9FB738739 ] C:\Windows\System32\mctadmin.exe
08:27:03.0774 0x1a74  mctadmin - ok
08:27:04.0056 0x1a74  AVG-Secure-Search-Update_0913a - ok
08:27:04.0595 0x1a74  [ 22F7B9670AD770C7ED7F4738204C8E5C, 7B793AC094CB1B073419B5DAE09DFBB8EBED03D29301F490AA76EA0667613438 ] C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe
08:27:04.0878 0x1a74  HP Deskjet 3510 series (NET) - ok
08:27:04.0879 0x1a74  AVG-Secure-Search-Update_0214c - ok
08:27:05.0543 0x1a74  [ 697D1E5E6452171F0B9FE3849889BC90, 923DAEA1D7E8D224E0599FEEFE5C9BDCC6F71B028F6711E288027A53BB068720 ] C:\Users\Jason\AppData\Roaming\uTorrent\uTorrent.exe
08:27:13.0668 0x1a74  uTorrent - ok
08:27:13.0833 0x1a74  [ 5D61BE7DB55B026A5D61A3EED09D0EAD, D32CC7B31A6F98C60ABC313ABC7D1143681F72DE2BB2604711A0BA20710CAAAE ] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
08:27:13.0850 0x1a74  swg - ok
08:27:15.0905 0x1a74  [ DEB55C327597E42FA14E41F5858F3263, 199300A8E1B0000A82D04CDA2D32C482945AFFE47A037AAA58F89E3EDF059684 ] C:\Program Files\CCleaner\CCleaner64.exe
08:27:16.0762 0x1a74  CCleaner Monitoring - ok
08:27:16.0778 0x1a74  [ 5D61BE7DB55B026A5D61A3EED09D0EAD, D32CC7B31A6F98C60ABC313ABC7D1143681F72DE2BB2604711A0BA20710CAAAE ] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
08:27:16.0791 0x1a74  swg - ok
08:27:17.0491 0x1a74  [ 5C189A70C0CF78156B4EF780333CA64E, F0588EF9024E436C8A29609618727A250E2D79A1DA155E2B4C475C0427BF2D6C ] C:\Program Files (x86)\AIM\aim.exe
08:27:17.0947 0x1a74  Aim - ok
08:27:17.0950 0x1a74  RegistryBooster - ok
08:27:18.0043 0x1a74  EA Core - ok
08:27:18.0067 0x1a74  [ 5D61BE7DB55B026A5D61A3EED09D0EAD, D32CC7B31A6F98C60ABC313ABC7D1143681F72DE2BB2604711A0BA20710CAAAE ] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
08:27:18.0089 0x1a74  swg - ok
08:27:18.0096 0x1a74  ============================================================
08:27:18.0096 0x1a74  Scan finished
08:27:18.0097 0x1a74  ============================================================
08:27:18.0127 0x1120  Detected object count: 4
08:27:18.0127 0x1120  Actual detected object count: 4
08:28:14.0995 0x1120  RealPlayerUpdateSvc ( UnsignedFile.Multi.Generic ) - skipped by user
08:28:14.0995 0x1120  RealPlayerUpdateSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
08:28:14.0996 0x1120  PLFSetI ( UnsignedFile.Multi.Generic ) - skipped by user
08:28:14.0996 0x1120  PLFSetI ( UnsignedFile.Multi.Generic ) - User select action: Skip
08:28:14.0999 0x1120  VideoWebCamera ( UnsignedFile.Multi.Generic ) - skipped by user
08:28:14.0999 0x1120  VideoWebCamera ( UnsignedFile.Multi.Generic ) - User select action: Skip
08:28:15.0002 0x1120  HPHmon05 ( UnsignedFile.Multi.Generic ) - skipped by user
08:28:15.0002 0x1120  HPHmon05 ( UnsignedFile.Multi.Generic ) - User select action: Skip



#6 dc3
    Bleeping Treehugger
  • Members
  • 30,391 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 02 November 2014 - 08:49 AM

 
Please download and run Emsisoft.

Please copy and paste the results in your topic.


Please run AdwCleaner

Please download AdwCleaner and install it.

When AdwCleaner opens you will see an image like the one below.

Click on Scan to start the scan.

Once the search is complete a list of the pending items will be displayed. If you see any which you do not want removed, remove the check mark next to it.

Click on Clean to remove the selected items. If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.

You will receive a message telling you that all programs will be closed so that the infections can be removed. Click on OK. The computer will be restarted to complete the cleaning process.

When the cleaning process is complete a log of what was removed will be presented. Please copy and paste this log in your topic.


#7 evanwishcoil
  • Topic Starter
  • Members
  • 35 posts

Posted 02 November 2014 - 09:53 AM

AdwCleaner found nothing.



#8 dc3
    Bleeping Treehugger
  • Members
  • 30,391 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 02 November 2014 - 10:30 AM

What about the Emsisoft?



#9 evanwishcoil
  • Topic Starter
  • Members
  • 35 posts

Posted 02 November 2014 - 10:32 AM

Have not tried that yet. The ESET scan is still running and it's found 3 so far.



#10 evanwishcoil
  • Topic Starter
  • Members
  • 35 posts

Posted 02 November 2014 - 01:22 PM

ESET has been scanning for 3 hrs and found 16.


#11 dc3
    Bleeping Treehugger
  • Members
  • 30,391 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 02 November 2014 - 01:29 PM

The Eset scan takes a long time.  Let it complete and then post the log in your topic.



#12 evanwishcoil
  • Topic Starter
  • Members
  • 35 posts

Posted 02 November 2014 - 03:58 PM

Here is the ESET scan; it got a lot!
C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir a variant of Win64/Systweak.A potentially unwanted application
C:\AI_RecycleBin\{155F98F7-0DD6-4B4B-BC2D-E2D27AD3F6F4}\3\Strongvault\StrongVaultApp.exe MSIL/Adware.StrongVault.A application
C:\Program Files (x86)\FLVTube Player\player.swf Win32/Adware.FlvDirect application
C:\Users\Jason\AppData\Local\Temp\is1914646434\821372_stp.EXE a variant of Win32/FileTypeAssistant.A potentially unwanted application
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\4ab2ca19-288742e1 multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\101630dd-2a73a89f multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\101630dd-31aeef96 multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7209aa1d-2c1c24e7 multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\753b202c-68d7efd3 multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\7bf2d4f5-305a4555 a variant of Java/Exploit.CVE-2012-0507.FQ trojan
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\378e0eb8-521d38c6 multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\49923478-7b4da1af multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\4a7e34ba-232c1a83 multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\45af8646-3e9bc48b multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4c7ce06-3d8d26b8 a variant of Java/Exploit.CVE-2013-1493.FY trojan
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\190ac3be-338dd930 Java/Exploit.Agent.OEZ trojan
C:\Users\Jason\Downloads\BitZipperSetup [1].exe a variant of Win32/FileTypeAssistant.A potentially unwanted application
C:\Users\Jason\Downloads\speedupmypc.exe Win32/SpeedUpMyPC potentially unwanted application
C:\Windows\Installer\MSI63CE.tmp-\Smartbar.Resources.LanguageSettings.resources.dll a variant of MSIL/Toolbar.Linkury.E potentially unwanted application
C:\Windows\Installer\MSI63CE.tmp-\sppsm.dll a variant of MSIL/Toolbar.Linkury.G potentially unwanted application
C:\Windows\Installer\MSI63CE.tmp-\srbs.dll a variant of MSIL/Toolbar.Linkury.C potentially unwanted application
C:\Windows\Installer\MSI63CE.tmp-\srprl.dll a variant of MSIL/Toolbar.Linkury.F potentially unwanted application
C:\Windows\Installer\MSI63CE.tmp-\srpu.dll a variant of MSIL/Toolbar.Linkury.I potentially unwanted application
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Application Updater\temp\~wtF78E.tmp a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Application Updater\temp\~wtF78E.tmp a variant of Win32/Toolbar.Widgi.B potentially unwanted application
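
The TDSSKiller output in post #5 and the ESET export in post #12 both have a fixed line shape, so a helper reviewing them can pull out the "skipped by user" entries, the file hashes, and a rough severity bucket without reading the raw logs by eye. The script below is an added example written for this edit; it is not from the thread, from Kaspersky or from ESET. Its sample lines are copied from the two logs posted above, while the severity buckets ("malware", "pua", "review") and the Java-cache check are my own triage convention, not either scanner's.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str    # which scanner produced the line
    path: str      # file path, or service/driver name for TDSSKiller
    verdict: str   # the scanner's own verdict text
    severity: str  # "malware", "pua" or "review" (our own triage bucket)


# TDSSKiller lines, as posted in this thread:
#   HH:MM:SS.ffff 0xTID  [ MD5, SHA256 ] C:\path\file.exe
#   HH:MM:SS.ffff 0xTID  name ( Verdict ) - skipped by user
TDSS_FILE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+0x[0-9a-f]+\s+"
    r"\[ (?P<md5>[0-9A-F]{32}), (?P<sha256>[0-9A-F]{64}) \] (?P<path>.+)$")
TDSS_SKIP = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+0x[0-9a-f]+\s+"
    r"(?P<name>.+?) \( (?P<verdict>[^)]+) \) - skipped by user$")

# ESET Online Scanner export lines, as posted in this thread:
#   C:\path\with spaces\file.ext <verdict>
# Paths may contain spaces, so the verdict is recognised by its fixed tail.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<verdict>multiple threats|(?:a variant of )?\S+ "
    r"(?:potentially unwanted application|application|trojan))$")


def severity(verdict: str) -> str:
    """Triage bucket for a verdict string. 'review' covers TDSSKiller's
    UnsignedFile.Multi.Generic, which only says the file is unsigned."""
    if verdict == "multiple threats" or verdict.endswith(" trojan"):
        return "malware"
    if verdict.endswith(" application"):  # includes "potentially unwanted application"
        return "pua"
    return "review"


def parse_tdsskiller(text: str):
    """Return (findings the user chose to skip, {path: (md5, sha256)})."""
    skipped, hashes = [], {}
    for line in text.splitlines():
        m = TDSS_FILE.match(line)
        if m:
            hashes[m["path"]] = (m["md5"], m["sha256"])
            continue
        m = TDSS_SKIP.match(line)
        if m:
            skipped.append(Finding("tdsskiller", m["name"], m["verdict"],
                                   severity(m["verdict"])))
    return skipped, hashes


def parse_eset(text: str):
    """Return one Finding per ESET detection line; other lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            findings.append(Finding("eset", m["path"], m["verdict"],
                                    severity(m["verdict"])))
    return findings


def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def java_cache_hits(findings):
    """Detections inside the Java deployment cache. These are exploit applets
    that were served to a Java plug-in, so they point at an unpatched Java
    install rather than proving a live infection on their own."""
    marker = "\\sun\\java\\deployment\\cache\\"
    return [f for f in findings if marker in f.path.lower()]


# Sample input: lines copied from the logs posted above (constructed subset).
TDSS_SAMPLE = r"""
08:27:03.0710 0x1a74  [ 0FA760BF380B08D0B67B5507CD8B32AA, 0F73A7F64C4FDAB98CD3A865CC54B3A7195761530FCB115B725CC5A9FB738739 ] C:\Windows\System32\mctadmin.exe
08:27:03.0774 0x1a74  mctadmin - ok
08:27:18.0127 0x1120  Detected object count: 4
08:28:14.0995 0x1120  RealPlayerUpdateSvc ( UnsignedFile.Multi.Generic ) - skipped by user
08:28:14.0995 0x1120  RealPlayerUpdateSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
08:28:14.0999 0x1120  VideoWebCamera ( UnsignedFile.Multi.Generic ) - skipped by user
08:28:14.0999 0x1120  VideoWebCamera ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""

ESET_SAMPLE = r"""
C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir a variant of Win64/Systweak.A potentially unwanted application
C:\Program Files (x86)\FLVTube Player\player.swf Win32/Adware.FlvDirect application
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\4ab2ca19-288742e1 multiple threats
C:\Users\Jason\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\7bf2d4f5-305a4555 a variant of Java/Exploit.CVE-2012-0507.FQ trojan
C:\Users\Jason\Downloads\BitZipperSetup [1].exe a variant of Win32/FileTypeAssistant.A potentially unwanted application
"""

if __name__ == "__main__":
    skipped, hashes = parse_tdsskiller(TDSS_SAMPLE)
    for f in skipped:
        print(f"TDSSKiller skipped: {f.path} ({f.verdict}) -> {f.severity}")
    eset = parse_eset(ESET_SAMPLE)
    print("ESET by severity:", count_by_severity(eset))
    print("Java cache entries:", len(java_cache_hits(eset)))
```

The split between the three buckets is what a helper actually wants from these logs: the TDSSKiller entries this user skipped were flagged only as unsigned files (RealPlayer updater, webcam, HP monitor), which is a prompt to look the file up, not a detection, while the ESET "trojan" and "multiple threats" hits sit in the Java cache and say more about an outdated Java plug-in than about what is running now. The MD5/SHA256 pairs from the TDSSKiller file lines can be checked against a reputation service of your choice before anything is deleted.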

#13 evanwishcoil
  • Topic Starter
  • Members
  • 35 posts

Posted 03 November 2014 - 07:23 AM

I ran the Emsisoft scan and it found a lot, so I quarantined it all.



#14 dc3
    Bleeping Treehugger
  • Members
  • 30,391 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 03 November 2014 - 11:09 AM

Reopen Emsisoft and click on Logs, then click on Export.

Save this to either Documents or your Desktop.

Click on the log, copy and then paste it in your topic.

