
dllhost.exe COM Surrogate infection


This topic is locked
17 replies to this topic

#1 Ashwood

Ashwood

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 03 November 2014 - 09:33 AM

This program is taking over my computer's CPU. It seems to flare up whenever my Norton Antivirus detects two programs: adclicker and Poweliks. Once the antivirus has blocked either of these programs, my processes log is buried under dllhost.exe processes. Any help would be appreciated. Here is my DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17344
Run by Office-1 at 9:11:45 on 2014-11-03
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton 360 Premier Edition\Engine\21.6.0.32\N360.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\File Association Helper\FAHWindow.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Users\Office-1\AppData\Local\Temp\connectbgdl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Users\Office-1\AppData\Local\Temp\tlx_app\_PSWIN32.EXE
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Norton 360 Premier Edition\Engine\21.6.0.32\N360.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360 premier edition\engine\21.6.0.32\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360 premier edition\engine\21.6.0.32\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: delta Helper Object: {C1AF5FA5-852C-4C90-812E-A7F75E011D87} - c:\program files\delta\delta\1.8.21.0\bh\delta.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Delta Toolbar: {82E1477C-B154-48D3-9891-33D83C26BCD3} - c:\program files\delta\delta\1.8.21.0\deltaTlbr.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360 premier edition\engine\21.6.0.32\coieplg.dll
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe  startup
mRun: [PeachtreePrefetcher.exe] c:\program files\sage\peachtree\PeachtreePrefetcher.exe /configfile:peachtreeprefetcher.winstart.config
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [FAHConsole] c:\program files\file association helper\FAHConsole.exe
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\users\office-1\appdata\roaming\micros~1\windows\startm~1\programs\startup\phones~1.lnk - m:\phoneslips\pslips\pswin32.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\csconn~1.lnk - \\server2012-pc\c\wincsi\tools\connectbgdl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~3.lnk - c:\program files\common files\intuit\quickbooks\qbwebconnector\QBWebConnector.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2015\QBW32.EXE
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qb.webex.com/client/v_mywebex-qb20/support/ieatgpc1.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{985BA871-9523-4E4E-A73C-203686F33D87} : DHCPNameServer = 192.168.1.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2012\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - c:\program files\intuit\quickbooks 2013\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - c:\program files\intuit\quickbooks 2014\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb8 - {CD17C364-2EC8-4929-91A9-C4839A20E909} - c:\program files\intuit\quickbooks 2015\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.111\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\office-1\appdata\roaming\mozilla\firefox\profiles\sfghyua3.default\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\fromdoctopdf_65\bar\1.bin\NP65Stub.dll
FF - plugin: c:\program files\google\update\1.3.25.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\users\office-1\appdata\local\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_152.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2014-10-29 16:00:39    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-10-28 17:09:09    --------    d-----w-    c:\users\office-1\appdata\local\Macromedia
2014-10-17 17:54:54    306688    ----a-w-    c:\windows\IsUninst.exe
2014-10-16 15:01:59    --------    d-----w-    c:\users\office-1\appdata\local\WinZip
2014-10-16 15:01:38    --------    d-----w-    c:\program files\File Association Helper
2014-10-16 13:12:04    --------    d-----w-    c:\users\office-1\appdata\roaming\TeamViewer
2014-10-15 12:30:51    3221504    ----a-w-    c:\windows\system32\mstscax.dll
2014-10-06 12:36:01    936152    ----a-r-    c:\windows\system32\drivers\n360\1506000.020\symefa.sys
2014-10-06 12:36:01    447704    ----a-r-    c:\windows\system32\drivers\n360\1506000.020\symnets.sys
2014-10-06 12:36:01    367704    ----a-r-    c:\windows\system32\drivers\n360\1506000.020\symds.sys
2014-10-06 12:36:01    32984    ----a-w-    c:\windows\system32\drivers\n360\1506000.020\srtspx.sys
2014-10-06 12:36:01    21520    ----a-r-    c:\windows\system32\drivers\n360\1506000.020\symelam.sys
2014-10-06 12:36:00    664792    ----a-w-    c:\windows\system32\drivers\n360\1506000.020\srtsp.sys
2014-10-06 12:36:00    209624    ----a-w-    c:\windows\system32\drivers\n360\1506000.020\ironx86.sys
2014-10-06 12:36:00    127064    ----a-r-    c:\windows\system32\drivers\n360\1506000.020\ccsetx86.sys
2014-10-06 12:35:49    30068    ----a-w-    c:\windows\system32\drivers\n360\1506000.020\symvtcer.dat
2014-10-06 12:35:49    --------    d-----w-    c:\windows\system32\drivers\n360\1506000.020
.
==================== Find3M  ====================
.
2014-10-10 01:44:58    230912    ----a-w-    c:\windows\system32\generaltel.dll
2014-10-10 01:44:35    396288    ----a-w-    c:\windows\system32\aepdu.dll
2014-10-10 01:39:38    302592    ----a-w-    c:\windows\system32\aeinv.dll
2014-09-29 00:41:36    2379264    ----a-w-    c:\windows\system32\win32k.sys
2014-09-25 22:32:04    2017280    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-09-25 01:40:50    519680    ----a-w-    c:\windows\system32\qdvd.dll
2014-09-24 14:33:03    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-24 14:33:03    701104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-09-19 01:25:12    4201472    ----a-w-    c:\windows\system32\jscript9.dll
2014-09-19 01:14:57    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-09-19 01:14:44    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-09-19 01:02:07    454656    ----a-w-    c:\windows\system32\vbscript.dll
2014-09-19 01:01:47    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-09-19 01:01:03    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-09-19 00:59:40    61952    ----a-w-    c:\windows\system32\MshtmlDac.dll
2014-09-19 00:50:16    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-09-19 00:50:15    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-09-19 00:49:31    597504    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-09-19 00:44:23    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-09-19 00:36:23    60416    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-09-19 00:18:55    1068032    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2014-09-18 23:59:11    1810944    ----a-w-    c:\windows\system32\wininet.dll
2014-09-18 01:32:52    2363904    ----a-w-    c:\windows\system32\msi.dll
2014-09-13 01:40:05    67072    ----a-w-    c:\windows\system32\packager.dll
2014-09-09 21:47:10    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-09-04 05:04:15    372736    ----a-w-    c:\windows\system32\rastls.dll
2014-08-23 01:46:55    305152    ----a-w-    c:\windows\system32\gdi32.dll
2014-08-19 02:41:38    50176    ----a-w-    c:\windows\system32\setbcdlocale.dll
2014-08-19 02:41:22    50688    ----a-w-    c:\windows\system32\appidapi.dll
2014-08-19 02:41:22    27648    ----a-w-    c:\windows\system32\appidsvc.dll
2014-08-19 02:40:49    96768    ----a-w-    c:\windows\system32\appidpolicyconverter.exe
2014-08-19 02:40:49    16896    ----a-w-    c:\windows\system32\appidcertstorecheck.exe
2014-08-19 01:48:34    50176    ----a-w-    c:\windows\system32\drivers\appid.sys
.
============= FINISH:  9:13:34.61 ===============
 




 


#2 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:00 PM

Posted 05 November 2014 - 12:11 PM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please download Powelikscleaner (by ESET) and save it to your Desktop.
  • Double-click the downloaded file to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Step 2

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them, as only the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#3 Ashwood

Ashwood
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 07 November 2014 - 08:43 AM

Sorry for the delay. My antivirus was preventing me from running FRST. I had to compress the poweliks log to be able to post it.

Attached Files


Edited by Ashwood, 07 November 2014 - 08:48 AM.


#4 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:00 PM

Posted 07 November 2014 - 01:00 PM

Step 1

Please uninstall some programs:

  • Windows 7: Click on the Start button, open Control Panel and click Uninstall a program.
  • Search and select the following programs one by one and click on Uninstall:

BrowserProtect
Delta Chrome Toolbar
Delta toolbar
FromDocToPDF Firefox Toolbar
Updater Service

  • Reboot your computer.

Step 2

Please download AdwCleaner (by Xplode) and save it to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select "Run As Administrator"
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • After rebooting, a log file (that is saved in C:\AdwCleaner[S#].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.

Step 3

Please download and install Malwarebytes Anti-Malware.

  • Please open Malwarebytes Anti-Malware.
  • Please update the database by clicking on the "Update Now" button.
  • After the update, click "Settings" [1] and go to "Detection and Protection" [2].
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard [3], then click on Scan Now [4] to start the scan.
    If Malware or Potentially Unwanted Programs [PUPs] are found, you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine All" [5]. Then click the button: Apply Actions. [6]
  • A window with an option to view the detailed log will appear.
  • Click on "View detailed log".
  • After viewing the results, please click on the "Copy to Clipboard" button and then OK.
  • Return to our forum. Paste your log into your next reply.

Step 4

Start FRST with administrator privileges.

  • Make sure the option Addition.txt is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

regards,
deeprybka

#5 Ashwood

Ashwood
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 07 November 2014 - 04:38 PM

Thank you. I will not have access to this PC until Monday. Please be patient with me until then.



#6 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:00 PM

Posted 08 November 2014 - 05:54 AM

OK... :)

Thanks for letting me know.
regards,
deeprybka

#7 Ashwood

Ashwood
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 10 November 2014 - 10:27 AM

Thank you for your patience. Here are the results of the scans.

Attached Files



#8 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:00 PM

Posted 10 November 2014 - 11:11 AM

Hi,
the attached FRST.txt is "empty". Please re-run FRST and post the log. :)
regards,
deeprybka

#9 Ashwood

Ashwood
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 10 November 2014 - 12:05 PM

Sorry, I thought that might be how it was supposed to come out. I re-ran the program, and here is the report.

Attached Files

  • Attached File  FRST.txt   33.29KB   6 downloads


#10 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:00 PM

Posted 10 November 2014 - 12:23 PM

Let's do a final check-up:

Step 1

Don't remove on your own anything that Hitman Pro detects!
This scanner, while it is really good for checking, has been known to delete files instead of curing them, which in some cases may render the machine unbootable.
Any removals will be done manually after careful analysis of the scan results!

Please download HitmanPro 32-bit / HitmanPro 64-bit by SurfRight and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the HitmanPro icon and select Run as Administrator to start the tool.
  • If the program won't run, please run it while holding down the left CTRL key until it's loaded!
  • Click on the Next button (1). You must agree with the terms of the EULA (2 - if asked).
  • Check the box beside "No, I only want to perform a one-time scan to check this computer" and click on the Next button. (3)
  • The program will start to scan the computer. It should only take several minutes.
  • When the scan is done, click on Save Log (4) and close HitmanPro! (5)
  • Copy and paste the content of the log file in your next reply.


Step 2

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the real-time protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings: [screenshot of the scan settings]
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed, the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish.
  • A log file is created: [screenshot of the log file path]
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

Can you please tell me which problems still persist now?
How is the computer running?

regards,
deeprybka

#11 Ashwood

Ashwood
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 11 November 2014 - 04:24 PM

Sorry that took so long. ESET needed 8 hours to run.

 

The infected issue seems fine and I have not observed any instances of dllhost multiplying in my processes window. My only concern is that adobe flash is using up a lot of memory when I use it in firefox. I don't know if this is a related issue or not.

Attached Files



#12 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:00 PM

Posted 11 November 2014 - 04:54 PM

Step 1

Upload File(s) to VirusTotal
I want you to upload the following file(s) to an online virus-scanner to scan.
  • Click the Choose File button.
  • Please copy/paste the following text into the 'File name:' box:

    C:\Users\Office-1\AppData\Local\Temp\tlx_app\_PSWIN32.EXE
  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analyzed: click Reanalyse
  • Copy and Paste the link of the result page in your reply;
Follow the procedure for the following file(s) too:
C:\Users\Office-1\AppData\Local\Temp\ConnectBGDL.exe
regards,
deeprybka
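The two files the helper singles out in this post are exactly the entries in the DDS "Running Processes" list of post #1 that run from the user's Temp directory, and the original complaint was a swarm of dllhost.exe processes. As an added example, not part of this thread or of the DDS tool, the Python script below applies those two triage heuristics to a DDS log: it lists executables running from user-writable Temp locations and counts dllhost.exe (COM Surrogate) instances. The sample log is constructed from paths seen in this thread (the repeated dllhost.exe lines are made up to model the flare-up), and the function names, the list of Temp directories and the threshold of two dllhost.exe instances are assumptions chosen for illustration.

```python
"""Triage the 'Running Processes' section of a DDS log.

Added example, not part of the thread or of DDS itself. It encodes two heuristics
a malware-response helper applies when reading such a log: executables running
from user-writable Temp directories deserve a closer look, and an unusually high
number of dllhost.exe (COM Surrogate) instances is the symptom reported here.
A hit is a reason to examine the file (e.g. hash lookup), not a verdict.
"""
import re
from collections import Counter

# Constructed sample built from paths seen in the thread; the repeated dllhost.exe
# entries are invented to model the 'flare-up' described in post #1.
SAMPLE_DDS = r"""DDS (Ver_2012-11-20.01) - NTFS_x86
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton 360 Premier Edition\Engine\21.6.0.32\N360.exe
C:\Users\Office-1\AppData\Local\Temp\connectbgdl.exe
C:\Users\Office-1\AppData\Local\Temp\tlx_app\_PSWIN32.EXE
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
"""

# DDS section banners look like '====== Name ======'.
SECTION_HEADER = re.compile(r"^=+\s*(.*?)\s*=+$")
# Path up to the first '.exe' token; anything after it is a command-line argument.
EXE_PATH = re.compile(r"^(.+?\.exe)(?:\s|$)", re.IGNORECASE)
# Assumed list of locations any user (or code running as that user) can write to.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)


def parse_running_processes(dds_text):
    """Return the executable paths listed under 'Running Processes', in log order."""
    paths, in_section = [], False
    for raw in dds_text.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            # Enter the section we want; any other banner ends it.
            in_section = header.group(1).lower() == "running processes"
            continue
        if not in_section or line in ("", "."):
            continue
        match = EXE_PATH.match(line)
        if match:
            paths.append(match.group(1))
    return paths


def user_writable_executables(paths):
    """Paths that run from Temp-style, user-writable directories."""
    return [p for p in paths if any(d in p.lower() for d in USER_WRITABLE_DIRS)]


def process_name_counts(paths):
    """Count instances per executable name, case-insensitively."""
    return Counter(p.rsplit("\\", 1)[-1].lower() for p in paths)


def triage(dds_text, dllhost_threshold=2):
    """Summarise the two findings a helper would raise first."""
    paths = parse_running_processes(dds_text)
    counts = process_name_counts(paths)
    dllhost = counts["dllhost.exe"]
    return {
        "process_count": len(paths),
        "temp_executables": user_writable_executables(paths),
        "dllhost_count": dllhost,
        # Threshold is an assumption: one or two COM Surrogate hosts are normal.
        "dllhost_swarm": dllhost > dllhost_threshold,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run against the thread's real log the script reports one dllhost.exe (no swarm at the moment the log was taken) and the same two Temp executables the helper asked to have scanned; a flagged path only says the file is worth checking, which is why the next step in the thread is a hash lookup rather than deletion.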

#13 Ashwood

Ashwood
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 12 November 2014 - 09:17 AM

PSWIN32

https://www.virustotal.com/en/file/e6058ac344fccc390a69b0318e3ca6c32cc33c507f99dcfaa71d7f424f0a306f/analysis/1415799610/

 

ConnectBGDL

https://www.virustotal.com/en/file/58e4e7730dece7f1ef887439f8ef8b4e054ff49771b9774edaafd74cb884db55/analysis/1415801765/



#14 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:00 PM

Posted 12 November 2014 - 12:26 PM

Hi,

"I don't know if this is a related issue or not."

No, it isn't.

ESET hasn't found anything that we really need to worry about. Just some adware "remnants" and a lot of stuff in the windows.old folder, but no active malware. :)

That's it!
Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!


Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.

Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:

 

Java 7 Update 71

 

Tips

I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.


regards,
deeprybka

#15 Ashwood

Ashwood
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 13 November 2014 - 08:43 AM

Thank you for your help. My computer is working much better, except I have lost the use of one of my programs. I am currently trying to get it back up and running. I really appreciate all your help in this matter.





