dllhost taking over task manager and eating up memory

#1 ki4jyi


Posted 09 November 2014 - 01:55 AM

I've used malwarebytes to quarantine and remove threats but the problem still isn't resolved.  Downloading keeps getting turned off in internet explorer and cookies are deleted. 


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.67.2
Run by Phillip at 0:38:48 on 2014-11-09
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4095.1999 [GMT -6:00]
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.flywestwind.com/
uSearch Bar = Preserve
mStart Page = www.google.com
uProxyOverride = 192.168.*.*
mWinlogon: Userinit = userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
uRun: [MPOptimizer] "C:\Program Files\MaxPerforma Optimizer\MaxPerforma.exe" /scan
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StereoLinksInstall] "C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvstlink.exe" /install1
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TCP: NameServer =
TCP: Interfaces\{04CDA349-7B3B-4903-9C36-9C147E14CDBA} : DHCPNameServer =
TCP: Interfaces\{09F16CA6-43B0-4FF2-AB8F-3B6DF8D89947} : DHCPNameServer =
TCP: Interfaces\{09F16CA6-43B0-4FF2-AB8F-3B6DF8D89947}\642494355727675696C6C616E636566516E673 : DHCPNameServer =
TCP: Interfaces\{09F16CA6-43B0-4FF2-AB8F-3B6DF8D89947}\64F68764966383 : DHCPNameServer =
TCP: Interfaces\{3580D70A-C806-4F28-902C-DAE39CDB2602} : DHCPNameServer =
TCP: Interfaces\{3985F6E0-143B-4434-A690-F8A53131A55D} : DHCPNameServer =
TCP: Interfaces\{49E2F92A-C026-4957-93D2-364D8051DB1A} : DHCPNameServer =
TCP: Interfaces\{6FB9B195-7468-4353-9230-5F5E42F66CF0} : DHCPNameServer =
TCP: Interfaces\{706F6796-95D8-44E8-A27E-44B9F199596B} : DHCPNameServer =
TCP: Interfaces\{8C78F065-80A0-4E41-9A52-A26AEA8BD569} : DHCPNameServer =
TCP: Interfaces\{B16C1892-A033-4CFC-8083-B5941ACD1B1E}\4427F69646022514A525 : DHCPNameServer =
TCP: Interfaces\{B16C1892-A033-4CFC-8083-B5941ACD1B1E}\64F68764960333 : DHCPNameServer =
TCP: Interfaces\{B16C1892-A033-4CFC-8083-B5941ACD1B1E}\64F68764968313 : DHCPNameServer =
TCP: Interfaces\{B16C1892-A033-4CFC-8083-B5941ACD1B1E}\D4F62696C6560284F6473707F6470263336313 : DHCPNameServer =
TCP: Interfaces\{B2B8B44F-63FC-4905-AA35-B4A185FC22A9} : DHCPNameServer =
TCP: Interfaces\{B9923483-25C3-4569-8F7C-C2C10D81B9FF} : DHCPNameServer =
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = www.google.com
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
x64-Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
============= SERVICES / DRIVERS ===============
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-11-8 1871160]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-11-8 968504]
R3 chdrvr01;chdrvr01;C:\Windows\System32\drivers\chdrvr01.sys [2013-9-13 248496]
R3 chdrvr02;chdrvr02;C:\Windows\System32\drivers\chdrvr02.sys [2013-9-13 11440]
R3 chdrvr03;chdrvr03;C:\Windows\System32\drivers\chdrvr03.sys [2013-9-13 24240]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-11-8 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-11-8 129752]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-11-8 63704]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-1-29 36720]
R3 npusbio;npusbio;C:\Windows\System32\drivers\npusbio_x64.sys [2012-7-9 38400]
R3 SaiH0BAC;SaiH0BAC;C:\Windows\System32\drivers\SaiH0BAC.sys [2007-7-2 176128]
R3 SaiH0C2D;SaiH0C2D;C:\Windows\System32\drivers\SaiH0C2D.sys [2007-7-2 176128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 PST Service;PST Service;C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe --> C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [?]
S3 GamesAppService;GamesAppService;"C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" --> C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [?]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-5-26 111616]
S3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;C:\Windows\System32\drivers\netr7364.sys [2011-10-5 729152]
S3 NMgamingmsFltr;USB Optical Mouse;C:\Windows\System32\drivers\NMgamingms.sys [2009-7-24 11264]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2014-11-1 38048]
S3 pneteth;PdaNet Broadband;C:\Windows\System32\drivers\pneteth.sys [2013-3-20 15360]
S3 pnetmdm;PdaNet Modem;C:\Windows\System32\drivers\pnetmdm64.sys [2011-7-11 17920]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-9-22 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-9-22 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-9-22 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-18 1255736]
S4 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2011-4-13 244624]
=============== Created Last 30 ================
2014-11-09 05:07:00 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-11-09 05:06:29 93400 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-11-09 05:06:29 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-11-09 05:06:29 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-11-09 05:06:29 -------- d-----w- C:\ProgramData\Malwarebytes
2014-11-09 05:06:29 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-09 05:04:52 -------- d-----w- C:\Windows\Panther
2014-11-09 04:32:26 -------- d-----w- C:\ProgramData\Licenses
2014-11-08 21:19:38 -------- d-----w- C:\Users\Phillip\.gstreamer-0.10
2014-11-03 03:38:28 233368 ----a-w- C:\Program Files (x86)\Microsoft Games\Microsoft Flight Simulator X\MyTraffic\TDBX.exe
2014-10-30 22:45:08 881400 ----a-w- C:\Program Files (x86)\Microsoft Games\Microsoft Flight Simulator X\unins006.exe
2014-10-30 22:20:50 251701 ----a-w- C:\Program Files (x86)\Microsoft Games\Microsoft Flight Simulator X\UtAkUninst.exe
2014-10-30 22:15:18 11627712 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{15AD70B6-A0DE-4124-9435-BC0B7E753E97}\mpengine.dll
2014-10-30 21:13:33 -------- d-----w- C:\Program Files\Microsoft Security Client
2014-10-30 20:49:24 -------- d-----w- C:\Users\Phillip\AppData\Roaming\Systweak
2014-10-23 18:23:08 -------- d-----w- C:\Users\Phillip\AppData\Local\AirTrafficManager
2014-10-21 02:11:15 661716713 ---ha-w- C:\Program Files (x86)\Microsoft Games\Microsoft Flight Simulator X\SimMarket\Pensacola Intl Airport\RepairPensacola Intl Airport.exe
2014-10-21 02:11:15 1189051 ----a-w- C:\Program Files (x86)\Microsoft Games\Microsoft Flight Simulator X\SimMarket\Pensacola Intl Airport\unins000.exe
2014-10-17 19:14:57 1299293 ----a-w- C:\Program Files (x86)\Microsoft Games\Microsoft Flight Simulator X\unins007.exe
2014-10-15 19:19:39 -------- d-----w- C:\ProgramData\simMarket
2014-10-11 16:09:21 98216 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
==================== Find3M  ====================
2014-11-08 22:13:20 5 ----a-w- C:\Windows\SysWow64\lMMLDeleteUserData42107612FX.tmp
2014-10-06 01:02:45 31520 ----a-w- C:\Windows\System32\nvhdap64.dll
2014-10-06 01:02:45 197408 ----a-w- C:\Windows\System32\drivers\nvhda64v.sys
2014-10-06 01:02:45 1538880 ----a-w- C:\Windows\System32\nvhdagenco6420103.dll
2014-10-02 20:53:02 278152 ------w- C:\Windows\System32\MpSigStub.exe
2014-09-27 03:19:15 6878408 ----a-w- C:\Windows\System32\nvcpl.dll
2014-09-27 03:19:14 3532608 ----a-w- C:\Windows\System32\nvsvc64.dll
2014-09-27 03:19:13 935232 ----a-w- C:\Windows\System32\nvvsvc.exe
2014-09-27 03:19:13 61640 ----a-w- C:\Windows\System32\nvshext.dll
2014-09-27 03:19:13 2558792 ----a-w- C:\Windows\System32\nvsvcr.dll
2014-09-27 03:19:12 385352 ----a-w- C:\Windows\System32\nvmctray.dll
2014-09-24 19:04:37 3968693 ----a-w- C:\Windows\System32\nvcoproc.bin
2014-09-04 19:14:38 38048 ----a-w- C:\Windows\System32\drivers\nvvad64v.sys
2014-09-04 19:14:38 34976 ----a-w- C:\Windows\System32\nvaudcap64v.dll
2014-09-04 19:14:38 32416 ----a-w- C:\Windows\SysWow64\nvaudcap32v.dll
2014-08-12 20:59:04 181 ----a-w- C:\Users\Phillip\FSDreamTeam_KFLL.reg
============= FINISH:  0:44:42.78 ===============

#2 deeprybka


Posted 11 November 2014 - 12:36 PM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Re-enable downloads in Internet Explorer

Press the Windows key + R on your keyboard at the same time. Type inetcpl.cpl and click OK.
Click the Security tab and then on Reset.

Step 2
Please download Powelikscleaner (by ESET) and save it to your Desktop.
  • Double-click the tool's icon to start it.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Step 3

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

Harm no one; rather, help everyone as much as you can. Arthur Schopenhauer
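The two conditions that Step 1 and Step 2 above address (the Internet zone's file-download policy, and an autostart entry that hides from regedit or runs script straight from the registry) can be checked from an elevated PowerShell before and after running the tools. This is an added example, not code from the thread, from Bleeping Computer or from ESET's cleaner; the zone registry path and action value 1803 are standard Internet Explorer settings, while the Run-key match patterns are my assumption about how registry-resident persistence commonly presents.

```powershell
# Added example, not from the thread or from ESET's cleaner: read-only checks for the
# two conditions the helper's Step 1 and Step 2 address. Zone value "1803" is the
# standard IE "File download" URL action (0 = allow, 1 = prompt, 3 = disallow); the
# Run-key heuristics are an assumption, so treat hits as leads to review, not a verdict.

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Test-IEDownloadPolicy {
    # One row per hive and zone; 'DISABLED' matches the symptom in the first post.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($zone in 1..4) {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
            $val = (Get-ItemProperty -Path $key -Name '1803' -ErrorAction SilentlyContinue).'1803'
            $status = if ($null -eq $val) { 'not set (default applies)' }
                      elseif ($val -eq 0) { 'allowed' }
                      elseif ($val -eq 1) { 'prompt' }
                      elseif ($val -eq 3) { 'DISABLED' }
                      else { "unknown ($val)" }
            [pscustomobject]@{ Hive = $hive; Zone = $zoneNames[$zone]; Value1803 = $val; Status = $status }
        }
    }
}

function Find-SuspiciousRunEntries {
    # Flag autostart values whose name is not printable ASCII (regedit cannot show
    # such names) or whose data drives a script engine straight from the registry.
    $runKeys = foreach ($hive in 'HKCU', 'HKLM') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($keyPath in $runKeys) {
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            $reasons = @()
            if ($name -match '[^\x20-\x7E]') { $reasons += 'non-printable value name' }
            if ($data -match '(?i)javascript:|vbscript:|RunHTMLApplication|\bmshta\b') {
                $reasons += 'script engine launched from value data'
            }
            if ($reasons) {
                [pscustomobject]@{ Key = $keyPath; Name = $name; Data = $data; Reason = ($reasons -join '; ') }
            }
        }
    }
}

Test-IEDownloadPolicy | Format-Table -AutoSize
Find-SuspiciousRunEntries | Format-List
```

The inetcpl.cpl reset in Step 1 restores the zone defaults, and removal of anything the second function flags is best left to the cleaner and the FRST logs the helper asked for.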

#3 ki4jyi


Posted 11 November 2014 - 12:44 PM

Please disregard this post. The problem was resolved using ComboFix. Thank you for your response.

#4 deeprybka


Posted 11 November 2014 - 12:45 PM

OK... :)

Take care!

#5 deeprybka


Posted 11 November 2014 - 12:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

