
Constantly running... Severe threats & dllhost.exe *32 issues


  • This topic is locked
11 replies to this topic

#1 chigirl

chigirl

  • Members
  • 20 posts

Posted 12 November 2014 - 12:16 PM

I'm new and scans have shown I have some serious issues. I have tried to download some of the fixes suggested on your site but get the message "your current security settings do not allow this file to be downloaded".
 
Running Windows 7, 64 bit (not sure what else you need)
 
Scan indicated one severe issue as Win32/powessere.alreg (regkey: HKCU@S-1-5-21-3468294975-2602840788-254591884-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32\). When the internet is open there is a ton of action with dllhost.exe *32 COM Surrogate, using 100% CPU.
 
Thanks!

Edited by Queen-Evie, 12 November 2014 - 12:22 PM.
moved from Windows 7 to the appropriate forum



#2 wishmakingfairy

wishmakingfairy

  • Members
  • 212 posts
  • Gender:Female

Posted 12 November 2014 - 04:25 PM

If you're able to, try booting into safe mode with networking and try to download from there.

 

To get to safe mode: turn on your computer and, as soon as you see the manufacturer's logo (splash screen), keep pressing F8; it will then bring up a black screen like this: [image: windows-7-f8.jpg]

 

Using the arrow keys, navigate to "Safe Mode with Networking" and hit Enter on the keyboard.


Using ubuntu and sharing how to as well as collecting how to scripts for common programs. Feel free to ask or share ^-^


#3 chigirl

chigirl
  • Topic Starter

  • Members
  • 20 posts

Posted 12 November 2014 - 05:52 PM

I ran the Poweliks cleaner and I was infected. I was able to run rkiller and that was clear. I was able to download Malwarebytes and am running a scan now.



#4 chigirl

chigirl
  • Topic Starter

  • Members
  • 20 posts

Posted 12 November 2014 - 06:00 PM

Here are the results:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/12/2014
Scan Time: 4:35:44 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.3.1025
Malware Database: v2014.11.12.10
Rootkit Database: v2014.11.12.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Kelly
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321675
Time Elapsed: 19 min, 47 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 2
Trojan.Clicker.64, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE, , [ba30eb4ffe7ed066d5bd69789e637e82], 
Trojan.Clicker.64, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE, , [ba30eb4ffe7ed066d5bd69789e637e82], 
 
Registry Values: 2
Trojan.Ransom.Gen, HKU\S-1-5-21-3468294975-2602840788-254591884-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|QufhAplig, regsvr32.exe "C:\ProgramData\QufhAplig\QufhAplig.dat", , [58922f0b84f8bb7b84c6495abc48ea16]
Trojan.Ransom.Gen, HKU\S-1-5-21-3468294975-2602840788-254591884-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|UotjuGhupp, regsvr32.exe "C:\ProgramData\UotjuGhupp\UotjuGhupp.dat", , [43a71c1ef08c50e6a4a6990a93714eb2]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 23
Trojan.FakeMS, C:\ProgramData\TegicAfpas\TegicAfpas.dat, , [5793af8bbdbf2c0aa76c0fd457aa24dc], 
Trojan.Pseudo.isct, C:\ProgramData\Windows Genuine Advantage\{065B21E5-135E-4745-88EF-5897B21180D6}\msiexec.exe, , [e703fe3c780471c5a34faf3332cfb44c], 
Spyware.Zbot.ED, C:\ProgramData\Windows Genuine Advantage\{234AC0C8-63A2-46E7-BAD6-0BA186BEED28}\msiexec.exe, , [f3f7bc7e7804b6806effe296fe078e72], 
Spyware.Vawtrak, C:\ProgramData\Windows Genuine Advantage\{2FE942AB-0C44-4257-9410-D2C0CABE349B}\msiexec.exe, , [886269d1e9931323fe9b459dc23f23dd], 
Trojan.Agent.EDHE, C:\ProgramData\Windows Genuine Advantage\{333D761D-F274-432E-9DAA-3D9833B05937}\msiexec.exe, , [5892b288e29a2e08b15e8959bd44a858], 
Trojan.Pseudo.isct, C:\ProgramData\Windows Genuine Advantage\{34730CA2-96E9-45FC-B937-ED31A8430A3A}\msiexec.exe, , [e7032713304cee485e940fd3e9188878], 
Spyware.Vawtrak, C:\ProgramData\Windows Genuine Advantage\{3C9FEB56-5ADC-4B20-B76C-001BBC7BA07F}\msiexec.exe, , [fcee47f3a9d335016b2e16cc7a87f709], 
Trojan.Clicker, C:\ProgramData\Windows Genuine Advantage\{8E5837E0-52C1-4361-98F0-F9F2AEFBC2A7}\msiexec.exe, , [75757bbf9fdd86b0c0d1c02137cab848], 
Trojan.Clicker, C:\ProgramData\Windows Genuine Advantage\{90674F41-FE95-4F29-BA8E-5228681BF18A}\msiexec.exe, , [d41632083d3f4bebc0d19b469a678e72], 
Backdoor.Papras, C:\ProgramData\Windows Genuine Advantage\{B789206A-5FC2-42C4-B378-6E54A64A8731}\api-ms-win-system-cmcfg32-l1-1-0.dll, , [bd2d360496e65ed85012e5fc27da48b8], 
Trojan.Agent.ED, C:\ProgramData\Windows Genuine Advantage\{CE973BC9-6BBA-4E9C-99B6-5AB98E364FF8}\msiexec.exe, , [c426201a116bd85ec0a65d7f25dc38c8], 
Spyware.Zbot.ED, C:\ProgramData\Windows Genuine Advantage\{D8256672-BB7C-43B7-B694-0396BFCFFEDB}\msiexec.exe, , [10dabe7cdca0ab8bb1bcc6b2d13439c7], 
Trojan.Agent.EDHE, C:\ProgramData\Windows Genuine Advantage\{DBD229A8-544A-4F1B-821C-B46C55AA39EB}\msiexec.exe, , [bf2b12288bf1a78f4bc4964c16ebae52], 
Trojan.Agent.EDHE, C:\ProgramData\Windows Genuine Advantage\{FB373D9B-0D31-4BB8-8E6E-C57541F3A763}\msiexec.exe, , [5f8b9b9fc6b6e74fb35c35ad17eab14f], 
Trojan.FakeMS, C:\ProgramData\YamalJoboh\YamalJoboh.dat, , [836780ba93e974c219fa964dd22f6898], 
Trojan.FakeMS.ED, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\advpack.dll, , [be2c41f97c00da5c6f26ffdee41d2cd4], 
Trojan.Agent.ED, C:\Users\Kelly\AppData\Roaming\svc-bhvi.exe, , [9c4ef644285455e1f076b32931d0916f], 
Trojan.Clicker.64, C:\Users\Kelly\AppData\Roaming\FrameworkUpdate7\GoogleUpdate.exe, , [ba30eb4ffe7ed066d5bd69789e637e82], 
Trojan.Clicker.64, C:\Users\Kelly\AppData\Local\Temp\A8B.tmp, , [f6f475c57804b48298fa8160cf32c739], 
Trojan.Clicker.64, C:\Users\Kelly\AppData\Local\Temp\2876.tmp, , [9d4d5ae0d4a8ff37147e4d9453ae5fa1], 
Trojan.Crypt.NKN, C:\Users\Kelly\AppData\Local\Temp\hubujwvm.exe, , [1ad08bafe795a690a4813f41c33e59a7], 
Trojan.Proxy.Bunitu, C:\Users\Kelly\AppData\Local\ucriruo.dll, , [59914dedc6b6e74f03d114c8bc45c739], 
Spyware.Zbot.ED, C:\Users\Kelly\AppData\Local\Odcsics\msiexec.exe, , [1fcb65d56c107fb7ea8323551de8be42], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
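
Added example, not code from this thread or from Malwarebytes: a small Python parser for the Malwarebytes 2.x log layout quoted in post #4 that splits each detection into its fields and labels the persistence mechanisms the log shows (the Image File Execution Options key on GoogleUpdate.exe, the Run values that launch regsvr32 on a renamed .dat file), plus the CLSID\LocalServer32 pattern named in post #1. The sample log is a constructed three-hit excerpt built from lines in post #4, and treating the bracketed 32-hex value as an opaque per-detection identifier is an assumption; the post does show the same identifier on the two IFEO keys and on the dropped GoogleUpdate.exe, which is what lets the grouping tie the key to its payload.

```python
import re
from collections import defaultdict

# Constructed sample in the Malwarebytes 2.x log layout from post #4 (three hits copied from it).
SAMPLE_LOG = r"""Registry Keys: 1
Trojan.Clicker.64, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE, , [ba30eb4ffe7ed066d5bd69789e637e82], 
Registry Values: 1
Trojan.Ransom.Gen, HKU\S-1-5-21-3468294975-2602840788-254591884-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|QufhAplig, regsvr32.exe "C:\ProgramData\QufhAplig\QufhAplig.dat", , [58922f0b84f8bb7b84c6495abc48ea16]
Files: 1
Trojan.Clicker.64, C:\Users\Kelly\AppData\Roaming\FrameworkUpdate7\GoogleUpdate.exe, , [ba30eb4ffe7ed066d5bd69789e637e82], 
"""

SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values", "Registry Data", "Folders", "Files", "Physical Sectors")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+): (?P<count>\d+)\s*$")
# Hit lines end in a bracketed 32-hex value; assumption: it is an opaque per-detection identifier.
HIT_RE = re.compile(r"^(?P<left>.+?), \[(?P<id>[0-9a-f]{32})\],?\s*$")

def parse_mbam_log(text):
    """Return one dict per detection: section, name, location, data (Run value payload), id."""
    hits, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m and m.group("section") in SECTIONS:
            section = m.group("section")          # "Registry Keys: 2" etc. opens a section
        elif section and (m := HIT_RE.match(line)):
            fields = m.group("left").split(", ")  # name, location, optional data, empty slot
            hits.append({"section": section, "name": fields[0], "location": fields[1],
                         "data": ", ".join(f for f in fields[2:] if f), "id": m.group("id")})
    return hits

def persistence_flags(hit):
    """Name the autostart or hijack mechanism a detection's location implies."""
    loc, data, flags = hit["location"].upper(), hit["data"], []
    if "\\IMAGE FILE EXECUTION OPTIONS\\" in loc:      # Debugger value redirects a legitimate exe
        flags.append("IFEO debugger hijack of " + loc.rsplit("\\", 1)[-1])
    if "\\CURRENTVERSION\\RUN|" in loc:                  # classic Run-key autostart (key|value)
        flags.append("Run-key autostart")
    if "regsvr32" in data.lower() and '"' in data:       # signed LOLBin loading a renamed DLL
        flags.append("regsvr32 loads " + data.split('"')[1])
    if "\\CLSID\\" in loc and "LOCALSERVER32" in loc:    # the COM key pattern from post #1
        flags.append("COM LocalServer32 hijack")
    return flags

def related_by_id(hits):
    """Group locations sharing one identifier, e.g. the IFEO key and the file it points at."""
    shared = defaultdict(list)
    for h in hits: shared[h["id"]].append(h["location"])
    return {k: v for k, v in shared.items() if len(v) > 1}
```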


#5 xAnti_HerOx

xAnti_HerOx

  • Members
  • 84 posts
  • Gender:Male
  • Location:Los Angeles

Posted 12 November 2014 - 06:46 PM

Sounds like a Zero Access Virus on your PC.

Edited by Queen-Evie, 12 November 2014 - 08:17 PM.
deleted suggestion to run a tool that is NOT allowed in Am I Infected.


 

"The human spirit must prevail over technology". -Albert Einstein 


#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 12 November 2014 - 08:08 PM

Removed by me, for you to see the post below only .......


Edited by noknojon, 12 November 2014 - 08:16 PM.


#7 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 12 November 2014 - 08:13 PM

NOTE - You are / have been badly infected, please leave this to the Experts

 

Please follow the instructions in This Prep Guide starting at Step 6.

Once the requested logs are created, then make a New Topic and post it to the =>> Malware Removal Experts Area <== Not back here.

Copy and Paste any logs created, (do not attach them unless requested) and include a brief description of your problem and what you have done to try to resolve them.
Please note that the area can get a bit busy, so you may need to wait a day or more for a reply.

NOTE- If you cannot produce any of the logs, then please create the new topic anyway. Do not run more tools unless the experts request them.
 

Thank You -



#8 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here

Posted 12 November 2014 - 08:20 PM

chigirl, please follow the instructions given to you by Noknojon and follow the prep guide for posting in Malware Removal Logs.

After you post the logs in that forum, please post a link to it IN THIS TOPIC so this one can be closed.

xAnti_HerOx, please read this topic for instructions regarding helping in Am I Infected.

http://www.bleepingcomputer.com/forums/t/250928/instructions-for-posting-advice-in-am-i-infected-forum/

Specifically note what tools are NOT allowed in Am I Infected.
 

Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in all other areas of the forums. This list contains tools and procedures that are forbidden; the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.

■ComboFix instructions or discussion.
■HiJackThis, DDS, OTL, ZOEK, RSIT, RogueKiller instructions.
■FRST (Farbar Recovery Scan Tool).
■Manual rootkit removal using non-automated and advanced ARK tools (MBRCheck, MBR.exe and Esage Bootkit Remover).
■Automated registry cleaners.
■Advanced Registry instruction. Simple registry fixes are permitted but they must be accompanied with a warning to back up the registry first. The BC staff will monitor (review) registry fixes and if we determine they are dangerous or incorrect, the instructions will be removed.
■Custom scripts, batch files.
■Other specialized fix tools the BC Staff deems untrained members should not recommend for use.


Edited by Queen-Evie, 12 November 2014 - 08:24 PM.


#9 xAnti_HerOx

xAnti_HerOx

  • Members
  • 84 posts
  • Gender:Male
  • Location:Los Angeles

Posted 12 November 2014 - 08:33 PM

Read and Understood .

 

chigirl, please follow the instructions given to you by Noknojon and follow the prep guide for posting in Malware Removal Logs.

After you post the logs in that forum, please post a link to it IN THIS TOPIC so this one can be closed.

xAnti_HerOx, please read this topic for instructions regarding helping in Am I Infected.

http://www.bleepingcomputer.com/forums/t/250928/instructions-for-posting-advice-in-am-i-infected-forum/

Specifically note what tools are NOT allowed in Am I Infected.
 




#10 chigirl

chigirl
  • Topic Starter

  • Members
  • 20 posts

Posted 13 November 2014 - 11:31 AM

Thank you, I tried to download DDS and received the message: "your current security settings do not allow this file to be downloaded". I am running another Malwarebytes scan now.



#11 chigirl

chigirl
  • Topic Starter

  • Members
  • 20 posts

Posted 13 November 2014 - 12:34 PM

http://www.bleepingcomputer.com/forums/t/555975/im-infected-dllhost-issues-and-who-knows-what-else-is-lurking/

 

Thank you for your time!!!!  <3

 

moving along.....



#12 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here

Posted 14 November 2014 - 10:52 AM

Now that you have posted a DDS log in Malware Removal Logs

Please refrain from asking for further help from other members or staff until the Malware Removal Team has checked your posted log. The Malware Removal Team work very hard to investigate a unique solution to your problem and you will receive individual expert assistance. This takes time and effort, so we ask you to please be patient while waiting for assistance and NOT to make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member. Any modifications you make on your own can result in system changes which may not show in the log you already posted. Further, following advice outside of that post may cause confusion for the team member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

The Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean. If you followed any other advice already, please ensure you inform the Malware Removal Team Helper when they respond to assist you with your log. This will help them know what has been done, and they will probably ask for an updated log.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

This topic is closed.



