
dllhost.exe and SysWOW64


  • This topic is locked
16 replies to this topic

#1 GreaterFuzz

GreaterFuzz

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 12 December 2014 - 12:31 PM

Hello,

 

Last week I found some malware on my computer. I was unable to fully remove it so the best thing I thought I could do would be to reinstall Windows. After that my computer seemed to run fine but yesterday I started getting pop-ups from Malwarebytes that it's blocking C:\Windows\SysWOW64\dllhost.exe. I've run a threat scan with Malwarebytes and they haven't found anything. My computer is sluggish and it keeps my CPU Usage running from 43% to 100%. When I open task manager there are 4 "dllhost.exe" items listed on processes, the description says they are "COM surrogate".

 

Can someone help me fix my computer? Attached are the dds.txt, attach.txt and malwarebytes daily log. 

 

Thanks,

GreaterFuzz


Edited by GreaterFuzz, 12 December 2014 - 12:42 PM.




#2 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:04:34 PM

Posted 12 December 2014 - 01:20 PM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1
Please download Powelikscleaner (by ESET) and save it to your Desktop.
  • Double-click the tool's icon to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Step 2

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.
Step 3

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears, it may take a minute or two.
  • In the main box please paste in the following script:
    process;
    services-list;
    systemspecs;
    startupall;
    filesrcm;
    
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
Post its content into your next reply.
regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#3 GreaterFuzz


Posted 12 December 2014 - 02:11 PM

Jürgen,
 
Here are the logs.




#4 deeprybka


Posted 13 December 2014 - 12:29 PM

Hi,
 

[2014.12.12 12:45:41.711] - INFO: Win32/Poweliks not found

 

...Malwarebytes that it's blocking C:\Windows\SysWOW64\dllhost.exe...

 

Does the problem with dllhost.exe still exist?


regards,
deeprybka

#5 GreaterFuzz


Posted 13 December 2014 - 01:28 PM

The dllhost.exe is not listed on the processes list in task manager right now. But we still have a folder called sysWOW64. What exactly did we do yesterday with the scans? I mean we didn't delete any files or anything so I don't know why it wouldn't be showing up now.



#6 deeprybka


Posted 13 December 2014 - 01:37 PM

Note: The dllhost.exe is a legit system file! Even more, the folder "sysWow64" isn't malicious.

 

Please post this log from ESET Powelikscleaner as well:

2014-12-12 12:44 - 2014-12-12 12:44 - 00007370 _____ () C:\Users\Michael\Downloads\ESETPoweliksCleaner.exe_20141212.124421.20204.log

regards,
deeprybka

#7 GreaterFuzz


Posted 13 December 2014 - 01:47 PM

ESET log




#8 deeprybka


Posted 13 December 2014 - 01:52 PM

No, please post the other one:

2014-12-12 12:45 - 2014-12-12 12:46 - 00007436 _____ () C:\Users\Michael\Desktop\ESETPoweliksCleaner.exe_20141212.124541.21936.log
2014-12-12 12:44 - 2014-12-12 12:44 - 00007370 _____ () C:\Users\Michael\Downloads\ESETPoweliksCleaner.exe_20141212.124421.20204.log

Edited by deeprybka, 13 December 2014 - 01:53 PM.

regards,
deeprybka

#9 GreaterFuzz


Posted 13 December 2014 - 02:01 PM

Here is the file.




#10 deeprybka


Posted 13 December 2014 - 02:15 PM

Thank you very much!

Step 1

Download Malwarebytes Anti-Rootkit to your Desktop.

  • Double-click "mbar.exe" to start the tool.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"



regards,
deeprybka

#11 GreaterFuzz


Posted 13 December 2014 - 02:53 PM

Thanks, here's the result. No Malware found.

 




#12 deeprybka


Posted 13 December 2014 - 02:57 PM

Let's do a final check up:

Step 1


Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings:
    [image: settings.png]
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at [image: logpath.png]
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!
regards,
deeprybka

#13 GreaterFuzz


Posted 13 December 2014 - 06:18 PM

I:\OWNER-PC\Backup Set 2013-01-19 215301\Backup Files 2013-01-19 215301\Backup files 3.zip a variant of Win32/Toolbar.Visicom.C potentially unwanted application
I:\OWNER-PC\Backup Set 2013-01-19 215301\Backup Files 2013-01-19 215301\Backup files 5.zip a variant of Win32/Toolbar.Babylon.A potentially unwanted application
 
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=462d4a438f5bc3449363afb48e0ebc5c
# engine=21542
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-12-13 10:38:44
# local_time=2014-12-13 04:38:44 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 8265 170053774 0 0
# scanned=225312
# found=2
# cleaned=0
# scan_time=7015
sh=3932CB9C771F698DE7BBC2DBADF880E76258FFB2 ft=0 fh=0000000000000000 vn="a variant of Win32/Toolbar.Visicom.C potentially unwanted application" ac=I fn="I:\OWNER-PC\Backup Set 2013-01-19 215301\Backup Files 2013-01-19 215301\Backup files 3.zip"
sh=845F50CE87077598F83C2A2CCAF7B2D3040F79D4 ft=0 fh=0000000000000000 vn="a variant of Win32/Toolbar.Babylon.A potentially unwanted application" ac=I fn="I:\OWNER-PC\Backup Set 2013-01-19 215301\Backup Files 2013-01-19 215301\Backup files 5.zip"
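
Added example (not part of the original posts and not ESET's own tooling): a Python parser for the log format posted above that splits the `# key=value` header from the `sh=… vn=… fn=…` detection records and triages each detection by the wording of its `vn` field. The function names, the class labels (`PUA`, `unsafe-app`, `malware`) and the archive-extension list are this example's own assumptions; the `ac` field is passed through without interpretation.

```python
import re

# Excerpt of the ESET Online Scanner log posted above: three header counters
# plus the two detection lines, unchanged.
SAMPLE_LOG = r'''
# found=2
# cleaned=0
# remove_checked=false
sh=3932CB9C771F698DE7BBC2DBADF880E76258FFB2 ft=0 fh=0000000000000000 vn="a variant of Win32/Toolbar.Visicom.C potentially unwanted application" ac=I fn="I:\OWNER-PC\Backup Set 2013-01-19 215301\Backup Files 2013-01-19 215301\Backup files 3.zip"
sh=845F50CE87077598F83C2A2CCAF7B2D3040F79D4 ft=0 fh=0000000000000000 vn="a variant of Win32/Toolbar.Babylon.A potentially unwanted application" ac=I fn="I:\OWNER-PC\Backup Set 2013-01-19 215301\Backup Files 2013-01-19 215301\Backup files 5.zip"
'''

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".cab")  # assumption: example's own list

def parse_log(text):
    """Split a log into header metadata ('# key=value') and detection records."""
    meta, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, sep, value = line[2:].partition("=")
            if sep:
                meta[key] = value.strip("\"'")
        elif line.startswith("sh="):
            detections.append({k: v.strip('"') for k, v in FIELD.findall(line)})
    return meta, detections

def classify(name):
    """Triage label (this example's own) from the detection name in 'vn'."""
    low = name.lower()
    if "potentially unwanted" in low:
        return "PUA"
    if "potentially unsafe" in low:
        return "unsafe-app"
    return "malware"  # anything not marked as a grey-area category

def summarize(text):
    meta, dets = parse_log(text)
    return {
        "count_consistent": meta.get("found") == str(len(dets)),  # truncated paste?
        "cleaned": int(meta.get("cleaned", "0")),
        "classes": sorted({classify(d.get("vn", "")) for d in dets}),
        "needs_review": [d.get("fn", "") for d in dets if classify(d.get("vn", "")) == "malware"],
        "in_archive": [d["fn"] for d in dets if d.get("fn", "").lower().endswith(ARCHIVE_EXT)],
    }
```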
 


#14 deeprybka


Posted 14 December 2014 - 09:38 AM

The FRST-log is looking good and the detections above aren't serious.
Can you please tell me which problems still persist now?


regards,
deeprybka

#15 GreaterFuzz


Posted 15 December 2014 - 12:20 AM

I've used the computer all day without any issue. I guess that fixed it. I still see the dllhost.exe running when I show processes from all users, but it disappears after a second. Should I be worried about this, or the fact that the folder still exists?

 



Edited by GreaterFuzz, 15 December 2014 - 12:21 AM.




