Need help removing dllhost.exe *32 com surrogate


9 replies to this topic

#1 myrmyd

Posted 14 April 2015 - 05:19 PM

I have just found the problem dllhost.exe *32 COM Surrogate on my Windows 7 Home Dell XPS laptop. It has shut off my Avast (free) antivirus. When I went into safe mode and tried to run Malwarebytes, Task Manager showed malware was running as malware *32. When I tried to scan using my Avast in safe mode, it said it couldn't scan because there were no previous points, and Avast was listed by Task Manager as Avast *32. Please help.


Edited by hamluis, 14 April 2015 - 05:20 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 InadequateInfirmity


Posted 14 April 2015 - 06:26 PM

Download Malwarebytes Anti-Rootkit to your desktop.

  • Double-click the icon to start the tool.
  • It will ask you where to extract; make sure it is on the desktop.
  • Malwarebytes Anti-Rootkit needs to be run from an account with admin rights.
  • Click Next to continue.
  • Then click Update.
  • Once the update is finished, select Next, then Scan.
  • If no malware has been found, at the end of the scan select Exit.
  • If an infection was found, make sure to select all items and click Cleanup.
  • Reboot your machine.
  • Open the MBAR folder and paste the content of the following into your next reply:
      • mbar-log-{date} (xx-xx-xx).txt
      • system-log.txt



#3 buddy215


Posted 14 April 2015 - 06:43 PM

Poweliks is the problem. Use the ESET Poweliks Cleaner to remove it. If you can't download it, you will need to use another computer and download it to a flash drive or other external medium and then transfer it to the infected computer. Of course, there will be other malware and adware that Poweliks has allowed. We'll help you with that after Poweliks is removed.


Please download Powelikscleaner (by ESET) and save it to your Desktop.

  • Double-click ESETPoweliksCleaner.exe to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • Please let me know if poweliks was found and removed as shown in bottom image.

[Two screenshots of the ESET Poweliks Cleaner window were attached: 1.png, 2.png]


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#4 InadequateInfirmity


Posted 14 April 2015 - 07:02 PM

Malwarebytes anti rootkit will remove poweliks. :)



#5 myrmyd


Posted 14 April 2015 - 08:16 PM

POST ONE OF TWO! PLEASE READ BOTH POSTS TO TELL ME WHAT TO DO NEXT.

I made the decision to do what InadequateInfirmity told me to do since that reply was first and also was followed up. I downloaded mbar and installed it on the desktop. I got this message and clicked "Yes":

Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity. Note: Press "No" button if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again. Do you want to remove this value and restart the tool? Yes / No.

I selected Yes and had to restart the tool. It found no malware.

I shoved that installation and its download file into a folder, rebooted the computer and started over. This time when I got the above message, I selected "No." But I got the same result in the end: it found no malware.

I checked Task Manager during both of the above and found that mbar was listed there as mbar *32, which makes me think the Poweliks may be blocking mbar in some way.

I don't want to try buddy215's fix until I get a confirmation that I should. So I appreciate the help!

I wasn't sure whether to post anything since it said it found no malware. I haven't rebooted again yet, so I will do another reply in a few minutes and check those mbar folders to see if there is anything to post, and will put it in my next post.



#6 InadequateInfirmity


Posted 14 April 2015 - 08:21 PM

Yes, go ahead with the Poweliks cleaner tool from ESET. :)



#7 myrmyd


Posted 14 April 2015 - 08:33 PM

Ok. Not posting mbar logs unless told to do so. I downloaded the Poweliks cleaner tool from ESET. It looks like the top picture in buddy215's post, except that it says "Threat Not Found" and "You don't have Win32/Poweliks in your system." It gave that result instantly; it didn't take any time to run a scan that I noticed. The Poweliks cleaner tool's listing in Task Manager is followed by *32. I also see a process NDSPCShowSeerver.exe *32 running that worries me. I have several processes that are followed by *32.
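A read-only triage check for the dllhost.exe *32 question running through this thread, added here as an example (it is not from any poster, nor from MBAR, ESET or ZHP): it prints the AppInit_DLLs values MBAR prompted about in post #5 and lists every COM Surrogate instance with its path, parent and the server behind its CLSID. Resolve-ComServer is a helper name chosen for this example.

```powershell
# Added example for this thread, not code from any poster or tool. Run in an
# elevated PowerShell (2.0 or later) on the 64-bit Windows 7 PC. Read-only.

# 1) The AppInit_DLLs values MBAR prompted about, in the native and WOW64 views.
#    An empty AppInit_DLLs is the baseline; any DLL listed there needs checking.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    "$key`n  AppInit_DLLs='$($v.AppInit_DLLs)'  LoadAppInit_DLLs=$($v.LoadAppInit_DLLs)"
}

# 2) Every dllhost.exe (COM Surrogate). Task Manager's "*32" only says the
#    process is 32-bit: on x64 that is C:\Windows\SysWOW64\dllhost.exe, which is
#    normal by itself. What needs review is the parent, the /Processid:{CLSID}
#    argument, and the server that CLSID points to in the registry.
function Resolve-ComServer($clsid) {
    foreach ($hive in 'CLSID', 'Wow6432Node\CLSID') {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $s = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$hive\$clsid\$sub" -ErrorAction SilentlyContinue
            if ($s -and $s.'(default)') { return $s.'(default)' }
        }
    }
    return '(CLSID not registered)'
}

Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $parentName = '(exited)'
    if ($parent) { $parentName = "$($parent.Name) (PID $($parent.ProcessId))" }
    $clsid = '(none)'; $server = '(none)'
    if ($_.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]+\})') {
        $clsid  = $matches[1]
        $server = Resolve-ComServer $clsid
    }
    New-Object PSObject -Property @{
        PID         = $_.ProcessId
        Path        = $_.ExecutablePath
        Is32Bit     = ($_.ExecutablePath -like '*\SysWOW64\*')
        Parent      = $parentName
        CommandLine = $_.CommandLine
        CLSID       = $clsid
        ComServer   = $server
    }
} | Format-List PID, Path, Is32Bit, Parent, CommandLine, CLSID, ComServer
```

A dllhost.exe whose CLSID is not registered, whose server path points outside the Windows or Program Files directories, or whose parent is not svchost.exe or a user application you recognise is the instance worth taking to the Virus and Spyware Removal forum.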



#8 InadequateInfirmity


Posted 14 April 2015 - 08:47 PM

Let's have you run a couple of tools before I send you to get more advanced help.

Download and save ZHP Cleaner to your desktop.

http://www.nicolascoolman.fr/download/zhpcleaner-2/

  • Right-click and run as administrator.
  • Click on the Repair button.
  • At the end of the process you will be asked to reboot your machine.
  • After you reboot, a report will open on your desktop.
  • Copy and paste the report here in your next reply.

Run a full scan with Zemana AntiMalware.

http://www.zemana.us/product/zemana-antimalware/default.aspx

  • Install and select Deep Scan.

[Screenshot of the Zemana scan selection was attached: jdmyscF.jpg]

  • Remove any infections found.
  • Then click on the icon in the pic below.

[Screenshot of the scan log icon was attached: DOLGyto.jpg]

  • Double-click on the scan log, copy and paste here in your reply.



#9 myrmyd


Posted 14 April 2015 - 09:51 PM

PART 1 ZHP.  I downloaded, ran, but was not asked to reboot.  I rebooted anyway and here is the log ZHP created.

~ ZHPCleaner v2015.4.15.168 by Nicolas Coolman (14/04/2015)
~ Run by Brenda (Administrator)  (14/04/2015 21:51:22)
~ Forum : http://forum.nicolascoolman.fr
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\Brenda\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\Brenda\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
~ Windows 7, 64-bit Service Pack 1 (Build 7601)


---\\  Services (0)
~ No malicious items found.


---\\  Browser internet (1)
DELETED: [4sqeq8il.default] - user_pref("browser.newtabpage.blocked", "{\"6jnYTtldX0+sDeeaLqubnw==\":1,\"z2G5Ci0VncUs+qmVIsIkeg==\[...] (PUP.Deeal)


---\\  Hosts file (1)
~ The hosts file is legitimate (21)


---\\  Scheduled automatic tasks. (0)
~ No malicious items found.


---\\  Explorer ( File, Folder) (1)
MOVED folder: C:\Users\Brenda\AppData\Local\PackageAware (PUP.BearShare)


---\\  Registry ( Key, Value, Data) (0)
~ No malicious items found.


---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Opera Software)


---\\ Statistics
~ Items scanned : 68825
~ Items found : 0
~ Items repaired : 2


End of clean at 21:57:34
===================
ZHPCleaner-[R]-14042015-21_57_34.txt

PART 2: Zemana downloaded and ran.  It only found mirc, which I let it quarantine.  Here's the log:

Zemana AntiMalware 2.10.2.18 (Installed)
-------------------------------------------------------
Scan Result           : Completed
Scan Date             : 2015/4/14
Operating System      : Windows 7 64-bit
Processor             : 8X Intel® Core™ i7-2630QM CPU @ 2.00GHz
BIOS Mode             : Legacy
CUID                  : 00A07790A78D7946410906
Scan Type             : Deep Scan
Duration              : 37m 38s
Scanned Objects       : 113691
Detected Objects      : 1
Excluded Objects      : 0
Read Level            : SCSI
Auto Upload           : Yes
Show All Extensions   : No
Scan Documents        : Yes
Engines               : Zemana, Avira, Eset, Bitdefender, AVG, Kaspersky


Detected Objects
-------------------------------------------------------
mirc617.exe
   Status             : Scanned
   Object             : %userprofile%\documents\brenda\tech_rep\mirc617.exe
   MD5                : AFD7B6331B404F8336EBEB8FA0F9B096
   Publisher          : -
   Size               : 1351680
   Version            : 6.1.7.0
   Detections         : Kaspersky: not-a-virus:Client-IRC.Win32.mIRC.617
   Cleaning Action    : Quarantine
   Traces             :
                File - %userprofile%\documents\brenda\tech_rep\mirc617.exe


Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0

Thank you very much for your help.



#10 InadequateInfirmity


Posted 15 April 2015 - 03:45 AM

I am assuming the issue is the same; start a new thread in the Virus and Spyware Removal area.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Make sure to post both the FRST and Addition.txt in your new thread.

