Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Problem with dllhost.exe (COM Surrogate)


  • Please log in to reply
30 replies to this topic

#1 TRG9386

TRG9386

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 02 July 2015 - 08:21 AM

Over the past couple of weeks I've been noticing a couple of odd symptoms that might be related. First, I am having trouble opening file folders in my desktop or even accessing file folders through the "Windows Explorer" or "My Computer." If I reboot the computer, it solves the problem temporarily, but it always returns.   Also, when I open up my Windows Task Manager, I often notice that the dllhost.exe seems to be consuming a large amount of memory in the Processes section (typically over 260,000 K). I have never seen this happen until recently From what I understand, the SOM Surrogate has some bearing on folder thumbnails, so I would guess these various issues are related. I am by no means an expert, so any help would be greatly appreciated!


Edited by hamluis, 02 July 2015 - 10:01 AM.
Moved from MRL to Am I Infected - Hamluis.


BC AdBot (Login to Remove)

 


#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:25 AM

Posted 02 July 2015 - 11:04 AM

Hello,

This sounds like a Poweliks infection. Let's see if this will get rid of the problem.

ESET Poweliks Cleaner
logo.png
Please download Powelikscleaner (by ESET) and save it to your Desktop.
  • Double-click ESETPoweliksCleaner.exe to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
1.png
2.png

Regards,
Alex

#3 TRG9386

TRG9386
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 02 July 2015 - 06:49 PM

Hi Alex and thanks for the help! I ran the test and it came up negative. However, I am having trouble attaching the log because the forum says the message is "too long." Is there any way to upload the .txt as an attachment?



#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:25 AM

Posted 02 July 2015 - 06:52 PM

If the tool says Poweliks isn't found then no need to upload the log.

Let's see what else we can dig up...

MiniToolbox by Farbar

Avast users please disable your antivirus before downloading!
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

===

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Malware Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
Regards,
Alex

#5 TRG9386

TRG9386
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 02 July 2015 - 07:03 PM

MiniToolBox log:

 

MiniToolBox by Farbar  Version: 01-07-2015
Ran by Home (administrator) on 02-07-2015 at 19:57:30
Running from "C:\Users\Home\Desktop"
Microsoft Windows 7 Home Premium   (X64)
Model: Inspiron 1545 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
 
127.0.0.1       localhost
 
========================= IP Configuration: ================================
 
Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller = Local Area Connection (Connected)
Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64 = Local Area Connection 2 (Hardware not present)
Dell Wireless 1397 WLAN Mini-Card = Wireless Network Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
set interface interface="Local Area Connection 2" forwarding=enabled advertise=enabled metric=1 nud=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : hsd1.ct.comcast.net.
 
Wireless LAN adapter Wireless Network Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 78-E4-00-C8-90-25
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wireless Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hil-miabvhx.mia.wayport.net
   Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
   Physical Address. . . . . . . . . : 78-E4-00-C8-90-25
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : hsd1.ct.comcast.net.
   Description . . . . . . . . . . . : Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
   Physical Address. . . . . . . . . : A4-BA-DB-A1-93-DD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:558:6017:a8:616a:ef4b:d6da:abe6(Preferred) 
   Lease Obtained. . . . . . . . . . : Thursday, July 02, 2015 6:50:50 PM
   Lease Expires . . . . . . . . . . : Monday, July 06, 2015 6:50:50 PM
   Link-local IPv6 Address . . . . . : fe80::c00a:7940:30fd:b59f%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 73.4.95.102(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : Thursday, July 02, 2015 6:50:47 PM
   Lease Expires . . . . . . . . . . : Monday, July 06, 2015 8:31:16 AM
   Default Gateway . . . . . . . . . : fe80::5257:a8ff:fe89:b0e2%11
                                       73.4.92.1
   DHCP Server . . . . . . . . . . . : 69.252.65.133
   DHCPv6 IAID . . . . . . . . . . . : 250629538
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-10-A3-5A-F0-4D-A2-82-6B-51
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       75.75.75.75
                                       75.75.76.76
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.hil-miabvhx.mia.wayport.net:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.hsd1.ct.comcast.net.:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hsd1.ct.comcast.net.
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{35130696-A084-406D-AF2D-E3682B126F25}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
 
Name:    google.com
Addresses:  2607:f8b0:4006:80e::200e
 74.125.226.68
 74.125.226.69
 74.125.226.67
 74.125.226.71
 74.125.226.73
 74.125.226.66
 74.125.226.70
 74.125.226.64
 74.125.226.65
 74.125.226.78
 74.125.226.72
 
 
Pinging google.com [2607:f8b0:4006:808::100e] with 32 bytes of data:
Reply from 2607:f8b0:4006:808::100e: time=469ms 
Reply from 2607:f8b0:4006:808::100e: time=27ms 
 
Ping statistics for 2607:f8b0:4006:808::100e:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 469ms, Average = 248ms
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
 
Name:    yahoo.com
Addresses:  2001:4998:c:a06::2:4008
 2001:4998:58:c02::a9
 2001:4998:44:204::a7
 98.138.253.109
 98.139.183.24
 206.190.36.45
 
 
Pinging yahoo.com [2001:4998:44:204::a7] with 32 bytes of data:
Reply from 2001:4998:44:204::a7: time=93ms 
Reply from 2001:4998:44:204::a7: time=73ms 
 
Ping statistics for 2001:4998:44:204::a7:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 73ms, Maximum = 93ms, Average = 83ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
===========================================================================
Interface List
 14...78 e4 00 c8 90 25 ......Microsoft Virtual WiFi Miniport Adapter
 12...78 e4 00 c8 90 25 ......Dell Wireless 1397 WLAN Mini-Card
 11...a4 ba db a1 93 dd ......Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
  1...........................Software Loopback Interface 1
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        73.4.92.1      73.4.95.102     20
        73.4.92.0    255.255.252.0         On-link       73.4.95.102    276
      73.4.95.102  255.255.255.255         On-link       73.4.95.102    276
      73.4.95.255  255.255.255.255         On-link       73.4.95.102    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       73.4.95.102    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       73.4.95.102    276
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 11    276 ::/0                     fe80::5257:a8ff:fe89:b0e2
  1    306 ::1/128                  On-link
 11    276 2001:558:6017:a8:616a:ef4b:d6da:abe6/128
                                    On-link
 11    276 fe80::/64                On-link
 11    276 fe80::c00a:7940:30fd:b59f/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
 
Catalog5 04 C:\Windows\SysWOW64\nwprovau.dll [] ()
Catalog5 05 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 12 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 13 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 14 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 15 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 16 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 17 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 18 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 19 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 20 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 21 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 22 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 23 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 24 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 25 C:\Windows\SysWOW64\rsvpsp.dll [File not found] ()
Catalog9 26 C:\Windows\SysWOW64\rsvpsp.dll [File not found] ()
Catalog9 27 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 28 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 29 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 mswsock.dll [File Not found] (Microsoft Corporation)
ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
 
x64-Catalog5 02 mswsock.dll [File Not found] (Microsoft Corporation)
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
 
x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 04 mswsock.dll [File Not found] (Microsoft Corporation)
x64-Catalog9 05 mswsock.dll [File Not found] (Microsoft Corporation)
x64-Catalog9 06 mswsock.dll [File Not found] (Microsoft Corporation)
x64-Catalog9 07 mswsock.dll [File Not found] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (07/02/2015 07:58:24 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
Error: (07/02/2015 07:58:24 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
Error: (07/02/2015 07:58:18 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
Error: (07/02/2015 07:58:18 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
 
 
System errors:
=============
Error: (07/02/2015 07:57:05 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 20 time(s).
 
Error: (07/02/2015 07:57:05 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with service-specific error %%-2147217025.
 
Error: (07/02/2015 07:56:20 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 19 time(s).
 
Error: (07/02/2015 07:56:20 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with service-specific error %%-2147217025.
 
Error: (07/02/2015 07:50:10 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 18 time(s).
 
Error: (07/02/2015 07:50:10 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with service-specific error %%-2147217025.
 
Error: (07/02/2015 07:30:38 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 17 time(s).
 
Error: (07/02/2015 07:30:38 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with service-specific error %%-2147217025.
 
Error: (07/02/2015 07:26:12 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 16 time(s).
 
Error: (07/02/2015 07:26:12 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with service-specific error %%-2147217025.
 
 
Microsoft Office Sessions:
=========================
Error: (07/02/2015 07:58:24 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
Error: (07/02/2015 07:58:24 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
Error: (07/02/2015 07:58:23 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
Error: (07/02/2015 07:58:18 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
Error: (07/02/2015 07:58:18 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: -583
 
 
CodeIntegrity Errors:
===================================
  Date: 2011-09-06 22:59:21.176
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2011-09-06 22:59:21.082
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2011-09-05 00:19:50.779
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2011-09-05 00:19:50.701
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
=========================== Installed Programs ============================
 
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.239 - Adobe Systems Incorporated)
Adobe Reader 9.5.2 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.2 - Adobe Systems Incorporated)
Advanced Audio FX Engine (HKLM-x32\...\Advanced Audio FX Engine) (Version: 1.12.05 - Creative Technology Ltd)
Apple Application Support (HKLM-x32\...\{A83279FD-CA4B-4206-9535-90974DE76654}) (Version: 2.1.5 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{75104836-CAC7-444E-A39E-3F54151942F5}) (Version: 4.0.0.97 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Banctec Service Agreement (HKLM-x32\...\{42D68A86-DB1C-4256-B8C9-5D0D92919AF5}) (Version: 2.0.0 - Dell Inc.)
BlogDesk 2.8 (HKLM-x32\...\BlogDesk_is1) (Version: 2.8 - BlogDesk)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Cedocida DV Codec (32 Bit and 64 Bit) (HKLM\...\cedocida) (Version:  - )
Cisco AnyConnect Secure Mobility Client  (HKLM-x32\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.1.04072 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (HKLM-x32\...\{8EC376A3-F279-47D7-97AA-7BA2A2EB006E}) (Version: 3.1.04072 - Cisco Systems, Inc.) Hidden
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Comcast Desktop Software (v1.2.0.9) (HKLM-x32\...\{CEF7211D-CE3A-44C4-B321-D84A2099AE94}) (Version: 23 - Comcast)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6514.5001 - Microsoft Corporation)
Cozi (HKLM-x32\...\{2DA5F129-11AC-4F11-8188-B2F07EAAC20A}) (Version: 1.0.4323.24051 - Cozi Group, Inc.)
Dell DataSafe Local Backup - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version:  - Dell)
Dell DataSafe Local Backup (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 9.4.40 - Dell)
Dell DataSafe Online (HKLM-x32\...\{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}) (Version: 1.2.0011 - Dell, Inc.)
Dell Dock (HKLM\...\{C73A3942-84C8-4597-9F9B-EE227DCBA758}) (Version: 2.0 - Stardock Corporation) Hidden
Dell Dock (HKLM-x32\...\Dell Dock) (Version:  - Stardock Corporation)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Getting Started Guide (HKLM-x32\...\{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}) (Version: 1.00.0000 - Dell Inc.)
Dell Support Center (Support Software) (HKLM-x32\...\{E3BFEE55-39E2-4BE0-B966-89FE583822C1}) (Version: 2.5.09100 - Dell)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1107.115.102 - ALPS ELECTRIC CO., LTD.)
Dell Webcam Central (HKLM-x32\...\Dell Webcam Central) (Version: 1.40.05 - Creative Technology Ltd)
Dell Wireless WLAN Card Utility (HKLM\...\Dell Wireless WLAN Card Utility) (Version: 5.30.21.0 - Dell Inc.)
Desktop Doctor (HKLM-x32\...\{D87149B3-7A1D-4548-9CBF-032B791E5908}) (Version: 2.5.5 - Comcast)
DHTML Editing Component (HKLM-x32\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
DivX Setup (HKLM-x32\...\DivX Setup.divx.com) (Version: 2.1.2.2 - DivX, Inc. )
doPDF 7.2 printer (HKLM\...\doPDF 7 printer_is1) (Version:  - Softland)
Google Chrome (HKCU\...\Google Chrome) (Version: 43.0.2357.130 - Google Inc.)
GoToAssist Corporate (HKLM-x32\...\GoToAssist) (Version: 9.1.0.615 - Citrix Online, a division of Citrix Systems, Inc.)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1994 - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
iTunes (HKLM\...\{6CFB1B20-ECAE-488F-9FFB-6AD420882E71}) (Version: 10.5.1.42 - Apple Inc.)
Java 8 Update 40 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418040F0}) (Version: 8.0.400 - Oracle Corporation)
Java 8 Update 40 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)
JFK Reloaded 1.1 (HKLM-x32\...\JFK Reloaded) (Version: 1.1 - JFK Reloaded)
Junk Mail filter update (HKLM-x32\...\{E2DFE069-083E-4631-9B6C-43C48E991DE5}) (Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Live! Cam Avatar Creator (HKLM-x32\...\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}) (Version: 4.6.3009.1 - Creative Technology Ltd)
LoJack Factory Installer (HKLM-x32\...\{40F4FF7A-B214-4453-B973-080B09CED019}) (Version: 1.0.0 - Absolute Software)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
McAfee SecurityCenter (HKLM-x32\...\MSC) (Version: 14.0.1076 - McAfee, Inc.)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.316 - McAfee, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Standard Edition 2003 (HKLM-x32\...\{91120409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20125.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM-x32\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM-x32\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}) (Version: 8.0.58299 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Mozilla Firefox 33.1.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.1.1 (x86 en-US)) (Version: 33.1.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 33.1.1 - Mozilla)
OpenTTD 1.4.3 (HKLM-x32\...\OpenTTD) (Version: 1.4.3 - OpenTTD)
PowerDVD DX (HKLM-x32\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.3.6029 - CyberLink Corp.)
POWERPREP II (HKLM-x32\...\{2687340C-C114-47DC-9F0E-C1BA85FEB001}) (Version: 1.00.0000 - ETS)
Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 9.6.6 - Dell Inc.)
QuickTime (HKLM-x32\...\{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.)
Roxio Burn (HKLM-x32\...\{B2E47DE7-800B-40BB-BD1F-9F221C3AEE87}) (Version: 1.01 - Roxio)
Skype Toolbars (HKLM-x32\...\{981029E0-7FC9-4CF3-AB39-6F133621921A}) (Version: 1.0.4036 - Skype Technologies S.A.)
Skype™ 6.22 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.22.106 - Skype Technologies S.A.)
Speccy (HKLM\...\Speccy) (Version: 1.19 - Piriform)
Spelling Dictionaries Support For Adobe Reader 9 (HKLM-x32\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
VC80CRTRedist - 8.0.50727.4053 (HKLM-x32\...\{5EE7D259-D137-4438-9A5F-42F432EC0421}) (Version: 1.1.0 - DivX, Inc) Hidden
VLC media player 1.1.5 (HKLM-x32\...\VLC media player) (Version: 1.1.5 - VideoLAN)
WildTangent Games (HKLM-x32\...\WildTangent dell Master Uninstall) (Version: 1.0.0.71 - WildTangent)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM-x32\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
WinRAR archiver (HKLM-x32\...\WinRAR archiver) (Version:  - )
Yahoo! Detect (HKLM-x32\...\YTdetect) (Version:  - )
 
========================= Devices: ================================
 
Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: vpnva
Device ID: ROOT\NET\0000
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 71%
Total physical RAM: 3032.36 MB
Available physical RAM: 853.09 MB
Total Virtual: 6062.87 MB
Available Virtual: 2859.7 MB
 
========================= Partitions: =====================================
 
1 Drive c: (OS) (Fixed) (Total:283.4 GB) (Free:12.62 GB) NTFS
3 Drive e: (New Volume) (Fixed) (Total:167.67 GB) (Free:167.57 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\PC
 
Administrator            Home                   Guest                    
 
========================= Minidump Files ==================================
 
C:\Windows\Minidump\042714-97017-01.dmp
C:\Windows\Minidump\051114-96861-01.dmp
C:\Windows\Minidump\083011-23056-01.dmp
C:\Windows\Minidump\083111-46893-01.dmp
C:\Windows\Minidump\090111-18033-01.dmp
C:\Windows\Minidump\090111-18423-01.dmp
C:\Windows\Minidump\090211-17487-01.dmp
C:\Windows\Minidump\090311-18142-01.dmp
C:\Windows\Minidump\090411-20638-01.dmp
C:\Windows\Minidump\090811-18751-01.dmp
C:\Windows\Minidump\100513-35427-01.dmp
========================= Restore Points ==================================
 
02-06-2015 07:08:27 Scheduled Checkpoint
14-06-2015 11:15:40 Scheduled Checkpoint
 
**** End of log ****


#6 TRG9386

TRG9386
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 02 July 2015 - 08:26 PM

I ran the other scan but it won't let me post the log because it says it has "too many emoticons." Any way around that?



#7 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:25 AM

Posted 03 July 2015 - 01:18 AM

This error is caused when there are a lot of detections by the BitDefender engine in EEK.

To solve this, you can format the contents of the log in code form - there is a button with two blue brackets on the toolbar above the reply area that will format your reply in a codebox.

#8 TRG9386

TRG9386
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 03 July 2015 - 01:42 AM

Emsisoft Emergency Kit - Version 10.0
Last update: 7/2/2015 8:22:38 PM
User account: PC\Home

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:	7/2/2015 8:25:00 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR 	detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR 	detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR 	detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD 	detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-21-928494432-4049917150-840380829-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD 	detected: Setting.DisableCMD (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS 	detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS 	detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS 	detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN 	detected: Setting.NoRun (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN 	detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN 	detected: Setting.NoRun (A)
Key: HKEY_USERS\S-1-5-21-928494432-4049917150-840380829-1000\SOFTWARE\YAHOOPARTNERTOOLBAR 	detected: Application.Win32.YTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASAPI32 	detected: Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASMANCS 	detected: Application.Win32.InstallExt (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS 	detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS 	detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS 	detected: Setting.NoFolderOptions (A)
C:\Users\Home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HS8HXIZ5\wajam_validate[1].exe 	detected: Application.InstallAd (A)
C:\Users\Home\AppData\Local\Temp\plugtmp-10\plugin-lpdf.php -> (INFECTED_JS) 	detected: PDF:Exploit.JS.K (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-10\plugin-lpdf.php -> (TIFF) 	detected: Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-10\plugin-lpdf.php -> (TIFF) 	detected: Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-15\plugin- -> (TIFF) 	detected: Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-13\plugin-lpdf.php -> (JAVASCRIPT) 	detected: Exploit.PDF-JS.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-13\plugin-lpdf.php -> (INFECTED_JS) 	detected: PDF:Exploit.JS.AC (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-13\plugin-lpdf.php -> (TIFF) 	detected: Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-13\plugin-lpdf.php -> (TIFF) 	detected: Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-15\plugin- -> (TIFF) 	detected: Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-1\plugin- -> (JAVASCRIPT) 	detected: Exploit.PDF-JS.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-1\plugin- -> (TIFF) 	detected: Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-1\plugin- -> (TIFF) 	detected: Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-4\plugin-lpdf.php -> (INFECTED_JS) 	detected: PDF:Exploit.PDF-JS.ABI (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-4\plugin-lpdf.php -> (TIFF) 	detected: Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-4\plugin-lpdf.php -> (TIFF) 	detected: Exploit.TIFF.Gen (B)

Scanned	112883
Found	33

Scan end:	7/2/2015 9:16:57 PM
Scan time:	0:51:57

C:\Users\Home\AppData\Local\Temp\plugtmp-4\plugin-lpdf.php	Quarantined Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-1\plugin-	Quarantined Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-15\plugin-	Quarantined Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-13\plugin-lpdf.php	Quarantined Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Temp\plugtmp-10\plugin-lpdf.php	Quarantined Exploit.TIFF.Gen (B)
C:\Users\Home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HS8HXIZ5\wajam_validate[1].exe	Quarantined Application.InstallAd (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS	Quarantined Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS	Quarantined Setting.NoFolderOptions (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASMANCS	Quarantined Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASAPI32	Quarantined Application.Win32.InstallExt (A)
Key: HKEY_USERS\S-1-5-21-928494432-4049917150-840380829-1000\SOFTWARE\YAHOOPARTNERTOOLBAR	Quarantined Application.Win32.YTool (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN	Quarantined Setting.NoRun (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN	Quarantined Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS	Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS	Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-928494432-4049917150-840380829-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD	Quarantined Setting.DisableCMD (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD	Quarantined Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR	Quarantined Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR	Quarantined Setting.DisableTaskMgr (A)

Quarantined	19



#9 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:25 AM

Posted 03 July 2015 - 03:01 AM

Hi there,

Download CCleaner and use it to clean out your temporary files.

Update Malwarebytes Anti-Malware and run a Threat Scan for me, then post the log here. You can find it in History => Application Logs.

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
After that we will need to address Windows Update - it looks broken.

Regards,
Alex

#10 TRG9386

TRG9386
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 03 July 2015 - 04:13 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/3/2015
Scan Time: 4:30 AM
Logfile: log1.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.03.01
Rootkit Database: v2015.07.01.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: Home

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 416410
Time Elapsed: 38 min, 25 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


#11 TRG9386

TRG9386
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 03 July 2015 - 04:27 PM

ESET Online Scanner did not find anything.



#12 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:25 AM

Posted 03 July 2015 - 04:37 PM

How is the computer running?

Just FYI, one or two dllhost.exe at a time is normal since it is a legit system file. It is when there are tons of those processes then we got a problem.

Regards,
Alex

#13 TRG9386

TRG9386
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 03 July 2015 - 05:07 PM

Things are running much better at the moment. Is it abnormal for the memory usage of a single dllhost.exe process to exceed 260,000 K? At least for the moment that problem seems to have resolved itself; I am no longer even seeing dllhost.exe at all in the task manager.



#14 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:25 AM

Posted 03 July 2015 - 05:11 PM

It can be, if *something* is using the process for malicious purposes.

Just to check, please open an elevated Command Prompt, type in sfc /scannow and press Enter. Let me know if anything is found or not.

Your EEK log indicates that the Malware Scan took nearly an hour to complete... how old is this hard drive?

#15 TRG9386

TRG9386
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 03 July 2015 - 06:25 PM

Scan is complete and says that Windows Protection "found corrupt files but was not able to fix some of them." It then says to refer to the log at C:\Windows\Logs\CBS\CBS.log. When I try to open it, access is denied.

 

The HD was installed/replaced in January 2013, I believe. The original one failed, so I cloned it on to the current one.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users