Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

dllhost.exe malware [Solved]


  • This topic is locked This topic is locked

#1
Rrtaya_Tsamsiyu

Rrtaya_Tsamsiyu

    Member

  • Member
  • PipPip
  • 16 posts

Problems only occure when connected to the internet.

Edit; now seeing popups even when not connected, but i can end the extra dllhost processes without them coming back when not connected.

 

Multiple instances of dllhost seen running in Task Manager, i'm also having constant Malwarebytes popups.

The popups always say the process is dllhost.exe, type Outbound.

 

i also have url malware blocked by Avast every now and then.

 

Malwarebytes has removed a quite a few things but it hasn't seen anything wrong with dllhost.

 

Seems very similar to what's in this guy's post.

 

Here's my OTL log;

Spoiler

 

Any help is appreciated.


Edited by Rrtaya_Tsamsiyu, 02 October 2014 - 02:19 PM.

  • 0

Advertisements


#2
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Greetings Rrtaya_Tsamsiyu and :welcome:

My nickname is Ruggie and I will be assisting you in cleaning your computer.
Please be aware I am currently in the final stages of training right now and all my work will be checked by an instructor so there may be a slight delay between posts. The added benefit to this is that you will have 2 sets of eyes looking at your problem so you can be assured you will get the best possible help.

  • Malware removal can be a long process and will at times get complicated with multiple steps to perform to ensure that your system is no longer infected.
  • When we start the process, the list of instructions must be followed closely, it may seem difficult at times but it is important that you stay with me until your computer is declared clean.
  • If you are receiving help elsewhere, please let me know so we can close this thread and help someone else.

stop32.png Before going any further, I recommend that you print out (or save to a file) these guidelines and also the instructions when I post them, as part of the repair process may involve going into safe mode and therefore you will not have internet access.

The following guidelines are important but the ones highlighted in RED are of the highest importance and must not be skipped.

right-grn.pngPlease save all tools to the desktop,. Our tools are updated very regularly, sometimes several times per day so always download the latest version from the links I provide.

right-grn.pngPlease be aware, the fixes we perform are specific to this machine, at this moment in time. They must not be used on another computer or unsupervised at another time. This can render your computer unbootable.

right-grn.pngIf at all possible, Make backups of all your important files, whilst we will do our best to ensure that no files are lost or damaged, sometimes things can go wrong.

right-grn.png I will do everything in my power to ensure that this clean is successful, but occasionally failure hits us all. In this event, please have your original installation disks to hand and be prepared to have to format and reinstall your computer.

right-grn.png Refrain from using any tool that hasn't been instructed as it could alter the process that we are working through and cause further problems. Also only use the tools I instruct in the manner provided as they are very powerful and if not used properly can cause even more problems. It is best if you can avoid using the computer at all, apart from to perform the cleaning steps to ensure that any infections aren't spread.

right-grn.pngPlease stick with me until the end. malware removal is difficult and time consuming. We have to analyse hundreds of lines in log files. This takes time which we give freely so I ask that you do us the courtesy of seeing it through.

right-grn.png Only paste the contents of log files into your reply, DO NOT attach any log files unless requested to do so.

right-grn.png If you have any questions or get stuck, stop and ask....I am here to help you make this go as smoothly as possible.

right-grn.png If you do not reply within 3 days, your topic will be closed. It can be reopened if you ask. But if you plan on being gone for a longer period, just let me know and I will hold it open for you.

Ready? Now lets get to work

 

I am currently looking through your logs and will be back shortly with some fixes for you.


  • 0

#3
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Hello again :D
Let's get started on clearing you up. I also need to see the extras file that OTL created when it was run. This will be located at C:\Users\Isaiah\Downloads\extras.txt

Step 1

OTL fix

Ensure OTL is located on your desktop. Please move the OTL.exe file from C:\Users\Isaiah\Downloads and place on your desktop.
Right click it and select Run As Administrator.

Copy the text in the following box (do not include the word Quote). To do this, highlight everything
inside the quote box (except the word Quote) , right click and click Copy.
 

:COMMANDS
[createrestorepoint]

:OTL

O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O33 - MountPoints2\{00f9b7b4-ff83-11e2-a04c-b870f481740f}\Shell - "" = AutoRun
O33 - MountPoints2\{00f9b7b4-ff83-11e2-a04c-b870f481740f}\Shell\AutoRun\command - "" = E:\setup.exe -a
O33 - MountPoints2\{94b1eca6-2982-11e1-85c2-b870f481740f}\Shell - "" = AutoRun
O33 - MountPoints2\{94b1eca6-2982-11e1-85c2-b870f481740f}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{ab90041d-0ef5-11e4-a1b1-b870f481740f}\Shell - "" = AutoRun
O33 - MountPoints2\{ab90041d-0ef5-11e4-a1b1-b870f481740f}\Shell\AutoRun\command - "" = E:\VerizonWirelessUpgradeAssistantSetup.exe -a
@Alternate Data Stream - 115 bytes -> C:\ProgramData\Temp:BC359956


:COMMANDS
[resethosts]
[emptytemp]

Next, right click in the box named Custom Scans/Fixes and select paste.

otl-run-fix.jpg

This will insert the code into OTL.

Now click Run Fix

OTL will generate a report when it has finished. Please paste the contents of this report in your next post.

Step 2

Junkware Removal Tool
Please download Junkware Removal Tool to your desktop. << Important

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by right-clicking jrt.png and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 3

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the adwcleaner.pngAdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

    AdwScan.jpg?
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove. Please Do Not delete anything at this time.
  • Click the Report button to get the log.
  • Copy and Paste it into your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[R0].txt.
  • Click the X in the upper right corner of the program or click the File menu and click Exit to close the program.

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Items I need to see in your next post:

  • OTL Fixlog
  • OTL Extras log
  • JRT Log
  • ADWcleaner Scan Log

  • 1

#4
Rrtaya_Tsamsiyu

Rrtaya_Tsamsiyu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts

Thanks for the help:]

Here's the extras file;

Spoiler


i absentmindedly exited out of notepad when the OTL Fix log came up. i havn't been able to find where it saved at, or if it ever saved. sorry

Here's the JRT log;

Spoiler


And here's the ADWCleaner Scan log;
Spoiler

 

sorry i lost the fix log


  • 0

#5
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Hi, Thanks for the logs you have sent.

 

The OTL file can be found in this location C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).


  • 1

#6
Rrtaya_Tsamsiyu

Rrtaya_Tsamsiyu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts

Thanks, got it.

Spoiler

  • 0

#7
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Hi there, sorry for the delay. How are things running at the moment? Are you still getting the strange popups?

Step 1

We need to uninstall some programs.

Open Programs and Features by clicking the Start button, clicking Control Panel, clicking Programs, and then clicking Programs and Features.

Select the following programs from the list below, one at a time and click Uninstall.

  • Yontoo 1.10.02
  • McAfee Security Scan Plus

Step 2

Re-run AdwCleaner

Close all open windows and browsers.

  • Right click the adwcleaner.pngAdwCleaner icon, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • Click the Scan button and wait for the scan to complete.
  • When the Scan has finished the Scan button will be grayed out and the Clean button will be activated.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot, allow this

    adwcleaner_delete_restart.jpg
  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

Step 3

New OTL Scan

OTLI.gifOTL

  • Ensure OTL is located on your desktop. If it is not, then please download from http://oldtimer.geekstogo.com/OTL.exe and save it to your desktop.
  • Double Click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window. OTL.Txt . This is saved in the same location as OTL.
    Please copy (Edit->Select All, Edit->Copy) the contents of this file, and paste it into your reply.

Items I need to see in your next post:

  • Adwcleaner Log
  • OTL log

  • 1

#8
Rrtaya_Tsamsiyu

Rrtaya_Tsamsiyu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts

i uninstalled McAfee, it said it appeared that yontoo was already uninstalled and removed the entry

 

Adwcleaner;

Spoiler

 

And OTL;

Spoiler

 

Thanks again for all the help


  • 0

#9
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Thats great thanks.

What about the popups? Are they still occuring?


  • 0

#10
Rrtaya_Tsamsiyu

Rrtaya_Tsamsiyu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts

Most of the popups were notifications of things that McAfee was catching, i had disabled the notifications because they were constant.

 

i can tell the problem is still there though by going into task manager and seeing all the extra dllhost processes whenever i'm connected to the internet. i can also tell by seeing how much data my computer is uploading/downloading while not using the internet, and it's still alot more than what it should be


  • 0

Advertisements


#11
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Hi, is it McAfee or Malwarebytes that is giving the notifications?

I would like you to perform the following steps to get another look at what is going on.


Step 1

Run Malwarebytes' Anti-Malware

  • Start Malwarebytes
  • Now select the Settings tab, and check the box next to Scan for rootkits:
    MBAM3_zps83324155.png
  • Go back to the Dashboard tab, and click the Scan Now button:
    MBAM4_zpse3cd4a79.png
  • The scan may take some time to finish,so please be patient.
    MBAM5_zps36d7537b.png
  • When the scan is complete, it will show you the results. (This one is clean):
    MBAM65_zpsb0aa143c.png
  • If threats are detected, click the Apply Actions button.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note below) If the log doesn't open, select View detailed log in the Scan tab:
    MBAM7_zps782405f0.png
  • The log is automatically saved by MBAM and can be viewed by going to the History tab and clicking on Application Logs:
    MBAM9_zps1f87702b.png
  • Choose the latest Scan Log, and click on the View button:
    MBAM10_zps5a48f689.png
  • In the bottom of the Scanning History Log window that opens, you can click on Export > Save to Text file (*.txt). Save the report to your Desktop.
    MBAM8_zpsad402941.png
  • Copy & Paste the entire contents of the report log in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

*** In your next reply, I need you to Copy&Paste the contents of the MBAM log file.


Step 2

Please run a free online scan with the ESET Online Scanner
<< Please disable any existing anti virus product before performing the following. >>

  • Click Run Eset Online Scanner

Runscan.png


Note: You will need to use Internet Explorer or Firefox (You will be prompted to install a helper program if you use firefox)for this scan.
Important: Please disable your existing AV software for the duration of the scan. If you need instructions on how to disable it, please check out this site: http://www.bleepingc...lware-programs/

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Enable detection of potentially unwanted applications is checked
  • Next click on Advanced Settings and select:

eset-selections.png

  • Make sure that the option Remove found threats is NOT checked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

eset-selections.png

  • Click Start, the virus database will update, this may take a while depending on your internet connection.
  • Once updated, the online scan will begin. (This scan can take several hours, so please be patient)
  • Once the scan is completed, click Finish
  • Use Notepad to open the logfile located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Items I need to see in your next post:

  • Malwarebytes Log
  • ESET Scan Log

  • 0

#12
Rrtaya_Tsamsiyu

Rrtaya_Tsamsiyu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts

Sorry, it was Malwarebytes giving them, got the names mixed up. i renabled notifications, it's still catching stuff.

Also, saw a Avast popup, this time it was a file called svchost trying to connect to the internet. Most of the connections that are caught are from dllhost.

 

i did the Malwarebytes scan, i'll have to wait until Sunday to do the ESET scan though. i'm almost out of data for this month due to those files trying to connect.

 

Here's the malwarebytes scan;

Spoiler

 

Edit; i was planning on using the internet at church to do the scan, since it's unlimited, but wasn't able to go. i'll do the scan as soon as i can, it might be another week though.


Edited by Rrtaya_Tsamsiyu, 13 October 2014 - 02:45 PM.

  • 0

#13
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

No problem. :D


  • 0

#14
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts
Hi. Don't worry about the ESET Scan.
Lets try a log from another diagnostic tool that is very powerful.
It's a very small download (2.01MB) so you may have more luck getting it. But don't worry, do it when you are able.

Initial FRST Scan

Please download Farbar Recovery Scan Tool 64 bit and save it to your Desktop.
  • Right click frst.png to run as administrator. When the tool opens click Yes to the disclaimer.
  • Ensure that the following are ticked as in the image below

    Drivers MD5
    Addition.txt
    frst-addition.png
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • This will also generate another log (Addition.txt - also located in the same directory as FRST64.exe). Please also paste that along with the FRST.txt into your reply.
Items I need to see in your next post:
  • FRST.txt
  • Addition.txt

  • 1

#15
Rrtaya_Tsamsiyu

Rrtaya_Tsamsiyu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts

Sorry for the late reply. If you want, i'll be able to do the ESET scan anytime from now until Sunday afternoon when i go home.

Here's the FRST;

Spoiler

 

And the Addition;

Spoiler


Edited by Rrtaya_Tsamsiyu, 17 October 2014 - 05:26 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP