
Powershell spawning DLLHOST.exe *32 Comm Surrogate [Solved]

7 replies to this topic

#1 GeeksOnTime (New Member, 4 posts)

Posted 16 November 2014 - 02:51 PM

I am a PC tech but not afraid to admit when I need help. I have a computer running Windows Vista that is displaying multiple instances of the DLLhost 32. The %temp% folder had 25gb of files in it. It looks like the DLL is used to click on internet ads.

Panda antivirus is not catching it. I have looked at several removal procedures I found in different forums, but they seem to fall apart. My guess is they were not written with Vista in mind. I would greatly appreciate any advice you can offer and have uploaded the customary Farbar scan.


Attached File  FRST.txt   43.88KB   210 downloads



#2 ---------------- (SuperMember, Authentic Member, 1,095 posts)

Posted 17 November 2014 - 05:06 AM

Hi there,
my name is Marius, and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me reviewing your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.


Please post the addition.txt by FRST as well!


Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB

#3 GeeksOnTime (New Member, 4 posts)

Posted 18 November 2014 - 12:57 PM

I am attaching a fresh FRST scan with the Addition.txt. The other scan is still running after 20 hours. I chose to scan the C: drive, and the trojan has created gigabytes of temporary internet files even after I deleted them manually. I rarely choose quick scans out of fear they miss something. However, would you like me to allow the full scan to finish or cancel it and run a quick scan?

Attached File  Addition.txt   34.47KB   314 downloads
Attached File  FRST.txt   45.7KB   247 downloads



#4 GeeksOnTime (New Member, 4 posts)

Posted 18 November 2014 - 03:55 PM

Here is the other scan

Attached Files



#5 ---------------- (SuperMember, Authentic Member, 1,095 posts)

Posted 21 November 2014 - 05:02 PM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#6 GeeksOnTime (New Member, 4 posts)

Posted 21 November 2014 - 10:05 PM

Thank you so much for your attention. I was able to reach out elsewhere and get the matter resolved. Turns out there is a registry key that is created that contains all the JavaScript.

Please close the request & accept a small token of my gratitude. 
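A defender-side check that follows from this resolution, added here as an example and not something posted in the thread: it walks the standard Run/RunOnce autorun keys and reports values that look like inline script content rather than a plain program path. The length threshold, the pattern list and the key list are assumptions, not details from the thread.

```powershell
# Added example (not from the thread): flag autorun registry values that carry
# script content instead of a path to an executable. Assumed key list; extend as needed.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicators of inline script rather than a file path (-match is case-insensitive).
$scriptPattern = 'javascript:|mshta|rundll32|powershell|-enc|FromBase64String|WScript\.Shell|eval\('
$maxNormalLength = 512   # assumed: a legitimate Run value is a short command line

function Get-SuspiciousAutorun {
    foreach ($keyPath in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            # Read raw data without expanding %VAR% so the stored text is inspected as-is.
            $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $reasons = @()
            if ($data.Length -gt $maxNormalLength) { $reasons += "length=$($data.Length)" }
            if ($data -match $scriptPattern)       { $reasons += "pattern=$($Matches[0])" }
            if ($reasons.Count -eq 0) { continue }
            [pscustomobject]@{
                Key     = $keyPath
                Name    = $name
                Reason  = ($reasons -join '; ')
                Preview = $data.Substring(0, [Math]::Min(120, $data.Length))
            }
        }
    }
}

# Run from an elevated prompt so HKLM values are readable; review hits before acting.
Get-SuspiciousAutorun | Format-Table -AutoSize -Wrap
```

A hit is a lead for review (compare it against known-good startup entries and the FRST output), not by itself a verdict.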



#7 ---------------- (SuperMember, Authentic Member, 1,095 posts)

Posted 04 December 2014 - 06:46 AM

Thank you! :)



#8 ---------------- (SuperMember, Authentic Member, 1,095 posts)

Posted 04 December 2014 - 06:46 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.