dllhost.exe virus

JimR

New Member
Thread author
Nov 1, 2014
As stated, a few days ago the system began to run sluggish; Internet Explorer and Steam stopped working. Installed mbam, scanned and removed some stuff, but it didn't seem to fix the issue. Except now, when I ran IE, mbam would come up with a message stating a website request was blocked: from 1e90ff.com port 31.184.192.80 port 53131 and process ....\dllhost.exe. There was another similar message also. Wasn't sure if I should start a new thread or just follow the instructions of another one of the recent dllhost.exe solutions. I have attached the FRST scan log.

Thanks
 

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Code:
CloseProcesses:
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HHKU\S-1-5-21-3848090420-445005937-1235240380-1000\...\Run: [Google Update**.d<*>] => "C:\Users\Rochford\AppData\Local\Google\Desktop\Install\{89b28d7a-768f-f009-f0fe-b089ebd25055}\d'x"Ù"\", &h#\. ùû[\{89b28d7a-768f-f009-f0fe-b089ebd25055}\GoogleUpdate.exe" > <===== ATTENTION (Value Name with invalid
KLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-3848090420-445005937-1235240380-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-3848090420-445005937-1235240380-1000\$89b28d7a768ff009f0feb089ebd25055\n. ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-3848090420-445005937-1235240380-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
C:\Users\Rochford\AppData\Local\Google\Desktop\Install\{89b28d7a-768f-f009-f0fe-b089ebd25055}
C:\$Recycle.Bin\S-1-5-21-3848090420-445005937-1235240380-1000\$89b28d7a768ff009f0feb089ebd25055\n.
SearchScopes: HKCU - DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
SearchScopes: HKCU - {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={606C4C43-911F-4BFC-96A5-62F23FFFB551}&mid=c0a730720f90459694f1f34db1fd99a8-a31aa17a1537661cafb3c1c6f11192ba221c9d0f&lang=en&ds=hk018&pr=sa&d=2013-09-12 15:49:51&v=17.1.2.1&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} -  No File
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 07 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 07 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
FF Homepage: hxxp://mysearch.avg.com/?cid={606C4C43-911F-4BFC-96A5-62F23FFFB551}&mid=c0a730720f90459694f1f34db1fd99a8-a31aa17a1537661cafb3c1c6f11192ba221c9d0f&lang=en&ds=hk018&pr=sa&d=2013-09-12 15:49:51&v=18.0.5.292&pid=safeguard&sg=0&sap=hp
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{89b28d7a-768f-f009-f0fe-b089ebd25055}\  \...\???\{89b28d7a-768f-f009-f0fe-b089ebd25055}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Program Files (x86)\Google\Desktop\Install\{89b28d7a-768f-f009-f0fe-b089ebd25055}
S1 zeplegtc; \??\C:\Windows\system32\drivers\zeplegtc.sys [X]
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
C:\Users\Rochford\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
C:\$Recycle.Bin\S-1-5-21-3848090420-445005937-1235240380-1000\$89b28d7a768ff009f0feb089ebd25055
C:\$Recycle.Bin\S-1-5-18\$89b28d7a768ff009f0feb089ebd25055
C:\ProgramData\nogolniw.pad
C:\Users\Rochford\googleupdate.exe
C:\Users\Rochford\opera.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
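The fixlist above targets two families that FRST flagged in the log: Poweliks (a COM LocalServer32 value that runs rundll32.exe with a javascript: URL so the payload lives only in the registry) and ZeroAccess (system COM objects whose InprocServer32 is redirected into a $Recycle.Bin\<SID>\$<hex> folder, plus broken Winsock catalog entries). The following is an added triage example, not part of this thread or of FRST itself; it classifies FRST-style log lines by those indicators, and every sample line, SID, CLSID and path in it is constructed for illustration.

```python
import re

# Constructed sample lines in the style of an FRST log. SIDs, CLSIDs and
# paths are made up for this example and are not taken from the thread.
SAMPLE_FRST_LINES = [
    r'HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\...\{AAAAAAAA-0000-0000-0000-000000000001}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...")',
    r'HKLM\...\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32: [Default-fastprox] C:\Windows\System32\wbem\fastprox.dll (Microsoft Corporation)',
    r'HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\...\{CCCCCCCC-0000-0000-0000-000000000003}\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1000\$0123456789abcdef0123456789abcdef\n.',
    r'Winsock: Catalog5 07 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"',
    r'HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe',
]

# ZeroAccess hideout: a 32-hex-digit "$..." folder under $Recycle.Bin\<SID>\
ZEROACCESS_PATH = re.compile(r'\\\$recycle\.bin\\s-1-5-[\d-]+\\\$[0-9a-f]{32}')


def classify_frst_line(line):
    """Return the indicator tags that match one FRST log line ([] if nothing matches)."""
    tags = []
    lower = line.lower()
    # Poweliks: COM LocalServer32 default value launches rundll32.exe with a
    # javascript: URL, so mshtml evaluates script stored in the registry value.
    if 'localserver32' in lower and 'rundll32.exe javascript:' in lower:
        tags.append('poweliks-com-hijack')
    # ZeroAccess: a system COM object's InprocServer32 redirected into the
    # $Recycle.Bin\<SID>\$<hex> folder (the trailing "\n." is part of the trick).
    # A fastprox/shell32 entry that still points into System32 is left alone.
    if 'inprocserver32' in lower and ZEROACCESS_PATH.search(lower):
        tags.append('zeroaccess-com-hijack')
    # Winsock catalog entries whose library is missing break networking
    # (ZeroAccess damages these); FRST reports them as "File Not found".
    if lower.startswith('winsock:') and 'file not found' in lower:
        tags.append('winsock-broken-catalog')
    return tags


def scan_frst_lines(lines):
    """Return (index, tags) for every line that carries at least one indicator."""
    hits = []
    for index, line in enumerate(lines):
        tags = classify_frst_line(line)
        if tags:
            hits.append((index, tags))
    return hits


if __name__ == '__main__':
    for index, tags in scan_frst_lines(SAMPLE_FRST_LINES):
        print(index, tags, SAMPLE_FRST_LINES[index][:70])
```

The matching is deliberately narrow (an explicit javascript: launcher or a Recycle.Bin-hosted COM server), so a legitimate fastprox.dll or shell32 registration is not reported.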
 
Saved the code in Notepad as fixlist.txt, placed it on the desktop, and also placed FRST.txt and FRST64.exe on the desktop. Ran FRST64.exe and clicked Fix once. A fixlog.txt was created on the desktop, but 12 hours later FRST still says "fixing in progress. please wait". It's been a little over 12 hours; not sure how long the process is supposed to take. Either way, I attached the fixlog that was created.
 

IE doesn't load up; it just locks up immediately upon opening. However, the Steam application has now been freed up.
 
Rebooted and still the same. IE seems to be the only thing affected (not running). Computer performance appears to be the same as it was prior to infection.
 
Scan with Combofix:
  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.
  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.
  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
    (typical log location: C:\ComboFix.txt )
 
Ran the ComboFix NSIS installer, but I don't see a report logged anywhere. It did create a C: folder that just points back at the disk drives, and hardware pointed back at the computer. If the installer is supposed to install a ComboFix exe, I don't see it.
 
So, it appears that ComboFix backs up the registry but never actually does a scan; it just stops after backing up the registry. I have no anti-virus or protection programs running.
 
Downloaded it again; ComboFix just runs, extracts data, does a registry backup, creates an output folder C:\32788R22FWJFW, then sits for 10 seconds or so and just ends.
 
Re-run FRST.exe as you did before ...

  • Download fixlist.txt that you find attached at the bottom of this post and save it same place you
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt and will keep that log in the same folder where FRST.exe is.


  • Attach fixlog.txt here as your log report.
 