Hello. Please help. RE: dllhost.exe *32 multiple processes

Alto

New Member
Thread author
Nov 2, 2014
8
Hello MalwareTips Staff,

I have encountered the dllhost.exe*32 issue. I did have a Ransom:Win32/Crowti issue and possibly may still have it. Microsoft Essentials runs and warns me as well. It is the same issue, I believe, that all others have with the dllhost.exe*32 (COM Surrogate).

Please help, I deeply appreciate your time and support in this matter. I will check daily and reply as soon as I can. I would really like this issue to be resolved as I cannot do anything on my laptop. Please let me know if there is anything you need me to upload or run.

I have uploaded the Farbar Recovery Scan Tool results.

Thank you very much.
 

Attachments: FRST.txt (45.9 KB), Addition.txt (39.2 KB)

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Code:
Start
CustomCLSID: HKU\S-1-5-21-2842711328-3727693777-432756069-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {E5A28F36-C64C-43F9-9CA5-FF05331AD3C1} - \AutoKMS No Task File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
HKU\S-1-5-21-2842711328-3727693777-432756069-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2842711328-3727693777-432756069-1000\...\MountPoints2: {3263cfbc-8142-11e1-9226-c0f8dac6c39d} - "F:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-2842711328-3727693777-432756069-1000\...\MountPoints2: {8fc3ecda-d319-11e0-9c1c-806e6f6e6963} - H:\Autorun.exe
HKU\S-1-5-21-2842711328-3727693777-432756069-1000\...\MountPoints2: {cf6ee64e-1489-11e1-b0d5-c0f8dac6c39d} - F:\LaunchU3.exe -a
HKU\S-1-5-21-2842711328-3727693777-432756069-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM - {31090377-0740-419E-BEFC-A56E50500D5B} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {31090377-0740-419E-BEFC-A56E50500D5B} URL = http://search.conduit.com/Results.aspx?gd=&ctid=CT3319597&octid=EB_ORIGINAL_CTID&ISID=MFFECE766-0618-4440-A419-FF8DE7DE9CB4&SearchSource=58&CUI=&UM=5&UP=SP56D57CCF-67F4-4A4C-894C-C628ECF9A40E&q={searchTerms}&SSPV=
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
Toolbar: HKLM-x32 - Expat Shield Toolbar - {a060276a-53be-45ec-8ebe-b94b1e803179} - C:\Program Files (x86)\Expat_Shield\prxtbExpa.dll (Conduit Ltd.)
FF SearchEngineOrder.1: Search the web (Babylon)
FF Plugin HKCU: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Extension: safe save - C:\Users\Alskki\AppData\Roaming\Mozilla\Firefox\Profiles\ekgtcvio.default\Extensions\aiyifwfsv@iecxhwbbdf.net [2013-07-21]
CHR StartupUrls: Default -> "hxxp://speedial.com/?f=7&a=spd_ir_14_25_ch&cd=2XzuyEtN2Y1L1Qzu0FtD0B0FzyyByCyCyB0E0A0EtA0AtAyCtN0D0Tzu0SzytDtDtN1L2XzutBtFtBtCtFyBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StB0ByEtC0EzzzyyEtGyBzy0BtAtGzz0C0CtBtGyBzy0E0FtGtC0CyCyEtByC0D0AyBzy0AtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyCtCtB0BtCyDzytGtCtCtAyBtGzy0B0BzytGtDyC0EzytGyE0AtDtAyD0F0C0EyDtA0EyB2Q&cr=599121295&ir=", "hxxp://search.conduit.com/?gd=&ctid=CT3319597&octid=EB_ORIGINAL_CTID&ISID=MFFECE766-0618-4440-A419-FF8DE7DE9CB4&SearchSource=55&CUI=&UM=5&UP=SP56D57CCF-67F4-4A4C-894C-C628ECF9A40E&SSPV="
CHR DefaultSearchKeyword: Default -> speedial.com
CHR DefaultSearchURL: Default -> http://speedial.com/results.php?f=4&q={searchTerms}&a=spd_ir_14_25_ch&cd=2XzuyEtN2Y1L1Qzu0FtD0B0FzyyByCyCyB0E0A0EtA0AtAyCtN0D0Tzu0SzytDtDtN1L2XzutBtFtBtCtFyBtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StB0ByEtC0EzzzyyEtGyBzy0BtAtGzz0C0CtBtGyBzy0E0FtGtC0CyCyEtByC0D0AyBzy0AtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyCtCtB0BtCyDzytGtCtCtAyBtGzy0B0BzytGtDyC0EzytGyE0AtDtAyD0F0C0EyDtA0EyB2Q&cr=599121295&ir=
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
C:\Program Files (x86)\Pando Networks
S1 azxebmud; \??\C:\Windows\system32\drivers\azxebmud.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
C:\ProgramData\@system3.att
C:\Users\Alskki\AppData\Roaming\FrameworkUpdate7
C:\ProgramData\@system.temp
C:\Users\Alskki\AppData\Roaming\麽鎒駓覜
C:\Users\Alskki\AppData\Roaming\61e27ac.exe
C:\61e27ac
C:\ProgramData\Windows Genuine Advantage
C:\Users\Alskki\AppData\Roaming\INSTALL_TOR.URL
C:\Users\Alskki\AppData\INSTALL_TOR.URL
C:\Users\Alskki\AppData\Local\INSTALL_TOR.URL
C:\ProgramData\INSTALL_TOR.URL
EmptyTemp:
End
2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

=============== Next =================

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • The logfile will also be saved in the C:\AdwCleaner folder.
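As an added example (not part of the thread, and not FRST's or MalwareTips' own code), the script below shows how a responder might pre-screen an FRST log for the kinds of entries argus pulled into the fixlist above: the Poweliks-style CLSID LocalServer32 value that launches rundll32.exe with a javascript: argument instead of a path to an executable, MountPoints2 autorun handlers, services whose driver file is missing (marked [X]), the HideSCAHealth policy that silences Security Center, search scopes pointing at the hijacker domains seen in this log, and alternate data streams. The log lines are constructed in the FRST style (the SID and most paths are made up); the indicator list and the build_fixlist helper are assumptions of this example, and an automatically assembled list is a triage aid for the person writing the real fixlist, which, as the NOTICE above says, is machine-specific.

```python
import re

# Constructed FRST-style log lines for this example (made-up SID and paths,
# not the thread's real log). The CLSID GUID and the indicator strings
# mirror the entries the thread's fixlist targets.
SAMPLE_FRST_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-111-222-333-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...") <==== Poweliks?',
    r'CustomCLSID: HKU\S-1-5-21-111-222-333-1000_Classes\CLSID\{11111111-2222-3333-4444-555555555555}\localserver32 -> C:\Program Files\Vendor\app.exe (Vendor)',
    r'HKU\S-1-5-21-111-222-333-1000\...\Policies\Explorer: [HideSCAHealth] 1',
    r'HKU\S-1-5-21-111-222-333-1000\...\MountPoints2: {cf6ee64e-1489-11e1-b0d5-c0f8dac6c39d} - F:\LaunchU3.exe -a',
    r'SearchScopes: HKCU - {31090377-0740-419E-BEFC-A56E50500D5B} URL = http://search.conduit.com/Results.aspx?q={searchTerms}',
    r'SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}',
    r'S1 azxebmud; \??\C:\Windows\system32\drivers\azxebmud.sys [X]',
    r'R3 gooddrv; C:\Windows\system32\drivers\gooddrv.sys [123456 2012-01-01] (Vendor)',
    r'AlternateDataStreams: C:\ProgramData\TEMP:373E1720',
]

# Indicator name -> pattern. Each pattern describes one kind of entry the
# thread's fixlist removed; the set itself is an assumption of this example.
INDICATORS = [
    # Poweliks persistence: a COM LocalServer32 value that is not a path to an
    # executable but a rundll32.exe command carrying a javascript: argument.
    ("poweliks_clsid", re.compile(r"localserver32 -> rundll32\.exe javascript:", re.I)),
    # Security Center health notifications hidden by policy.
    ("hidden_security_center", re.compile(r"\[HideSCAHealth\] 1")),
    # Per-device autoplay handlers left behind by removable drives.
    ("mountpoints_autorun", re.compile(r"\\MountPoints2: \{[0-9a-f-]+\} - ", re.I)),
    # Search scopes / browser defaults pointing at the hijacker domains in this log.
    ("hijacked_search", re.compile(r"^(SearchScopes|CHR DefaultSearch\w+|CHR StartupUrls):.*(conduit\.com|speedial\.com)", re.I)),
    # Services whose driver file no longer exists (FRST marks these [X]).
    ("orphaned_driver", re.compile(r"^[SR][0-4] \S+; .*\.sys \[X\]$")),
    # Alternate data streams, which FRST lists on their own line.
    ("alternate_data_stream", re.compile(r"^AlternateDataStreams: ")),
]


def triage(lines):
    """Return (indicator, line) pairs for every log line matching an indicator.

    One finding per line: the first matching indicator wins.
    """
    hits = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((name, line))
                break
    return hits


def summarize(hits):
    """Count findings per indicator, for a quick overview before reading the log."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_fixlist(hits, empty_temp=True):
    """Assemble the flagged lines into fixlist.txt form (Start ... EmptyTemp: End).

    FRST acts on log lines copied verbatim, which is why the thread's fixlist
    still carries the '<==== Poweliks?' annotation. A human reviews this first.
    """
    body = [line for _, line in hits]
    if empty_temp:
        body.append("EmptyTemp:")
    return "\n".join(["Start", *body, "End"])


if __name__ == "__main__":
    found = triage(SAMPLE_FRST_LINES)
    for name, line in found:
        print(f"[{name}] {line[:90]}")
    print(summarize(found))
    print(build_fixlist(found))
```

Run it as-is to see the six findings from the constructed log; to use it on a real FRST.txt, pass `open("FRST.txt", encoding="utf-8", errors="replace")` to `triage` in place of the sample list. The legitimate CLSID entry, the Bing search scope and the driver with a file on disk are deliberately included so that the patterns can be checked against benign lines.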
 

Alto

New Member
Thread author
Nov 2, 2014
8
I downloaded AdwCleaner and copied and pasted the code into an open Notepad. Do I run another instance of Farbar Recovery Scan Tool then fix, or do I hit fix?
 

Alto

New Member
Thread author
Nov 2, 2014
8
It was correct to run fix on the Farbar Recovery Tool, I just re-read some of the commentary left by other moderators.
 

Alto

New Member
Thread author
Nov 2, 2014
8
I have attached the fixlog.txt.
For some reason, I'm still getting the "you do not have permission to download content" message. I just went into Settings, Internet, Advanced and reset settings, and I'm able to download again. Is there something I can do to fix this?

At the moment, since the boot-up, I do not see the dllhost.exe*32 process!!! :) Is it common to see a rundll32.exe *32 process running? I see a few *32 processes running... bluetoothheadsetProxy.exe *32, TrueSuite.ClientAppLoonExe.exe *32, ISBMgr.exe*32, IAStorIcon.exe *32, sidebar.exe*32, and iexplore.exe*32... should I be concerned? I recall seeing these before, but I never paid much attention; ever since this dllhost.exe*32, I'm looking a bit more for anomalies. I will be running AdwCleaner now.

Thank you very much. I will be donating soon to your purpose.
 

Attachments: Fixlog.txt (8.9 KB)

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
These are legitimate processes, do not worry.



The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old System Restore points and creates a fresh System Restore point after cleaning.

Greetings.
 

Alto

New Member
Thread author
Nov 2, 2014
8
The DL isn't working for me... when I click the DelFix... it just hangs, then I hit "click here for dl" and there's no action.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
You can delete the DelFix tool: right-click/delete.

Run AdwCleaner and click Uninstall.
 

Alto

New Member
Thread author
Nov 2, 2014
8
Cool. I ran AdwCleaner and uninstalled it. It didn't catch anything. Another issue arose... when I went to open my Word document this morning (resume), it was corrupted; there was some encryption and the language was all in coding. I did try to open it, and it came out not original. When I went to download recent resumes I have sent out, I was unable to download it from Gmail. I clicked the download button a few times with no results; I didn't even see the download queue/load prompt.

Please let me know what I can do to fix this. I need to send my resume out to a potential employer and I don't want to send it via work.

Thanks,
 

Alto

New Member
Thread author
Nov 2, 2014
8
Ah, I deleted that file. I do have the file from my outbox. However, I can't download it. I have tried resetting IE and the settings within IE.
 

Alto

New Member
Thread author
Nov 2, 2014
8
Cool. It says that the threat is not found. So, I'm clear of that. I'll probably end up not using IE and probably just use chrome or mozilla because the DL works with that.

Thanks a lot!!! Glad to help with your services!
 
