dllhost.exe*32 com surrogate powelik trojan
- Thread starter super_jj
- Start date
Hi,
Please download Farbar Recovery Scan Tool (
) by Farbar and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
Please download Farbar Recovery Scan Tool (
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
================== Next ===================
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Code:
Start
CustomCLSID: HKU\S-1-5-21-2709539357-2449112603-2696348575-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {49B45FB8-2B18-4A6C-B73E-AFF1879B1A4F} - System32\Tasks\Desk 365 RunAsStdUser => C:\Program Files (x86)\Desk 365\desk365.exe <==== ATTENTION
Task: {91D5EE35-7D9B-4536-A5C6-D54A888A1664} - System32\Tasks\0 => Iexplore.exe <==== ATTENTION
Task: {E6755094-A669-457F-A971-562711F2FCC6} - System32\Tasks\4329 => Wscript.exe C:\Users\JJ\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Run: [iLivid] => "C:\Users\JJ\AppData\Local\iLivid\iLivid.exe" -autorun
C:\Users\JJ\AppData\Local\iLivid
HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\MountPoints2: D - D:\Special_Offers_from_SPHE_PC.exe
HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
AppInit_DLLs-x32: c:\progra~2\websea~1\sprote~1.dll => "c:\progra~2\websea~1\sprote~1.dll" File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKCU - YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&sr=0&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&sr=0&q={searchTerms}
SearchScopes: HKLM - {B9549983-E98B-4BBE-8524-F21403760D21} URL =
SearchScopes: HKCU - {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = http://www2.mystart.com/results.php?pr=vmn&id=yolobartb&v=1_0&ent=ch&q={searchTerms}
SearchScopes: HKCU - {3E76C74A-C28D-4B12-9C48-2865A4B5620C} URL = http://us.yhs4.search.yahoo.com/yhs/search?hspart=oc&hsimp=yhs-001&p={searchTerms}&type=tb_ie_chr
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&sr=0&q={searchTerms}
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
SearchScopes: HKCU - {B9549983-E98B-4BBE-8524-F21403760D21} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3316751&CUI=UN27598403892731187&UM=2&UP=SPF2D5698C-EFDB-47CF-9569-2B050B74D170&SSPV=
FF HKLM-x32\...\Firefox\Extensions: [ya3t@baxjtjd.co.uk] - C:\Users\JJ\AppData\Roaming\Mozilla\Firefox\Profiles\at0valdt.default\extensions\ya3t@baxjtjd.co.uk
FF HKLM-x32\...\Firefox\Extensions: [ofblsrj@h-jljp.net] - C:\Users\JJ\AppData\Roaming\Mozilla\Firefox\Profiles\at0valdt.default\extensions\ofblsrj@h-jljp.net
FF HKLM-x32\...\Firefox\Extensions: [fxp4n0do@xco-o.org] - C:\Users\JJ\AppData\Roaming\Mozilla\Firefox\Profiles\at0valdt.default\extensions\fxp4n0do@xco-o.org
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [fbnmfdkmgihfljaegoejdjonfdpkdlci] - C:\Users\JJ\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx [2013-09-30]
C:\Users\JJ\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx
CHR HKCU\...\Chrome\Extension: [fbnmfdkmgihfljaegoejdjonfdpkdlci] - C:\Users\JJ\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx [2013-09-30]
CHR Extension: (No Name) - C:\Users\JJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbnmfdkmgihfljaegoejdjonfdpkdlci [2013-12-07]
C:\Users\JJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbnmfdkmgihfljaegoejdjonfdpkdlci
C:\ProgramData\Conduit
EmptyTemp:
EndNOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
================== Next ===================
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
- Click on the Scan button.
- After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
- After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
- Post logfile will also be saved in the C:\AdwCleaner folder.
It seems to be running better. I haven't seen the dllhost.exe*32 show up again under processes. There are a few other .exe*32 but I'm not sure if those are supposed to be there. There is one for Norton, 2 for internet explorer some different ones for HP, and one called tea timer. It is definitely running quicker now and I haven't' seen the failed powershell message at start up and my internet explorer settings seem to be staying how I want them.
It is legitimate.
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes below;
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.
You may also like...
-
Korean malware removal tool I have never heard about before- Started by Parkinsond
- Replies: 19
-
wa-whatsapp(dot)com Is it Phishing/Scam?- Started by RRlight
- Replies: 17
-
Google "Results about you": Has any one used? How were your experiences?- Started by Wrecker4923
- Replies: 3
-
Emojis in PureRAT’s Code Point to AI-Generated Malware Campaign- Started by Brownie2019
- Replies: 11
-
Kaspersky detected trojan win 32 generic. Should I full format my pc?- Started by gfgtkitkat34
- Replies: 21