Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Support
Windows Malware Removal Help & Support
dllhost.exe*32 com surrogate powelik trojan
Message
<blockquote data-quote="argus" data-source="post: 291500" data-attributes="member: 21493"><p><strong>1.</strong> Open notepad and copy/paste the text present inside the code box below.</p><p><em>To do this highlight the contents of the box and right click on it. Paste this into the open notepad. </em></p><p><span style="color: red"><strong>NOTICE:</strong> This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system</span></p><p>[code]</p><p>Start</p><p>CustomCLSID: HKU\S-1-5-21-2709539357-2449112603-2696348575-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?</p><p>Task: {49B45FB8-2B18-4A6C-B73E-AFF1879B1A4F} - System32\Tasks\Desk 365 RunAsStdUser => C:\Program Files (x86)\Desk 365\desk365.exe <==== ATTENTION</p><p>Task: {91D5EE35-7D9B-4536-A5C6-D54A888A1664} - System32\Tasks\0 => Iexplore.exe <==== ATTENTION</p><p>Task: {E6755094-A669-457F-A971-562711F2FCC6} - System32\Tasks\4329 => Wscript.exe C:\Users\JJ\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION</p><p>HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1</p><p>HKLM\...\Policies\Explorer: [HideSCAHealth] 1</p><p>HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Run: [iLivid] => "C:\Users\JJ\AppData\Local\iLivid\iLivid.exe" -autorun</p><p>C:\Users\JJ\AppData\Local\iLivid</p><p>HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [TaskbarNoNotification] 1</p><p>HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [HideSCAHealth] 1</p><p>HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [NoFolderOptions] 0</p><p>HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [HideClock] 0</p><p>HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [NoFind] 0</p><p>HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [NoViewContextMenu] 0</p><p>HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\MountPoints2: D - D:\Special_Offers_from_SPHE_PC.exe</p><p>HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!</p><p>AppInit_DLLs-x32: c:\progra~2\websea~1\sprote~1.dll => "c:\progra~2\websea~1\sprote~1.dll" File Not Found</p><p>CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION</p><p>URLSearchHook: HKCU - YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File</p><p>SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&sr=0&q={searchTerms}</p><p>SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&sr=0&q={searchTerms}</p><p>SearchScopes: HKLM - {B9549983-E98B-4BBE-8524-F21403760D21} URL =</p><p>SearchScopes: HKCU - {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = http://www2.mystart.com/results.php?pr=vmn&id=yolobartb&v=1_0&ent=ch&q={searchTerms}</p><p>SearchScopes: HKCU - {3E76C74A-C28D-4B12-9C48-2865A4B5620C} URL = http://us.yhs4.search.yahoo.com/yhs/search?hspart=oc&hsimp=yhs-001&p={searchTerms}&type=tb_ie_chr</p><p>SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&sr=0&q={searchTerms}</p><p>SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =</p><p>SearchScopes: HKCU - {B9549983-E98B-4BBE-8524-F21403760D21} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3316751&CUI=UN27598403892731187&UM=2&UP=SPF2D5698C-EFDB-47CF-9569-2B050B74D170&SSPV=</p><p>FF HKLM-x32\...\Firefox\Extensions: [ya3t@baxjtjd.co.uk] - C:\Users\JJ\AppData\Roaming\Mozilla\Firefox\Profiles\at0valdt.default\extensions\ya3t@baxjtjd.co.uk</p><p>FF HKLM-x32\...\Firefox\Extensions: [ofblsrj@h-jljp.net] - C:\Users\JJ\AppData\Roaming\Mozilla\Firefox\Profiles\at0valdt.default\extensions\ofblsrj@h-jljp.net</p><p>FF HKLM-x32\...\Firefox\Extensions: [fxp4n0do@xco-o.org] - C:\Users\JJ\AppData\Roaming\Mozilla\Firefox\Profiles\at0valdt.default\extensions\fxp4n0do@xco-o.org</p><p>FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]</p><p>CHR HKLM-x32\...\Chrome\Extension: [fbnmfdkmgihfljaegoejdjonfdpkdlci] - C:\Users\JJ\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx [2013-09-30]</p><p>C:\Users\JJ\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx</p><p>CHR HKCU\...\Chrome\Extension: [fbnmfdkmgihfljaegoejdjonfdpkdlci] - C:\Users\JJ\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx [2013-09-30]</p><p>CHR Extension: (No Name) - C:\Users\JJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbnmfdkmgihfljaegoejdjonfdpkdlci [2013-12-07]</p><p>C:\Users\JJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbnmfdkmgihfljaegoejdjonfdpkdlci</p><p>C:\ProgramData\Conduit</p><p>EmptyTemp:</p><p>End</p><p>[/code]<strong>2.</strong> Save notepad as <u><strong>fixlist.txt</strong></u> to your Desktop.</p><p><em><u><strong><span style="color: #008000">NOTE:</span></strong></u> => It's important that both files, <strong>FRST</strong> and <strong>fixlist.txt</strong> are in the same location or the fix will not work.</em></p><p><strong>3.</strong> Run <strong><span style="color: #0000FF">FRST/FRST64</span></strong> and press the <strong>Fix</strong> button just once and wait.</p><p><em>If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.</em></p><p>The tool will make a log on the Desktop (<strong>Fixlog.txt</strong>). Please attach it to your reply.</p><p><em><span style="color: #008000"><strong>Note: If the tool warned you about the outdated version please download and run the updated version.</strong></span></em></p><p></p><p></p><p></p><p>================== Next ===================</p><p></p><p></p><p></p><p></p><p>Please download <strong><a href="http://www.bleepingcomputer.com/download/adwcleaner/" target="_blank"><span style="color: blue">AdwCleaner</span></a></strong> by Xplode and save to your Desktop.</p><p></p><p>Double click on <strong>AdwCleaner.exe</strong> to run the tool.</p><ul> <li data-xf-list-type="ul">Click on the <strong>Scan</strong> button.</li> <li data-xf-list-type="ul">After the scan has finished click on the <strong>Clean</strong> button.</li> </ul><p></p><p>Press <strong>OK</strong> when asked to close all programs and follow the onscreen prompts.</p><p>Press <strong>OK</strong> again to allow AdwCleaner to restart the computer and complete the removal process.</p><ul> <li data-xf-list-type="ul">After rebooting, a logfile report (<strong>AdwCleaner[S0].txt</strong>) will open automatically.</li> <li data-xf-list-type="ul">Post logfile will also be saved in the C:\AdwCleaner folder.</li> </ul></blockquote><p></p>
[QUOTE="argus, post: 291500, member: 21493"] [b]1.[/b] Open notepad and copy/paste the text present inside the code box below. [i]To do this highlight the contents of the box and right click on it. Paste this into the open notepad. [/i] [color=red][b]NOTICE:[/b] This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system[/color] [code] Start CustomCLSID: HKU\S-1-5-21-2709539357-2449112603-2696348575-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks? Task: {49B45FB8-2B18-4A6C-B73E-AFF1879B1A4F} - System32\Tasks\Desk 365 RunAsStdUser => C:\Program Files (x86)\Desk 365\desk365.exe <==== ATTENTION Task: {91D5EE35-7D9B-4536-A5C6-D54A888A1664} - System32\Tasks\0 => Iexplore.exe <==== ATTENTION Task: {E6755094-A669-457F-A971-562711F2FCC6} - System32\Tasks\4329 => Wscript.exe C:\Users\JJ\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1 HKLM\...\Policies\Explorer: [HideSCAHealth] 1 HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Run: [iLivid] => "C:\Users\JJ\AppData\Local\iLivid\iLivid.exe" -autorun C:\Users\JJ\AppData\Local\iLivid HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [TaskbarNoNotification] 1 HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [HideSCAHealth] 1 HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [NoFolderOptions] 0 HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [HideClock] 0 HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [NoFind] 0 HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\Policies\Explorer: [NoViewContextMenu] 0 HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...\MountPoints2: D - D:\Special_Offers_from_SPHE_PC.exe HKU\S-1-5-21-2709539357-2449112603-2696348575-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks! AppInit_DLLs-x32: c:\progra~2\websea~1\sprote~1.dll => "c:\progra~2\websea~1\sprote~1.dll" File Not Found CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION URLSearchHook: HKCU - YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&sr=0&q={searchTerms} SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&sr=0&q={searchTerms} SearchScopes: HKLM - {B9549983-E98B-4BBE-8524-F21403760D21} URL = SearchScopes: HKCU - {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = http://www2.mystart.com/results.php?pr=vmn&id=yolobartb&v=1_0&ent=ch&q={searchTerms} SearchScopes: HKCU - {3E76C74A-C28D-4B12-9C48-2865A4B5620C} URL = http://us.yhs4.search.yahoo.com/yhs/search?hspart=oc&hsimp=yhs-001&p={searchTerms}&type=tb_ie_chr SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2405} URL = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=405&sr=0&q={searchTerms} SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = SearchScopes: HKCU - {B9549983-E98B-4BBE-8524-F21403760D21} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3316751&CUI=UN27598403892731187&UM=2&UP=SPF2D5698C-EFDB-47CF-9569-2B050B74D170&SSPV= FF HKLM-x32\...\Firefox\Extensions: [ya3t@baxjtjd.co.uk] - C:\Users\JJ\AppData\Roaming\Mozilla\Firefox\Profiles\at0valdt.default\extensions\ya3t@baxjtjd.co.uk FF HKLM-x32\...\Firefox\Extensions: [ofblsrj@h-jljp.net] - C:\Users\JJ\AppData\Roaming\Mozilla\Firefox\Profiles\at0valdt.default\extensions\ofblsrj@h-jljp.net FF HKLM-x32\...\Firefox\Extensions: [fxp4n0do@xco-o.org] - C:\Users\JJ\AppData\Roaming\Mozilla\Firefox\Profiles\at0valdt.default\extensions\fxp4n0do@xco-o.org FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found] CHR HKLM-x32\...\Chrome\Extension: [fbnmfdkmgihfljaegoejdjonfdpkdlci] - C:\Users\JJ\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx [2013-09-30] C:\Users\JJ\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx CHR HKCU\...\Chrome\Extension: [fbnmfdkmgihfljaegoejdjonfdpkdlci] - C:\Users\JJ\AppData\Local\CRE\fbnmfdkmgihfljaegoejdjonfdpkdlci.crx [2013-09-30] CHR Extension: (No Name) - C:\Users\JJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbnmfdkmgihfljaegoejdjonfdpkdlci [2013-12-07] C:\Users\JJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbnmfdkmgihfljaegoejdjonfdpkdlci C:\ProgramData\Conduit EmptyTemp: End [/code][b]2.[/b] Save notepad as [u][b]fixlist.txt[/b][/u] to your Desktop. [i][u][b][color=#008000]NOTE:[/color][/b][/u] => It's important that both files, [b]FRST[/b] and [b]fixlist.txt[/b] are in the same location or the fix will not work.[/i] [b]3.[/b] Run [b][color=#0000FF]FRST/FRST64[/color][/b] and press the [b]Fix[/b] button just once and wait. [i]If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.[/i] The tool will make a log on the Desktop ([b]Fixlog.txt[/b]). Please attach it to your reply. [i][color=#008000][b]Note: If the tool warned you about the outdated version please download and run the updated version.[/b][/color][/i] ================== Next =================== Please download [b][url=http://www.bleepingcomputer.com/download/adwcleaner/][color=blue]AdwCleaner[/color][/url][/b] by Xplode and save to your Desktop. Double click on [b]AdwCleaner.exe[/b] to run the tool. [list][*]Click on the [b]Scan[/b] button. [*]After the scan has finished click on the [b]Clean[/b] button.[/list] Press [b]OK[/b] when asked to close all programs and follow the onscreen prompts. Press [b]OK[/b] again to allow AdwCleaner to restart the computer and complete the removal process. [list][*]After rebooting, a logfile report ([b]AdwCleaner[S0].txt[/b]) will open automatically. [*]Post logfile will also be saved in the C:\AdwCleaner folder.[/list] [/QUOTE]
Insert quotes…
Verification
Post reply
Top