dllhost.exe *32 problem

DonR

New Member
Thread author
Nov 2, 2014
I need help in removing dllhost.exe COM SURROGATE instances. I have downloaded Malwarebytes Anti-Malware, but it only seems to block some of the instances and not remove the malware. I am also getting a message saying I do not have permission to download files, something I have not seen until now. I have attached the Addition and FRST text files as instructed. Thanks for your help!
 

Attachments

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Code:
CustomCLSID: HKU\S-1-5-21-1777875186-4145512285-2636234668-1000_Classes\CLSID\{3560575F-7C2D-48AE-AB45-DAD430A95EBE}\InprocServer32 -> C:\Program Files\WinZip\adxloader64.dll ()
CustomCLSID: HKU\S-1-5-21-1777875186-4145512285-2636234668-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKU\S-1-5-21-1777875186-4145512285-2636234668-1000\...\Run: [msnmsgr] => ��ÀýØÚ����àã�
HKU\S-1-5-21-1777875186-4145512285-2636234668-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKLM - {AAAE3095-7364-4C02-B611-04E58947159C} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {9230cb90-79de-4945-88a4-762244a25bc8} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKxdm069YYus&ptb=73F96CCD-68D4-4F86-9101-98CC0896F36C&ind=2011123019&ptnrS=YKxdm069YYus&si=bing_time-broad&n=77df4d4b&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^XP^xdm044^YYA^us&si=COaf58mOpLgCFQ9eQgodlmQAqw&ptb=941C2C53-B195-43B2-9F0A-1735C92BFD48&psa=&ind=2013071000&st=sb&n=77fd0698&searchfor={searchTerms}
SearchScopes: HKLM-x32 - {AAAE3095-7364-4C02-B611-04E58947159C} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3196716
SearchScopes: HKCU - {9230cb90-79de-4945-88a4-762244a25bc8} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YKxdm069YYus&ptb=73F96CCD-68D4-4F86-9101-98CC0896F36C&ind=2011123019&ptnrS=YKxdm069YYus&si=bing_time-broad&n=77df4d4b&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^XP^xdm044^YYA^us&si=COaf58mOpLgCFQ9eQgodlmQAqw&ptb=941C2C53-B195-43B2-9F0A-1735C92BFD48&psa=&ind=2013071000&st=sb&n=77fd0698&searchfor={searchTerms}
SearchScopes: HKCU - {AAAE3095-7364-4C02-B611-04E58947159C} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3196716
C:\a7947d9b10a38cc018d6495c19569d08
HKU\S-1-5-21-1777875186-4145512285-2636234668-1000\...\Run: [PhotoJoy] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4280184 2012-03-08] (Microsoft Corporation)
HKU\S-1-5-21-1777875186-4145512285-2636234668-1000\...\Run: [cdloader] => C:\Program Files (x86)\PhotoJoy\bin\PhotoJoy.exe [1049984 2011-09-30] (IncrediMail, Ltd.)
HKU\S-1-5-21-1777875186-4145512285-2636234668-1000\...\Run: [swg] => C:\Users\Don\AppData\Roaming\mjusbsp\cdloader2.exe [51592 2013-05-06] (magicJack L.P.)
C:\Users\Don\AppData\Roaming\mjusbsp
C:\Program Files (x86)\Windows Live
C:\Program Files (x86)\PhotoJoy
EmptyTemp:
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
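The two CustomCLSID lines in the fixlist above are the persistence that kept COM Surrogate (dllhost.exe) busy: a per-user CLSID whose localserver32 points at rundll32.exe running inline JavaScript, with the payload obfuscated by shifting every character up by one ("epdvnfou/xsjuf" is "document.write"). The script below is an added example, not part of this thread or of FRST; it scans constructed FRST-style log lines for that pattern, for Run values that are not a printable executable path, and for search-scope hijacks. The sample lines and the shift-by-one decoder are assumptions modelled on what this log shows.

```python
import re

# Constructed sample lines in FRST Addition.txt style (SID and values shortened;
# not taken from a real machine).
SAMPLE_FRST_LINES = [
    r"CustomCLSID: HKU\S-1-5-21-1111-2222-3333-1000_Classes\CLSID\{3560575F-7C2D-48AE-AB45-DAD430A95EBE}\InprocServer32 -> C:\Program Files\WinZip\adxloader64.dll ()",
    r'CustomCLSID: HKU\S-1-5-21-1111-2222-3333-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(" (the data entry has 247 more characters).',
    "HKU\\S-1-5-21-1111-2222-3333-1000\\...\\Run: [msnmsgr] => \x00\xc0\xfd\xd8\xda",
    r"HKU\S-1-5-21-1111-2222-3333-1000\...\Run: [swg] => C:\Users\Don\AppData\Roaming\mjusbsp\cdloader2.exe [51592 2013-05-06] (magicJack L.P.)",
    r"SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}",
]

# A COM server should be a DLL/EXE path; a script host here is the Poweliks pattern.
SCRIPT_HOST_RE = re.compile(r"rundll32\.exe\s+(javascript|vbscript):|mshtml,RunHTMLApplication", re.IGNORECASE)
CLSID_SERVER_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\(LocalServer32|InprocServer32)\s*->\s*(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"\\Run: \[([^\]]+)\] => (.*)$")
SEARCHSCOPE_RE = re.compile(r"^SearchScopes: .*URL = (\S+)")
HIJACK_HOSTS_RE = re.compile(r"conduit|mywebsearch|tb\.ask|ask\.com", re.IGNORECASE)


def caesar_decode(text, shift=1):
    """Undo the one-position character shift seen in this log's eval() payload.
    Assumption: only printable ASCII (33..126) was shifted; other characters pass through."""
    return "".join(chr(ord(c) - shift) if 33 <= ord(c) <= 126 else c for c in text)


def scan_frst_lines(lines):
    """Return (severity, reason, line) findings, in log order."""
    findings = []
    for line in lines:
        m = CLSID_SERVER_RE.search(line)
        if m and SCRIPT_HOST_RE.search(m.group(3)):
            findings.append(("high", f"CLSID {m.group(1)} {m.group(2)} launches a script host", line))
            continue
        m = RUN_RE.search(line)
        if m:
            value = m.group(2)
            # Binary junk (as in the msnmsgr entry) or anything that is not an .exe path.
            if not value.isprintable() or not re.search(r"\.exe\b", value, re.IGNORECASE):
                findings.append(("high", f"Run value [{m.group(1)}] is not a printable executable path", line))
            continue
        m = SEARCHSCOPE_RE.search(line)
        if m and HIJACK_HOSTS_RE.search(m.group(1)):
            findings.append(("low", "search scope points at a known toolbar/hijack host", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in scan_frst_lines(SAMPLE_FRST_LINES):
        print(f"[{severity}] {reason}: {line[:90]}")
    print(caesar_decode("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds"))
```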
 
Thanks argus - attached is the fixlog.txt. Looking at Task Manager, I do not see any instances of dllhost.exe.
 

Attachments

Removed 12.2 GB temporary data. ;)


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


Cheers! :)