Multiple Instances of dllhost.exe *32

[BLK97F150]

Any assistance would be appreciated... Thanks!

 

[BLK97F150]

Follow up. After running both the FRST and AdwCleaner, the multiple instances of the dllhost.exe *32 seem to have closed, and are not appearing again.

 

[TwinHeadedEagle]

I see some infections on your PC. Please run FRST again, check Addition.txt, press Scan and attach both fresh reports.




Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

• Type rpcss.dll into the Search: field in FRST then click the Search Files button.
• FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
• Please attach it to your reply.

 

[BLK97F150]

The instances of dllhost reappeared this morning.

Attached are the new FRST and Addition logs.

The Search for rpcss.dll seems to be hanging, and does not want to complete. I'll start a new search before I leave for work, and let it run during the day.

Thanks again...

 

[TwinHeadedEagle]

Wait to finish, then attach that report.

 

[BLK97F150]

The search ran until about 2pm. The log is attached.
Thanks!

 

[TwinHeadedEagle]

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

​

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Accept the disclaimer and agree if prompted to install Recovery Console.
• Do not take any actions while ComboFix goes through your System - it may cause it to stall!
• This scan may take some time!
• When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.

If you'll encounter any issues with internet connection after running ComboFix, please visit this link.

If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.

 

[BLK97F150]

Just a status update. I started the FRST Fix this morning before leaving for work. At some point during the day the computer locked up. It was still powered when I got home, but the screen was dark, and it would not 'wake up'. I ended up having to hit the power button and reboot it. I have started the FRST Fix again, and will post the logs when completed.

Thanks again...

 

[BLK97F150]

After running all night, the FRST Fix still hasn't completed. The top left corner says 'Fixing is in progress, please wait' and the green progress bar occasionally does move.... but extremely slowly.

Attached is the fixlog.txt file that was created up to this point. I'll let it run while I'm at work again today and check for further instructions when I get home tonight.

Thanks...

 

[TwinHeadedEagle]

Stop FRST and proceed with ComboFix instructions.

 

[BLK97F150]

ComboFix log attached.

 

[TwinHeadedEagle]

Okay, we need more steps:

Fix with ComboFix

Let's prepare a Script for ComboFix to mark some things for being deleted.

• Press the
  
  + R on your keyboard at the same time.
• A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
• In the shown window paste in the following script:
  

  Folder::
  c:\programdata\OtyuZecc
  c:\programdata\AbmiHxiwa
  
  File::
  c:\windows\System32\config\systemprofile\AppData\Local\oivtvid.dll
  
  Registry::
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oivtvid]
  
  ClearJavaCache::

• Go to File menu and select Save as.
• Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
• Name the file CFScript and select Save.

Your CFScript.txt file should appear on your desktop.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Now drag your CFScript file and drop it onto the
  
  icon.
• This will start ComboFix. Let it run uninterrupted!
• A reboot may be needed during this run. Allow it.
• When finished, it shall produce a log for you at C:\ComboFix.txt and display it.

Please include that log in your next reply.

If you'll encounter any issues with internet connection after running ComboFix, please visit this link.

If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.

Do not forget to turn on your previously switched-off protection software!




Run FRST again, press Scan and attach fresh reports.

 

[BLK97F150]

Completed. The ComboFix took forever to finish, it seemed to hang on #48 for a couple hours... but it finally got past it.

Logs attached.
Thanks!

 

[TwinHeadedEagle]

Very good, we need one more fix. Tell me how is your PC now?

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

​

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

 

[BLK97F150]

I let the Fix run while I was at work. When I got home it was not responding (the top Windows bar even said '(not responding)'. I forced it closed and ran another FRST. Attached is that log, and the partial log from the Fix.

Its much more responsive, but we haven't been using it. I've asked the wife to keep off it until we are finished.

 

[TwinHeadedEagle]

Okay, let's try another tool:

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Install the progam and select update.
• Once updated, click the Settings tab, in the left panel choose Detctions & protection and tick Scan for rootkits.
• Click the Scan tab, choose Threat Scan is checked and click Scan Now.
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

 

[BLK97F150]

Log attached.

Also ran another FRST scan (after MWBytes completed and rebooted), and that one is attached too.

Thanks again. Really appreciate the assistance.

 

[TwinHeadedEagle]

How is the situation now?


There is still one line we have to fix. Delete current ComboFix icon, download fresh one and run it again using the same instructions.

 

[BLK97F150]

The wife used it some yesterday. Running much better!

Deleted ComboFix, downloaded a new version and ran it. This one seemed to hang on that same stage 48 for a long time as well, but eventually got past it. Log attached.

Also ran one more FRST scan. That log is attached as well.

 

[TwinHeadedEagle]

Ok, we will run our last step:

Fix with ComboFix

Let's prepare a Script for ComboFix to mark some things for being deleted.

• Press the
  
  + R on your keyboard at the same time.
• A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
• In the shown window paste in the following script:
  

  RegLockDel::
  [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
  @DACL=(02 0000)
  "oyytgod"="rundll32 \"c:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\oyytgod.dll\",oyytgod"
  .
  [HKEY_USERS\S-1-5-21-16877433-1430952535-4280249599-1000_Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]
  @Allowed: (B) (CreatorAuthority-4)
  
  File::
  c:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\oyytgod.dll

• Go to File menu and select Save as.
• Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
• Name the file CFScript and select Save.

Your CFScript.txt file should appear on your desktop.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Now drag your CFScript file and drop it onto the
  
  icon.
• This will start ComboFix. Let it run uninterrupted!
• A reboot may be needed during this run. Allow it.
• When finished, it shall produce a log for you at C:\ComboFix.txt and display it.

Please include that log in your next reply.

If you'll encounter any issues with internet connection after running ComboFix, please visit this link.

If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.

Do not forget to turn on your previously switched-off protection software!