Post by jamesm on Oct 26, 2014 3:42:30 GMT -8
Things are definitely better. I've rebooted and run multiple applications, and there is no massive spawning of dllhost.exe. There is one dllhost.exe that keeps popping up for a moment; it used to stay up all the time.
The command line entry from Task Manager is this: C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-412AF-8929-92BE9D99E8A1}
I have no idea if this is normal.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Oct 26, 2014 9:31:44 GMT -8
Dllhost.exe is used by legit programs for legit purposes; the difference with Poweliks is the 90% - 100% CPU.
Quads
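A read-only check for the question and answer above, as an added example that is not part of the thread: it lists every running dllhost.exe with its /Processid GUID, the name that GUID is registered under, and a short CPU sample, so a briefly appearing surrogate can be told apart from many instances holding the CPU. It assumes Windows PowerShell 3.0 or later; the function name, registry roots checked and sample length are choices made for this example.

```powershell
# Added example, not from the thread. Read-only: nothing is stopped or deleted.
# Assumes Windows PowerShell 3.0 or later; run elevated to see every command line.
$sampleSeconds = 5
$cores = [Environment]::ProcessorCount
$roots = 'HKLM:\SOFTWARE\Classes\AppID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\AppID',
         'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'

function Resolve-SurrogateName([string]$Guid) {
    # A /Processid GUID names a COM application; a legitimate one is registered here.
    foreach ($root in $roots) {
        $key = Join-Path $root $Guid
        if (Test-Path -LiteralPath $key) {
            $name = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($name) { return $name } else { return "(unnamed key under $root)" }
        }
    }
    return '(not registered)'
}

$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'")
$cpuBefore = @{}
foreach ($p in $procs) {
    # First CPU reading (total processor seconds used so far) per process.
    $gp = Get-Process -Id ([int]$p.ProcessId) -ErrorAction SilentlyContinue
    if ($gp -and $null -ne $gp.CPU) { $cpuBefore[[int]$p.ProcessId] = $gp.CPU }
}
Start-Sleep -Seconds $sampleSeconds

$report = foreach ($p in $procs) {
    $id = [int]$p.ProcessId
    $guid = $null; $name = '(no /Processid argument, or command line not readable)'
    if ($p.CommandLine -match '/Processid:\s*(\{[0-9A-Fa-f-]+\})') {
        $guid = $Matches[1]; $name = Resolve-SurrogateName $guid
    }
    # Second reading; the difference over the interval gives percent of total CPU.
    $pct = $null
    $gp = Get-Process -Id $id -ErrorAction SilentlyContinue
    if ($gp -and $cpuBefore.ContainsKey($id) -and $null -ne $gp.CPU) {
        $pct = [math]::Round(100 * ($gp.CPU - $cpuBefore[$id]) / ($sampleSeconds * $cores), 1)
    }
    [pscustomobject]@{
        ProcId = $id; ParentProcId = $p.ParentProcessId; Path = $p.ExecutablePath
        AppId = $guid; Registered = $name; CpuPct = $pct
    }
}
"dllhost.exe instances: $($procs.Count)"
$report | Sort-Object CpuPct -Descending | Format-Table -AutoSize
```

A process that exits during the sample shows an empty CpuPct; rerun the script a few times to catch short-lived instances.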
Post by jamesm on Oct 26, 2014 10:01:22 GMT -8
Then so far so good, no hogging processes or long trees of dllhost.exe.
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Oct 26, 2014 13:45:36 GMT -8
Read carefully
Download Adwcleaner from here to your desktop and run a scan. You may have to right click adwcleaner.exe and choose "Run as Administrator" from the menu. (Click the Scan button to start the scanning). It will create a log after it is finished scanning. If not (or if it just asks for you to uncheck what you don't want deleted), there is a Report button in the middle of the main window; click that and it will make the log file. Once the report file is made, you can leave AdwCleaner running (but don't delete anything yet) or you can close it down (we can always get a fresh scan done before the deletions).
ONE SCAN ONLY, PLEASE
Attach or paste the log back here for review and further instructions. Thanks.
Post by jamesm on Oct 26, 2014 17:03:25 GMT -8
adwcleaner does not seem to be working. As soon as you press the scan button a window pops up called array display. You get two copy options and exit script. When you select exit script the entire program terminates.
edit: by trying to exit the program and not the script the popup window closed and the scan started to run.
# AdwCleaner v4.002 - Report created 26/10/2014 at 17:57:02
# Updated 27/10/2014 by Xplode
# Database : 2014-10-26.6
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : James - JAMES
# Running from : C:\Users\James\Desktop\adwcleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
File Found : C:\Windows\System32\log\iSafeKrnlCall.log
Folder Found : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Folder Found : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17344
-\\ Mozilla Firefox v32.0.3 (x86 en-US)
-\\ Google Chrome v37.0.2062.124
*************************
AdwCleaner[R0].txt - [295 octets] - [26/10/2014 17:54:58]
AdwCleaner[R1].txt - [1452 octets] - [26/10/2014 17:57:02]
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [1512 octets] ##########
Post by Quads on Oct 27, 2014 15:18:23 GMT -8
a) Click the Scan Button and wait for the scan to finish. (already done if Adwcleaner is left pending)
b) Make sure all of the items under each TAB are to be ticked. Except the entries for (Remove the tick beside the entries)
Folder Found : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Folder Found : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
(All Norton )
You actually only have 2 entries left in the list to remove.
c) Click the Clean Button and Adwcleaner will process all the items ticked / checked and then may ask for the system to be restarted.
d) It should create a new log afterwards (with S0 in the name).
Here is a Screenshot example
Quads
Post by jamesm on Oct 28, 2014 6:28:53 GMT -8
# AdwCleaner v4.002 - Report created 28/10/2014 at 07:16:48
# DB v2014-10-26.6
# Updated 27/10/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : James - JAMES
# Running from : C:\Users\James\Desktop\adwcleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
[x] Not Deleted : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
[x] Not Deleted : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
File Deleted : C:\Windows\System32\log\iSafeKrnlCall.log
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
[x] Not Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
[x] Not Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
[x] Not Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
[x] Not Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17344
-\\ Mozilla Firefox v32.0.3 (x86 en-US)
-\\ Google Chrome v37.0.2062.124
*************************
AdwCleaner[R0].txt - [295 octets] - [26/10/2014 17:54:58]
AdwCleaner[R1].txt - [1600 octets] - [26/10/2014 17:57:02]
AdwCleaner[R2].txt - [1660 octets] - [28/10/2014 07:10:55]
AdwCleaner[S0].txt - [1600 octets] - [28/10/2014 07:16:48]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1660 octets] ##########
Post by Quads on Oct 28, 2014 16:26:32 GMT -8
Don't click on any pop up for the likes of Flash, Java, Adobe or fake browser landings; it appears that may be the way systems are getting infected or reinfected.
On with step 4, Complete system check for any file and cleanup of items and tools used.
Special attention to the different settings I have asked for below.
You can leave Norton Enabled even though ESET may warn about it; it just makes the scan take longer.
The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.
Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.
Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
Click the
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
Click Advanced settings and select the following:
Scan potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
Attach the resulting log in your next reply.
The scanner screen gives me the option of saving the results to a .txt file as part of the options after the scan has finished.
Screenshot of part of the finished scan dialog box by ESET showing the options. List found threats and at the bottom of the listings is the options to save the list.
Quads
Post by jamesm on Oct 29, 2014 6:51:17 GMT -8
C:\ProgramData\IObit\ASCDownloader\ASCSetup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\UBCD4Win\plugin\CDBurning\ExpressBurn\expressburn.exe a variant of Win32/Toolbar.Conduit.I potentially unwanted application
C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe Win32/PrcView potentially unsafe application
C:\UBCD4Win\plugin\System-Info\Information\SysInfo\sysinfo.7z a variant of Win32/RemoteAdmin.RemoteExec.AA potentially unsafe application
C:\Users\All Users\IObit\ASCDownloader\ASCSetup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\Users\James\Desktop\FS Stuff\FS_Server\Tools\DDSViewerSetup.exe Win32/Toolbar.Babylon potentially unwanted application
C:\Users\James\Downloads\Core-Temp-setup.exe a variant of Win32/Complitly.A potentially unwanted application
C:\Users\James\Downloads\CrystalDiskInfo5_6_2-en.exe Win32/OpenCandy potentially unsafe application
C:\Users\James\Downloads\DriverSweeper_3.2.0.exe Win32/OpenCandy potentially unsafe application
C:\Users\James\Downloads\Driver_Fusion_1.5.0.exe Win32/OpenCandy potentially unsafe application
C:\Users\James\Downloads\Driver_Fusion_19.exe Win32/OpenCandy potentially unsafe application
C:\Users\James\Downloads\epm.exe Win32/OpenCandy potentially unsafe application
C:\Users\James\Downloads\KeyFinderInstaller.exe Win32/OpenCandy potentially unsafe application
C:\Users\James\Downloads\MediaInfo_GUI_0.7.51_Windows_x64.exe Win32/OpenCandy potentially unsafe application
C:\Users\James\Downloads\smart-defrag-setup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\Users\James\Downloads\tb_free.exe Win32/OpenCandy potentially unsafe application
Post by Quads on Oct 29, 2014 23:22:37 GMT -8
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the script attached, needs to be the same file name as well (fixlist.txt), have it on the Desktop, so that fixlist.txt is next to FRST64.exe,
DO NOT DRAG AND DROP to download the script, it won't work for FRST (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST that is on the desktop. When the tool opens, click Yes to disclaimer. (if it still does)
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt); please post it to your reply (attach or paste).
Quads