kj1
New Helpee
Posts: 30
|
Post by kj1 on Dec 20, 2014 20:31:10 GMT -8
The system settled down quite a bit after following your instructions to run the Symantec Removal tool (FixPoweliks64.exe). No more multiple copies of dllhost.exe running in the task manager and Internet Explorer doesn't seem to be getting bogged down anymore. But, I still see two things that look suspicious (described below).
When I ran the fixlist.txt, I didn't notice any changes in the way the system worked. I still saw the same two things that look suspicious.
Still see these two things that look suspicious:
1) A single copy of dllhost.exe appears briefly in task manager from time to time. I'm not sure if this is ok or not.
2) I also get the following pop-up message from Symantec Endpoint Protection when I reboot (NAV is my virus protection software):
Microsoft Office Click-to-Run has changed since the last time you used it.
Name: Microsoft Office Click-to-Run
Application: officeclicktorun.exe
Do you want to allow it to access the network?
Yes No Detail<<
Details:
Name: Microsoft Office Click-to-Run
Version: 15.0.4667.1002
File Path C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
Connection Origin: local initiated
Protocol: TCP
Local Address: 192.168.1.10
Local Port: 49570
Remote Name:
Remote Address: 23.220.100.153
Remote Port: 80 (HTTP - World Wide Web)
Thanks, kj1
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 20, 2014 20:37:27 GMT -8
Whatever, "When I ran the fixlist.txt, I didn't notice any changes in the way the system worked."
You would have seen the stop of the error message as FRST took the key.
dllhost is used by programs and even Windows
Quads
|
|
kj1
New Helpee
Posts: 30
|
Post by kj1 on Dec 21, 2014 21:58:22 GMT -8
Sounds good.
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 22, 2014 15:37:09 GMT -8
File Path C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
Is legit for Office / Office 365
Quads
|
|
kj1
New Helpee
Posts: 30
|
Post by kj1 on Dec 22, 2014 19:47:41 GMT -8
Great. So seems to be all good with PC now.
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 22, 2014 20:54:57 GMT -8
On with step 4, Complete system check for any file and cleanup of items and tools used.
Special attention to the different settings I have asked for below. You can leave Norton Enabled even though ESET may warn about it. Just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.
Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.
Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
Click the
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
Click Advanced settings and select the following:
Scan potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
Attach the resulting log in your next reply.
The scanner screen gives me the option of saving the results to a .txt file as part of the options after the scan has finished. Screenshot of part of the finished scan dialog box by ESET showing the options. List found threats and at the bottom of the listings are the options to save the list.
Quads
|
|
kj1
New Helpee
Posts: 30
|
Post by kj1 on Dec 23, 2014 0:19:02 GMT -8
I ran into a problem: I checked the "Yes I Accept Terms of Use" box, then clicked the Start button. At this point, an error message popped up that said "An add-on for this website failed to run". The new window running ESET went blank and would not continue to the Computer scan settings page.
|
|
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 23, 2014 16:13:12 GMT -8
Use Firefox / Chrome
Quads
|
|
kj1
New Helpee
Posts: 30
|
Post by kj1 on Dec 24, 2014 7:20:53 GMT -8
Here's the ESET results:
C:\knj\aaa_external_drive_backup\knj\keyley\bearshare_5.7.1\BearShare_Turbo_51533.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\knj\winzip185\winzip185.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSS.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSHelper.dll a variant of Win32/Systweak.N potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSPrivacyProtector.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegClean.exe a variant of Win32/Systweak potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegistryOptimizer.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSSystemCleaner.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\ProgramData\{559F25A3-87D2-4D88-ADC5-DF4C277CDD45}\setup.res a variant of Win32/HiddenStart.A potentially unsafe application
C:\Users\All Users\{559F25A3-87D2-4D88-ADC5-DF4C277CDD45}\setup.res a variant of Win32/HiddenStart.A potentially unsafe application
C:\Users\Keyley\AppData\Local\Temp\4260\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QKRC6XD9\svy2kqoa2b[1].htm JS/Exploit.Agent.NHV trojan
C:\Users\Keyley\Downloads\winzip185.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Windows\Installer\233e8a32.msi a variant of Win32/Systweak.L potentially unwanted application
|
|
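An added example, not part of either poster's messages: a small parser that splits ESET result lines like the ones kj1 posted into path, detection name and classification, then groups them by classification so the trojan entry is not lost among the potentially unwanted applications. The field layout is inferred from the posted log, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Four entries copied from the log above plus one constructed non-entry line.
SAMPLE_LOG = r"""
C:\knj\winzip185\winzip185.exe a variant of Win32/Systweak.L potentially unwanted application
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\Users\Keyley\AppData\Local\Temp\4260\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QKRC6XD9\svy2kqoa2b[1].htm JS/Exploit.Agent.NHV trojan
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegClean.exe a variant of Win32/Systweak potentially unwanted application
this line is not a scan entry
"""

# Layout assumed from the post: path, optional "a variant of", Platform/Name,
# classification. Windows paths contain spaces but never "/", so the lazy
# path group stops at the first token that looks like a detection name.
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<variant>a variant of\s+)?"
    r"(?P<name>[A-Za-z0-9]+/[\w.]+)\s+"
    r"(?P<kind>potentially (?:unwanted|unsafe) application|trojan)$"
)

def parse_entries(text):
    """Return (entries, rejected_lines); unparsed lines are kept, not dropped."""
    entries, rejected = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if m is None:
            rejected.append(line)
            continue
        entries.append({"path": m["path"], "name": m["name"],
                        "variant": m["variant"] is not None, "kind": m["kind"]})
    return entries, rejected

def group_by_kind(entries):
    """Group parsed entries by the classification string at the end of the line."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["kind"]].append(entry)
    return dict(groups)

if __name__ == "__main__":
    parsed, bad = parse_entries(SAMPLE_LOG)
    for kind, items in group_by_kind(parsed).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print(f"  {item['name']:<24} {item['path']}")
    print(f"unparsed lines: {bad}")
```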
Quads
Malware Removalists
In New Zealand
Posts: 9,387
|
Post by Quads on Dec 24, 2014 11:47:47 GMT -8
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the script attached, needs to be the same file name as well (fixlist.txt), have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script, it won't work for FRST (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST that is on the desktop. When the tool opens click Yes to disclaimer. (if it still does)
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt), please post it to your reply (attach or paste).
Quads
|
|