Issue with dllhost.exe*32 Processes & Powelik, adclicker

Hello. I am a new member. I found your site from a google search on a problem I am having with adclicker and poweliks and apparently related multiple dllhost.exe*32 processes running on my machine. My problem appears nearly identical to that described by KINGOKRAP in his thread titled "Multiple 'dllhost.exe*32' process showing up in task manager". KESTREL13! appears to have solved his problem. Being a new member, I was unsure whether to create a new thread or attach my problem to KINGOKRAP's thread. Started a new thread but please direct me if I should do
otherwise.

A quick rundown on my system:
o Computer/OS: Dell 8700, Windows 7 Professional, 64 bit, 8Gb memory.
o Security: Norton Internet Security (firewall, virus protection running live)
o Disk Emulation: None
o Display of hidden, system files, folders turned on.

Steps taken so far to try to solve the problem:
o Downloaded and run "SpyHunter" and "Spybot". Neither solved the problem.
o Delete all dllhost.exe*32 processes when they appear in TaskManager. Processes always eventually reappear and swamp my network.
o Usually on a restart, Norton notifies me of blocking Trojan/Powelik and/or Trojan/adclicker

Preliminary Steps from "Read Me First" Thread:
o Downloaded CCleaner and ran "run cleaner"
o Ran "Windows OS Specific Cleaning Instructions for Win7"
o Attached logs as directed.

NOTE: Upon execution, TDSSKiller gave the warning "Can't initialize log". Another window opened showing:
"Reboot is required. Extended monitoring driver is required for more advanced threats detection. Press 'Reboot Now' button to install driver & reboot, or 'continue' to run the program in standard mode."
From the posted instructions I was not sure what to do so I pressed the continue button for standard mode. Then got the message "Can't load driver". I hit OK. Results showed no threats and the "report" log was empty, thus no log for TDSSKiller attached. Please advise if I need to rerun TDSSKiller with different procedure.

Though I see some similarities between my problem and those of "kingokrap", I have done nothing to repair the problem pending instructions from one of you experts. Thanks in advance for your help.

Ken

 

Kestrel13!

Followed all instructions and here are results.

o Initial exec of RogueKiller:
Found and deleted 4 of 5 items listed. One item below from your list was not in the new RK scan list:
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgkknd (System32\drivers\defba.sys) -> Found

o Executed each of the remaining items and generated logs as required. Each log is attached.

Note log from final exec of RogueKiller contains "Poweliks" registry entry.

Did not reboot system, still seeing dllhost.exe*32 com processes starting.

Will reboot and report back status after reboot.


Ken

 

Kestrel13!

Followup from previous my response. Rebooted system. Task manager still shows dllhost.exe*32 processes starting.

No notices from Norton yet re Poweliks or adclicker but that is not unusual. These notices come sporadically.

One other thing that I have noticed that may or may not be related. I have noticed that sometimes I get a message that "security settings will not allow downloading a file". When I check my Internet Explorer Security Settings for the Internet, I see that they have been reset. I then reset them to the default. At some time later, during the same session they get reset again. This is a new phenomena, though I am not sure it coincides with the dllhots.exe*32/Poweliks/adclicker problem. Just for you info.

I will await your further instructions.

Thanks,

Ken

 

Kestrel13!,

Yes, I did delete the temp files using Cleano 0.61 as you instructed.

Reran RK and deleted the Powelik registry entry. I immediately received a warning from Norton that it had blocked attacks by Poweliks and adclicker. Rebooted system. After logging in, again received Norton warnings about Poweliks and adclicker. dclhost.exe*32 processes also started again.

Attached RogueKiller logs before/after deletion.

Note Poweliks entry in registry has reappeared.

One other comment. When RK was executed it opened at window in IE with info regarding RK and Poweliks. Comments from users with similar problems to mine are interesting. I have taken no action from that page, just for your info.


Ken

 

Reran RK with Norton Virus/malware turned off. Deleted poweliks entry. Rebooted. Reran RK. poweliks reappeared as did dllhosts*32 processes.

Logs attached.

I am not all that familiar with manual deletion of registry entries. If you think that is what I should do, please guide me.

Thanks,

Ken

 

All procedures that I have executed up to this point have been under that login account.

One other note. All procedures conducted with normal boot from windows, not in safe mode. I assume that is what I should have been doing.

Ken

 

Kestrel13!,

Follow-up info.

I went back and looked at the RogueKiller web page about Poweliks: http://www.adlice.com/poweliks-removal-with-roguekiller/

I noticed the notes near the top of the page:

If you have difficulties to remove that threat, try this:
•1- Do a scan with RogueKiller. Do not close the window.
•2- Kill all dllhost.exe processes (for example with Process Explorer, kill tree
•3- Do the removal with RogueKiller
•4- Reboot immediately

I tried this and it may have worked. Note that I rebooted without first closing RogueKiller. After the reboot, RK did not show the Poweliks entry in the registry. I rebooted again, still no Poweliks entry in the registry. So far the dllhost.exe*32 processes are not starting. This has held so far for about 45 minutes. I will continue to monitor and get back to you in a few hours if it reappears.

Thanks,

Ken

 

Kestrel13!,

So far so good. Still no entry for Poweliks in registry and dllhost.exe*32 processes are not starting after about 4.5 hours.

Just reran RogueKiller and attached log.

One thing I have noticed on the last several exec of RK is that during the initialization process it kills two processes. You will see these at the top of the log. This now happens every time I executive RK. This does not appear to have been happening in the earlier scans. Something to worry about?

Is it time now to go back and reset some of the things that may have been changed at the beginning of this process? For example, the UAC is still disabled. Complete Items 6 & 7? (at http://forums.majorgeeks.com/showthread.php?t=139681) or other procedures you can direct me to?

Thanks,

Ken

 

Kestrel13!,

Downloaded and executed GMER as directed. Log attached. One note about the boxes checked on right side. The "quick Scan" only box was checked as default and that is what I used.

Ken

 

Kestrel13!,

Ran Norton, only found cookies and it removed them. However, I am noticing other strange activity.

I am seeing a lot of unexplained network activity again although there are no dllhost.exe*32 processes running. I noticed quite a few svhost.exe processes running which I know can be normal. I watched them for a while and noticed that a couple of these processes, both identified as svhost.exe*32 were apparently doing a lot of network traffic. I decided to run RogueKiller to see what it would do. As I indicated in an earlier post, it killed 4 processes, 2 of which look to have been the two svhost.exe*32 processes. The network traffic immediately stopped. However, within a few minutes they had restarted and the network traffic resumed. I ran RogueKiller again, it again killed the processes. I did not save the reports for either of these scans but I reran RK again (once again it killed the svhost.exe*32 process, this time there was only one running). The report from the last RK run is attached.

I believe the killed process "C:\Windows\SysWow64\svchost.exe" is probably the one identified in the Task Manager as svhost.exe*32.

Suggestions?

Ken

 

Kestrel13!,

I went thru your instructions down to the execution of e:\frst64.exe. I then realized that I did not know where frst64.exe came from. My understanding of your notes is that it should be on my flash drive. How do I get it there?

Sorry if I missed something, just set me straight.

Thanks,

Ken

 

Kestrel13!,

More info. Just for fun :-D I decided to run a SpyHunter scan. It found quite a few cookies but also found two scheduled tasks which it could not identify as either good or bad. It suggested disabling them if I did not know where they came from. I have no idea where they came from so I decided to disable both of them and see what happens. That was about 45 min. ago. Did a restart also. So far the svhost processes that were swamping my network have not started. I will watch and wait. Post back tomorrow with status.

For your info the paths to the two scheduled tasks are:
c:\Windows\system32\imquo.dll
c:\Windows\system32\zhbjexp.dll

Recognize either of these?


Ken

 

Since disabling the 2 scheduled tasks, still no sign of the excessive network traffic from the svhost processes. I have also not seen either of them starting. I will hold off on running the frst64.exe unless you think I should go ahead anyway. So far it looks like disabling the scheduled tasks found by SpyHunter fixed the problem. I would still like to know if anyone can identify the two dll's I listed in last post so that I might figure out where they came from. Google search has not found anything.

Info from the task scheduler: The "Action" to start the two tasks are shown as
C:\Windows\system32\regsvr32.exe/s "C:\Windows\system32\zhbjexp.dll"
C:\Windows\system32\regsvr32.exe/s "C:\Windows\system32\imquo.dll"

When I look at the directory (c:\Windows\system32\) from Windows Explorer I am not able to see either of the dll's (imquo or zhbjexp). Anyone have an explanation for this? (Hidden files and folders is turned "on").

Thanks,

Ken

 

Followed link posted by dr.moriarty to http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ for download of frst64.exe.

When I tried to download it I got a security message that the file was dangerous but I went ahead with the download. Norton then sent me a message that the file was dangerous and deleted it from my system.

Got to admit that I am gunshy these days. Just want to make sure that I am downloading the correct file and that it is safe. What should I do?

Ken

 

Procedure for frst64 completed. Log file attached. Note that I have change all of my system's user ID's to generic forms (UID1, UID2, ADMIN) . Uniqueness maintained.

Ken

 

Reran frst64.exe as instructed with fixlist.txt on flash drive. Resulting Fixlog.txt attached. Note as with previous log, user ID modified to generic UID1. Otherwise unchanged. I also noticed that the fixlist.txt you sent was removed from the flash drive after execution of frst64. Assume this is okay.

One other comment that might be relevant. For a while now I have been noticing pop-ups occurring occasionally within both IE and Firefox. I have not been paying much attention to them until yesterday. Each one occurs when I mouse over something on the screen like highlighted text such as in this forum. Each pop-up has "Ad Choices" shown in the upper right hand corner of the ad. I have looked in my Programs list in the control panel as well as the add-ons in IE/Firefox and found nothing. My onboard scans (Norton, Spyhunter, or SpyBot) have shown anything that is clearly related to these ad's. Do you think this is related to my other problems and how do I get rid of them?

Otherwise, the dllhost.exe*32 and svhost processes swamping my network still seam to be at bay.

Thanks,

Ken

 

Kestrel13!,

I think I have cleaned up everything as you directed. If I run across anything strange that might be related, I will let you know.

So far my system seems to running fine, none of the dllhost or svhost issues for a couple of days. No warnings from Norton about Poweliks or adclicker either.

Thanks so much for your time and effort. I certainly appreciate it.

Ken

 

I've been away for a few days but my system still seems to be running okay. So far none of the symptoms I experienced have reappeared, including no reports from Norton re. Poweliks or adclicker.

Do you know if any of the major "live" virus software packages can catch this stuff? They have become such a problem, I would think the big boys like Norton would be getting a lot of heat to catch them before they get into a system.

Thanks for checking.

Ken

 

Thanks for your continued interest. Since everything seems to be running fine, I will hold off on any further procedures. However, I will certainly let you know if anything new crops up.

For your info, I was curious if Norton had anything going on this stuff and found the following page:

http://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99&tabid=3

The interesting part of the manual procedure is the stopping of the dllhost.exe processes altogether while removing the virus. This makes sense because the dllhost.exe*32 processes appeared to replace the virus whenever it was deleted, making it very hard to remove completely. This is a tad above my technical expertise but it may make perfect sense to you. I have not done anything with their procedure as yet but I might give it a try just to see if it finds anything at all.

Thanks again for all of your help and attention.

Ken