dllhost.exe consuming cpu

Hello- I need a fixlist.txt file to start to clean up a machine. Can anyone help me?

Thank you so much!

sorry about those duplicates…thanks for deleting!

Let me know if this stops it

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-3714083529-1526305721-1503150562-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-10-22 17:16 - 2014-10-22 17:16 - 00000000 ____D () C:\Users\tim\AppData\Local\{C45418D0-4C5B-45D4-AFFB-FCC380B52A95}
2014-11-06 08:11 - 2014-03-31 17:52 - 00870128 _____ () C:\Users\tim\AppData\Roaming\mcs.rma
2014-11-06 08:11 - 2011-12-04 17:53 - 00000004 _____ () C:\Users\tim\AppData\Roaming\6058AB
C:\ProgramData\arepo.pad
C:\Users\tim\udownload.dat
C:\Users\tim\AppData\Roaming\settings.ini
CustomCLSID: HKU\S-1-5-21-3714083529-1526305721-1503150562-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download and run Farbar Service Scanner

https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Thank you, FRST has been running with the Fixlist.txt for quite a while now, didn’t think it would take so long. FRST64.exe is getting CPU every once in a while and the hard drive light flickers occasionally. I haven’t allowed it on my network (my neighbor’s machine), so I will post back the files you asked for when it finishes. Thanks again!

If it appears to be hanging then close it and post the log so that I can see how far it got :slight_smile:

Once, the program crashed and the second time it seems to get to the last command.

Looks like it hung on the empty temp command; how is the computer behaving now?

It seems ok, but I don’t have it on the internet. It doesn’t seem to behave badly unless it is on the network and can go out to the internet…what kind of malware is this?

Poweliks was the culprit; there is a small write-up on it here: https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html

Take it online and try it out for a while

OK, will do. I know IE 11 is slightly screwed up, so using Chrome now. IE won’t download anything when you right-click and Save As…it just never does anything. PDFs finally open up OK in IE. Have to use Chrome for a JAVA app on a website for his work, so at least that is working now. IE is really a pain, not sure what to do about those little problems, but at least he has Chrome…I will post again later. Thanks!

To cure that, first back up IE bookmarks to your desktop, then from Control Panel reset IE and reset zones to default.

Everything seems to be working ok now. I am reading the link you sent and it mentions a Word document sent via email…he doesn’t have any MS Office products or anything else to read a Word doc besides Wordpad and I doubt he used that to read a Word doc. OR, is that just an example of how this type of thing can happen, not necessarily how it actually did happen???

Thanks for the help, Essexboy, you bailed me out again!!! And thanks for the IE help, we will give that a try too!

That was just an example of one of the many ways you can get. But, the main point is that there is no actual file on the computer for the AV to detect.

Any further problems or are you ready for a tidy up :slight_smile:
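
As an added illustration (not code from the thread or from FRST): a Python example that scans FRST-style log lines for the registry pattern flagged in the fixlist, a class-registration value that launches `rundll32.exe` with a `javascript:` argument and `mshtml,RunHTMLApplication`, and undoes the one-character shift visible in the `eval(` fragment. The function names and sample lines are assumptions; the SIDs, CLSIDs and DLL path are placeholders.

```python
import re

# Constructed sample lines in the FRST log style shown in the thread. The SIDs,
# CLSIDs and the DLL path are placeholders; the eval() fragment is the one
# visible in the fixlist.
SAMPLE_LOG = [
    r'CustomCLSID: HKU\S-1-5-21-0-0-0-1001_Classes\CLSID\{00000000-0000-0000-0000-000000000000}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r'CustomCLSID: HKU\S-1-5-21-0-0-0-1001_Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32 -> C:\Program Files\Example\shellext.dll',
    r'Toolbar: HKLM - No Name - {22222222-2222-2222-2222-222222222222} - No File',
]

# A COM server value should name a binary on disk, not a script URL.
SCRIPT_HOST = re.compile(r'rundll32(\.exe)?\s+javascript:', re.I)
HTA_ENTRY = re.compile(r'mshtml\s*,\s*RunHTMLApplication', re.I)
EVAL_ARG = re.compile(r'eval\("([^"]*)')


def shift_back(text):
    """Undo the +1 character shift seen in the eval() argument."""
    return ''.join(chr(ord(c) - 1) for c in text)


def inspect_line(line):
    """Return a finding for a registry line that runs script via rundll32, else None."""
    key, sep, data = line.partition(' -> ')
    if not sep:  # some entries use "key: data" instead of "key -> data"
        key, sep, data = line.partition(': ')
    if not (SCRIPT_HOST.search(data) and HTA_ENTRY.search(data)):
        return None
    m = EVAL_ARG.search(data)
    return {'key': key, 'decoded': shift_back(m.group(1)) if m else None}


def scan(lines):
    """Collect findings from an iterable of log lines."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding['key'])
        print('  decoded eval argument:', finding['decoded'])
```

The decoded fragment shows the value building a script block in memory rather than pointing at a file on disk.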