URL:mal in system32 dllhost.exe

Hi! I’m new here and not at all computer-savvy, though I’ve successfully gotten rid of several infections in the past following complex instructions. Now I’m stuck with what I understand to be new Aleurion malware that I’ve been able to tame but not eliminate entirely. This is the Avast message I get every couple of hours:

Infection: URL: Mal
Process: D:\Windows\System32\dllhost.exe

A member by the name of essexboy successfully fixed this problem for someone else a few months ago, but his directions were for a different system. If he or someone else could guide me through a fix (and has the patience to explain where I find which function on my laptop), this lady in distress will be highly obliged.

https://forum.avast.com/index.php?topic=53253.0

Thanks. Ran two of the three recommended cleaners before I came here, which helped SOME. Will run everything again and post the logs tomorrow.

OK, ran the Malwarebytes scan. The screenshots in the instructions weren’t showing up for me so I could not update the program after downloading it, but all the rest went well. Here’s the log.

Here are the Farbar logs.

The aswMBR log.

aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2015-03-19 13:00:27

13:00:27.500 OS Version: Windows 5.1.2600 Service Pack 3
13:00:27.500 Number of processors: 2 586 0xE08
13:00:27.500 ComputerName: VLADA-NOTE UserName: Vlada
13:00:31.593 Initialize success
13:00:31.593 VM: initialized successfully
13:00:31.593 VM: Intel CPU BiosDisabled
13:00:37.859 AVAST engine defs: 15031900
13:00:58.046 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
13:00:58.046 Disk 0 Vendor: Hitachi_HTS727550A9E364 JF3OA0D0 Size: 476940MB BusType: 3
13:00:58.218 Disk 0 MBR read successfully
13:00:58.218 Disk 0 MBR scan
13:00:58.234 Disk 0 Windows XP default MBR code
13:00:58.234 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 101025 MB offset 63
13:00:58.234 Disk 0 unknown boot code
13:00:58.265 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 368749 MB offset 206901135
13:00:58.328 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 2055 MB offset 972559038
13:00:58.328 Disk 0 statistics 285/0/0 @ 0.55 MB/s
13:00:58.328 Scan finished successfully
13:01:31.625 Disk 0 MBR has been saved successfully to “D:\Documents and Settings\Vlada\Desktop\MBR.dat”
13:01:31.625 The log file has been saved successfully to “D:\Documents and Settings\Vlada\Desktop\aswMBR.txt”

I believe I’m done and waiting for help at this point. Please let me know if I’ve missed anything. Thanks!

Sorry about the pictures; MBAM has just updated and I am in the process of making new screenshots.

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR HKU\S-1-5-21-1275210071-1844823847-839522115-1004\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1275210071-1844823847-839522115-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> D:\Program Files\Java\jre7\bin\ssv.dll No File
Toolbar: HKU\S-1-5-21-1275210071-1844823847-839522115-1004 -> No Name - {09900DE8-1DCA-443F-9243-26FF581438AF} - No File
S1 filyzrtb; \??\D:\WINDOWS\system32\drivers\filyzrtb.sys [X]
S1 gxeyijwa; \??\D:\WINDOWS\system32\drivers\gxeyijwa.sys [X]
S1 ihbisuuf; \??\D:\WINDOWS\system32\drivers\ihbisuuf.sys [X]
S1 itjaludd; \??\D:\WINDOWS\system32\drivers\itjaludd.sys [X]
U5 WinRM; D:\WINDOWS\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
2015-03-16 19:55 - 2015-03-16 23:16 - 00000000 ___HD () D:\Documents and Settings\All Users\Application Data\{A5BBBFE0-249A-420B-8F82-DD2D55E928B9}
CustomCLSID: HKU\S-1-5-21-1275210071-1844823847-839522115-1004_Classes\CLSID\{9E2E378D-FF90-485D-87D1-A33E29CD3593}\InprocServer32 -> D:\Documents and Settings\All Users\Application Data\{A5BBBFE0-249A-420B-8F82-DD2D55E928B9}\d3d10cor (the data entry has 13 more characters).
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
D:\Documents and Settings\All Users\Application Data\{A5BBBFE0-249A-420B-8F82-DD2D55E928B9}
D:\WINDOWS\system32\drivers\filyzrtb.sys
D:\WINDOWS\system32\drivers\gxeyijwa.sys
D:\WINDOWS\system32\drivers\ihbisuuf.sys
D:\WINDOWS\system32\drivers\itjaludd.sys
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
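The fixlist above targets three kinds of artefact: orphaned random-named S1 drivers whose .sys file is already gone ([X]), a per-user CustomCLSID whose InprocServer32 points into a user-writable Application Data folder (the usual way a DLL ends up loaded by dllhost.exe, the COM surrogate that Avast flagged), and browser policy locks. The following script is an added triage helper, not part of the thread or of FRST; it runs those three checks over constructed FRST-style sample lines (SID replaced by a placeholder, two benign control lines invented) and flags the entries a helper would want to see first.

```python
import re

# Constructed sample in FRST log style, modelled on the entries in the fixlist
# above; the SID is replaced by a placeholder and the usbccgp/plugin.dll lines
# are invented benign controls. Not a real log.
SAMPLE_LOG = r"""
S1 filyzrtb; \??\D:\WINDOWS\system32\drivers\filyzrtb.sys [X]
S1 gxeyijwa; \??\D:\WINDOWS\system32\drivers\gxeyijwa.sys [X]
S3 usbccgp; D:\WINDOWS\system32\DRIVERS\usbccgp.sys [32128 2008-04-13] (Microsoft Corporation)
U5 WinRM; D:\WINDOWS\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-PLACEHOLDER-1004_Classes\CLSID\{9E2E378D-FF90-485D-87D1-A33E29CD3593}\InprocServer32 -> D:\Documents and Settings\All Users\Application Data\{A5BBBFE0-249A-420B-8F82-DD2D55E928B9}\d3d10cor (the data entry has 13 more characters).
CustomCLSID: HKU\S-1-5-21-PLACEHOLDER-1004_Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32 -> D:\Program Files\Vendor\plugin.dll
CHR HKU\S-1-5-21-PLACEHOLDER-1004\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
"""

# "S1 name; path [X]" is an FRST service/driver entry; "[X]" means the binary is gone.
SERVICE_RE = re.compile(r"^[SUR]\d (?P<name>[^;]+); (?P<rest>.*)$")
# Per-user COM registration: InprocServer32 -> path of the DLL that gets loaded.
CLSID_RE = re.compile(r"^CustomCLSID: .*\\InprocServer32 -> (?P<target>.*)$")
# Heuristic tuned to this case: eight random lowercase letters.
RANDOM_NAME_RE = re.compile(r"[a-z]{8}")
# Directories a legitimately installed in-proc COM server normally lives under.
TRUSTED_DIRS = ("\\windows\\", "\\program files")


def triage(log_text):
    """Return (category, detail) findings for the three artefact types seen in
    this thread: orphaned random-named drivers, per-user CLSID entries pointing
    at user-writable folders, and browser policy locks."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            if rest.endswith("[X]") and "\\drivers\\" in rest.lower() \
                    and RANDOM_NAME_RE.fullmatch(name):
                findings.append(("orphaned-driver", name))
            continue
        m = CLSID_RE.match(line)
        if m:
            target = m.group("target")
            if not any(d in target.lower() for d in TRUSTED_DIRS):
                findings.append(("com-hijack-candidate", target))
            continue
        if "Policy restriction" in line:
            findings.append(("browser-policy-lock", line.split(":")[0]))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

Point it at a full FRST.txt by reading the file and passing the text to triage(); the benign control lines (a Microsoft-signed driver that still exists, a CLSID under Program Files) are deliberately not flagged.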

(Recording everything just in case.)

FRST crashed mid-process, ran fine the second time. Got some messages from my PC that some files such as cookies cannot be deleted. Completed OK, log attached.

AdwCleaner failed to download from bleepingcomputer.com, downloaded fine from author’s site. Here’s the log.

AdwCleaner v4.112 - Logfile created 19/03/2015 at 15:25:33

Updated 09/03/2015 by Xplode

Database : 2015-03-05.1 [Local]

Operating system : Microsoft Windows XP Service Pack 3 (x86)

Username : Vlada - VLADA-NOTE

Running from : C:\My Documents\Downloads\adwcleaner_4.112.exe

Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

-\ Internet Explorer v8.0.6001.18702

-\ Mozilla Firefox v31.0 (x86 en-US)

-\ Google Chrome v41.0.2272.89

[D:\Documents and Settings\Vlada\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[D:\Documents and Settings\Vlada\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}


AdwCleaner[R0].txt - [8938 bytes] - [17/03/2015 14:34:16]
AdwCleaner[R1].txt - [1273 bytes] - [19/03/2015 15:22:10]
AdwCleaner[S0].txt - [9279 bytes] - [17/03/2015 14:38:48]
AdwCleaner[S1].txt - [1204 bytes] - [19/03/2015 15:25:33]

########## EOF - D:\AdwCleaner\AdwCleaner[S1].txt - [1263 bytes] ##########

Nice, how is the computer behaving now ?

No URL:mal messages in the past hour, but they’ve only been coming up every couple of hours or so. Let’s wait a bit and see what happens, shall we? Thanks for your help so far!

Let me know when you are happy and I will tidy up

If nothing happens in the next hour or so, do you think it’s safe to call it fixed?

Methinks so, but to be sure use the computer as usual until tomorrow

Alrighty then, I’ll turn it off at night and report back tomorrow if anything strange happens on startup. If not, I’m calling this the fastest problem fix ever. Thanks a million, essexboy! I’m amazed you do this for free. Hey, I got some nasty bugs in my apartment; got a fix to get rid of those too? :wink:

I normally advocate a very big spider for that sort of problem :slight_smile:

That’s a case of the cure being worse than the disease… Anyway, the computer went off last night and on again this morning without incident and seems to be working fine. Thanks again, essexboy! You’re the absolute best.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Fabulous! I feel like I’m in a castle with thick walls - a perfect setting for a damsel in distress. Going to have to look at what Java does before I figure out what to do with it. Everything else is installed and running. Thanks again! :-* :-* :-*

My pleasure