1. #1

    Need help removing a computer threat!

    So for the past few days I have been trying to remove what I believe is a virus/threat on my computer. I've done some research before coming to a forum, and the fixes others have used aren't working for my specific problem.

    So in my Task Manager Processes I have about 9+ dllhost.exe that start at 3k memory, and if they sit there for a bit I've seen a bunch go into the 300k+ range, and even one at 900k+.

    Here is a picture of my processes http://i.imgur.com/nlXLVdo.png

    Also, Malwarebytes Anti-Malware will pop up with a notification every now and then saying it has "successfully blocked an outgoing signal" or something with a port number and saying it's from dllhost.exe.

    Another thing is it will tab me out of anything I am currently viewing and pop up with a small GUI box saying how Windows Internet Explorer isn't working / COM Surrogate isn't working, asking me to leave the page or stay on the page.

    I've tried running many programs such as AVG scan, Spybot Search & Destroy, RogueKiller, and each time they find some stuff and I get excited thinking I finally fixed the problem, but this just keeps persisting through everything I try.

    So, seeing if any friendly voices can give me some help.
    Hope I provided enough information.

    ALSO, I've wanted to try and do a System Restore to before this happened, but I apparently have 0 restore points!

  2. #2
    Well you might be able to investigate this further if you use something better than the standard task manager - Process Explorer:
    http://technet.microsoft.com/en-us/s.../bb896653.aspx

    Don't forget to activate 'Show processes from all users' from its file menu, and it should provide you with a lot more details about those processes, including the parent process, parameters and open files/handles.
    That should give you a better idea of how and why those are running.

  3. #3
    So I downloaded Process Explorer and it led me to finding this path in my AppData: \SOWRBPQ\SCWVIYS\WOW.INI, which was a text file with some stuff saying "on click" and had a server path or something. I wish I had saved it, but I deleted the info inside of it, tried killing the dllhost processes, but then they went crazy for a sec, so I killed my explorer process, relaunched it and they all seemed to be gone! So I think it's fixed, wonder what that file was trying to do >.>

  4. #4
    Now if the system got infected, that means there is a way for it to get infected again. Anyway, format and reinstall from a reliable source is the only good way of removing threats.

  5. #5
    What anti-virus are you using?

  6. #6
    Atm I downloaded AVG Free, but my roommate has Avast, which he likes, so I might try that?

    And Crista, could you elaborate? I mean, I don't think the system got infected, but then again how can I tell?

  7. #7
    Quote Originally Posted by Ucinrus View Post
    So I downloaded Process Explorer and it led me to finding this path in my AppData: \SOWRBPQ\SCWVIYS\WOW.INI, which was a text file with some stuff saying "on click" and had a server path or something. I wish I had saved it, but I deleted the info inside of it, tried killing the dllhost processes, but then they went crazy for a sec, so I killed my explorer process, relaunched it and they all seemed to be gone! So I think it's fixed, wonder what that file was trying to do >.>
    Might be this one (or a variant):
    http://home.mcafee.com/virusinfo/vir...y=3583422#none

    The following files have been added to the system:

    %TEMP%\badkfeho.exe:del
    %WINDIR%\Tasks\Security Center Update - 135663007.job
    %TEMP%\sprpqdw\srpohpm\wow.dll
    %TEMP%\sprpqdw\srpohpm\wow.ini
    %WINDIR%\SYSTEM32\naodqyuzd.exe
    %APPDATA%\Ivikefe\ivhace.exe

    The following files were temporarily written to disk then later removed:

    %TEMP%\tmp1ed9d2da.bat
    %TEMP%\badkfeho.exe
    %TEMP%\dkfehoji.exe

    The following registry elements have been created:


    The following registry elements have been changed:


    The applications attempted the following network connection(s):


    So there might still be some more work to do for a clean system, either manually or with a program that can remove this threat automatically.

    Also, your system definitely was (or still is) infected, so as Crista said, the only sure way to clean it is a fresh install; however, removing the detected threat may be enough.
    Last edited by mmoc1a2258818d; 2013-10-22 at 09:50 AM.

  8. #8
    Use Windows search and type dllhost.exe in it. If any of them is not in C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}, it's a virus.

    What you do is shut it down in Task Manager and then delete it (if you don't, you will probably get an error: this program is running, bla bla bla).
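    An added triage script, not posted by anyone in this thread, that puts the advice in #2, #7 and #8 into one pass: it lists every running dllhost.exe with its image path, command line and parent (the Process Explorer view from #2 and the path check from #8), then lists per-user COM registrations and the autostart locations named in the McAfee report in #7. It assumes a Windows host with PowerShell 3.0 or later, run from an elevated prompt; the "suspicious" flag is a heuristic, not a verdict.

```powershell
# Added triage script (not from the thread). Run from an elevated PowerShell prompt.
# Section 1 covers the path check from post #8; sections 2 and 3 cover the per-user COM
# registration and the autostart entries the McAfee report in post #7 lists.

# 1. Every running dllhost.exe: where its image lives, what it was started with, and by whom.
#    The genuine COM Surrogate is %WINDIR%\System32\dllhost.exe and is normally launched
#    with a /Processid:{CLSID} argument; anything else is worth a closer look (heuristic).
$legit = Join-Path $env:WINDIR 'System32\dllhost.exe'
Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        PID        = $_.ProcessId
        Path       = $_.ExecutablePath
        CmdLine    = $_.CommandLine
        Parent     = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<exited>' }
        Suspicious = ($_.ExecutablePath -ine $legit) -or ($_.CommandLine -notmatch '/Processid:')
    }
} | Format-Table -AutoSize

# 2. COM classes registered per user. HKCU\Software\Classes\CLSID is writable without admin
#    rights and, for non-elevated processes, is consulted before HKLM, so a CLSID registered
#    here makes the real dllhost.exe load whatever DLL InprocServer32 names (the report
#    shows exactly such a key). Review each entry; most users have none or very few.
$hkcuClsid = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $hkcuClsid) {
    Get-ChildItem $hkcuClsid | ForEach-Object {
        $server = Get-ItemProperty -Path "$hkcuClsid\$($_.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
        if ($server -and $server.'(default)') {
            [pscustomobject]@{ CLSID = $_.PSChildName; InprocServer32 = $server.'(default)' }
        }
    } | Format-Table -AutoSize
}

# 3. Autostart: Run keys in both hives (the report lists ...\Run\LYYNSUIQ) and legacy
#    .job files under %WINDIR%\Tasks (the report lists a "Security Center Update" job).
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { '{0} Run: {1} = {2}' -f $hive, $_.Name, $_.Value }
    }
}
Get-ChildItem (Join-Path $env:WINDIR 'Tasks') -Filter *.job -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime | Format-Table -AutoSize
```

    Anything flagged in section 1 or listed in sections 2 and 3 that you did not install yourself is what to submit to a scanner or look up by name, as #7 did with the wow.ini path.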

  9. #9
    Well, I'll do another scan to see if it finds anything (though it didn't pick up this problem in the first place), and Descense, they were all in my System32 folder (saying that it was the path), but I guess it was masking it or idk. And by fresh install do you mean my OS? Cause I don't have the disk, though my roommate said I could just write down my product key in the system info (which apparently I don't have).

  10. #10
    Why do you use an administrative account for everyday work?

    As you obviously stole your OS, why didn't you do so for a non-home version?

    Why don't you use built-in methods of protection?

    Why don't you install security updates?
    Last edited by Tackhisis; 2013-10-22 at 10:06 AM.

  11. #11
    Quote Originally Posted by Tackhisis View Post
    Why do you use an administrative account for everyday work?
    Bad habit I guess, just easier to run things as admin. So what, make another profile that's not admin and use that?

  12. #12
    Quote Originally Posted by Ucinrus View Post
    Bad habit I guess, just easier to run things as admin. So what, make another profile that's not admin and use that?
    That is generally accepted best practice, but in reality very few people do it.

  13. #13
    So would I have to move my files to it or what? Would it be simple, or?
