Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - drdancm

Pages: [1]
1
Malware removal help / Virtumonde, Win32.Adload.jm Out of Memory
« on: November 09, 2016, 09:29:53 PM »
Spybot 1.62 came up with this:

Error during check!
Win32.Adload.jm [6 - $AFC12AB3] (Out of memory)
Error during check!
Virtumonde [245 - $4A9C6736] (Out of memory)
Error during check!
Virtumonde [845 - $4A9C6736] (Out of memory)
Congratulations !
No immediate threats were found

Spybot had never shown anything like this before.
Avast, Malwarebytes, Spybot 2.4, & Rogue killer  fails to find any problems. With the exception of Avast, I also ran all of these programs in Safe Mode with no difference in outcome.

Spybot 1.62 came up with this:

Error during check!
Win32.Adload.jm [6 - $AFC12AB3] (Out of memory)
Error during check!
Virtumonde [245 - $4A9C6736] (Out of memory)
Error during check!
Virtumonde [845 - $4A9C6736] (Out of memory)
Congratulations !
No immediate threats were found

Spybot had never shown anything like this before.
Avast (including Boot time scan), Malwarebytes, Spybot 2.4, & Rogue killer  fails to find any problems. With the exception of Avast, I also ran all of these programs in Safe Mode with no difference in outcome.


I followed suggestions from Bleeping Computer etc. and ran the usual programs:
TDSSKiller, Hitman Pro, RKill, Emsisoft Emergency Kit, AdwCleaner. None of these helped at all.

I had removed these from another computer (one of these tools cleaned it up) which is now clean,
but I have no luck with the current machine.  Possibly there is a dslhost.exe problem which shows up, but disappears most of the time, before I can Endtask it.

Only Spybot 1.62 shows this malware, other programs including Spybot 2.4 fail to find it.
Any help would be appreciated.

Thanks,

2
RogueKiller PREMIUM / Re: Some Questions
« on: June 16, 2016, 09:39:35 PM »
I'm sorry for the late response but I was so busy with other matters it completely slipped my mind, now that the problem was resolved.  I appreciate your offer for the script, but I've already dealt wit that.

As for the additional security programs causing incompatibilities, I have not seen any and I have the very same, setup on at least 15 machines.

Once again I must thank your for the super prompt help response and overall terrific support for an excellent program which is priced low enough to be a real bargain.

Thanks Very much,

Dan

3
RogueKiller PREMIUM / Re: Some Questions
« on: June 06, 2016, 11:11:14 PM »
I'm very pleasantly surprised by your super prompt attention, and the idea that in fact my clients machine may not have the malware I've bee so worried about.

My experience with the dllhost.exe, is that it starts off rather quiet and then gradually gets worse and worse at slowing down the system. This machine has not slowed down and I was wondering if dllhost.exe showing up was perhaps the normal version doing it's job. However, it is extremely rare that I see it at all on all of the many normally functioning machines that work on, both in my office and those of my clients.

Therefore I was thinking that dllhost.exe was infected, but it had not fully "matured" yet.  And, as you may have noticed from the Roguekiller reports, Roguekiller detected and removed a bunch of other malicious software from this machine.

It would be terrific if in fact dllhost is not infected by Poweliks.

I've attached the reports you advised me to upload, as well as a task manager screen capture. On occasions I've seen 3 instances of dllhost.exe, but usually it is just one. If I end task the tree, it comes back either immediately or a bit later.

I see that there are pieces of Logmein that have not been properly uninstalled. I am currently using a licensed version of Teamviewer to support my clients.

Thank you for your generous help.

Dan

4
RogueKiller PREMIUM / Re: Some Questions
« on: June 06, 2016, 03:46:31 AM »
Thank you for your help.

When I click on Open Report, nothing happens, but after some checking I found the report under

C:\Windows\Program  Data\Rogue Killer\Logs

I hope this is the report you are asking for.  I attached the latest scan 6/5/2016 as well as one of the earlier ones 6/2/2016, just in case the old one is of some help.

I hope that you are not in the area of the terrible floods.

Thanks very much,

Dan


5
RogueKiller PREMIUM / Re: Some Questions
« on: June 03, 2016, 05:49:46 AM »
All of the advice I have found on the internet is rather old, therefore outdated, and none of the programs recommended (Eset Poweliks Remover, Symantec etc.) including Roguekiller is able to remove the current variant of  dllhost.exe  (Powelik) malware. In task manager you can see it pop up, you can endtask the tree, but it comes right back.

I am totally amazed and disappointed that none of the AVs or anti Malware programs detect it. I understand that it resides in the Registry. So what, most of the anti malware programs scan the Registry.

Roguekiller is my last resort, but it too has failed to remove it. Yes it found a bunch of malware and removed that, but that was probably just some other crap that Powelik let in.

Any help would be greatly appreciated.

Thanks,

Dan

6
RogueKiller PREMIUM / Some Questions
« on: June 03, 2016, 12:35:23 AM »
I purchased the Premium Technician Version yesterday.

Questions:
1 What is  "Scan Offline Registry". Does it mean I can remove the HD with the infected by dllhost.exe and use another computer to scan the registry of the OS on the infected HD?

If not, is it possible to make your software do that?


2 In the instructions for making the portable version say:

The file will be used then to gain access to premium features while doing your malware removal on your customer’s PC. To use that file, you need to use the command line parameter -portable-license path_to_the_file. You can also name it rk_config.ini and place it in the same directory as RogueKiller exe file.


What does you can also name "it" refer to?  The portable file ? Or a file saved with the command line parameter shown above?
Would you please explain it more clearly.

Thank you.

Pages: [1]