Windows 7 COM Surrogate - dllhost.exe *32


  • This topic is locked
13 replies to this topic

#1 surlythedwarf

surlythedwarf

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 01 October 2014 - 10:54 PM

I looked and could not find a forum for this that wasn't closed. I apologize if this is the wrong place for this. Working on wife's computer now after fixing Kindle issue, Ubuntu issue, e-mail issue, and Wii issue, so this has become really painful.

I don't know what was done to bring this on. Basically what is happening now running Windows 7 - AVG anti virus - had Spybot on it, but removed it because I thought it may be making connections back out to the Internet, but was wrong.

 

Starts up fine, will run fine for about 5-7 minutes then you can literally hear the processor tach up to 100% and maintains 100%. Opening task manager reveals dllhost.exe *32, about 15-20 of the same processes. They point back to the SysWOW64 folder. Trying to kill the process is pointless as it just keeps coming back. Unplug network cable (wired connection) and I am able to kill the processes, machine runs normally. Plug cable back in and 5-7 minutes later 15-20 dllhost files reappear. I read some of the other forums on bleepingcomputer, but don't want to jump ahead. Even though I have already run Spybot, AVG, MGtools, Roguekiller, Tssd utility, and other Microsoft suggested software to no avail.

 

So I am here in desperation. I have completed what I assume is the first step to run FRST64 and am posting the logs. I am on Eastern time so I am beat from the day, but will keep going with this until the problem is solved so that this will not become a dead thread. I do have to copy software from one computer and transfer to the afflicted computer because I can not download anything on the bad on processor gets taxed. Oh yeah and I can view any events in event monitor the snap in fails, also now get the xviewer or what the break out command line tool Windows has can not run - Ugh!

 

Thanks for your ear and your help in advance!

Attached Files


Edited by hamluis, 02 October 2014 - 05:30 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.



#2 surlythedwarf

surlythedwarf
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 03 October 2014 - 03:06 PM

Just checking back to make sure topic doesn't get closed. This is still an issue.



#3 surlythedwarf

surlythedwarf
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 04 October 2014 - 10:43 PM

Keeping hope alive!



#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:32 AM

Posted 06 October 2014 - 10:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/550521 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 surlythedwarf

surlythedwarf
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 07 October 2014 - 12:19 AM

Hello, 
I appreciate your time and help immensely! HelpBot has instructed me to run DDS on the affected machine. I am pasting the results here.

  


It is still an issue. Thanks

Attached Files



#6 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:32 AM

Posted 07 October 2014 - 01:09 AM

Hello surlythedwarf and thanks for being patient

 

 

Step 1

Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.

  • Copy the entire content of the codebox below and paste into the notepad document:
     
    start
    CloseProcesses:
    HKU\S-1-5-21-4151191543-299497081-1580307124-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
    CustomCLSID: HKU\S-1-5-21-4151191543-299497081-1580307124-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
    SearchScopes: HKLM - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = 
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM - {E78F59AD-C2E9-47F6-B79E-CE24D2A618AC} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    SearchScopes: HKLM-x32 - DefaultScope {6460EE2A-9240-4D8A-993B-4497357E1F76} URL = 
    SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM-x32 - {E78F59AD-C2E9-47F6-B79E-CE24D2A618AC} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    SearchScopes: HKLM-x32 - {ef80d754-fb77-4a7f-be75-489beebb20c9} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^RG^xdm002^S01645^us&si=CKDPwa2UyrACFYFo4Aod1GJ9Yw&ptb=33F599E8-D309-4B2D-8F49-8463CE5076D6&ind=2012061222&n=77ed9e26&psa=&st=sb&searchfor={searchTerms}
    SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?gd=&ctid=CT3325111&octid=EB_ORIGINAL_CTID&ISID=MD11ED3F3-B053-467E-808A-E3D4A78B4E65&SearchSource=58&CUI=&UM=5&UP=SPAF49027A-37CE-4D92-B705-1C821C8E85F6&q={searchTerms}&SSPV=
    SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?gd=&ctid=CT3325111&octid=EB_ORIGINAL_CTID&ISID=MD11ED3F3-B053-467E-808A-E3D4A78B4E65&SearchSource=58&CUI=&UM=5&UP=SPAF49027A-37CE-4D92-B705-1C821C8E85F6&q={searchTerms}&SSPV=
    SearchScopes: HKCU - {81B13D3F-232C-414C-8F7B-D844121961F6} URL = 
    SearchScopes: HKCU - {C1EE7C51-D289-444C-B3DA-FC46C3F72ACE} URL = 
    SearchScopes: HKCU - {DA26DF58-EB82-47D7-8B46-5AFE7FCCBF99} URL = 
    SearchScopes: HKCU - {E78F59AD-C2E9-47F6-B79E-CE24D2A618AC} URL = 
    BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
    BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
    Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
    Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
    Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    cmd: type C:\Users\dmalloy\Desktop\RKreport[0]_D_09302014_131322.txt
    C:\Windows\Tasks\SmartPCFix Task.job
    C:\Windows\Tasks\PC Optimizer Pro64 startups.job
    end
    

     

  • Click File > Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

 

Step 2

 

Scan with FRST again and post the newest FRST.txt for review


Edited by thisisu, 07 October 2014 - 01:28 AM.
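
The two Poweliks entries in the fixlist above have the same shape: a per-user COM localserver32 value whose command is rundll32.exe handed a javascript: URL that reaches mshtml,RunHTMLApplication. The following is an added example, not part of the original post and not FRST's own logic, that triages FRST-style lines for that shape; the sample lines are constructed (payload replaced by a placeholder, benign entries made up) and the function and check names are assumptions.

```python
import re

# Constructed sample in the FRST log style quoted in the post. The SID and
# CLSID on the first line come from the fixlist; the eval() payload is replaced
# by a placeholder and the two benign entries are made up.
SAMPLE_LOG = r'''
CustomCLSID: HKU\S-1-5-21-4151191543-299497081-1580307124-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("<payload elided>") (the data entry has 247 more characters).
CustomCLSID: HKU\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32 -> C:\Users\example\AppData\Local\ExampleSync\shell64.dll (Example Corp)
CustomCLSID: HKU\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes\CLSID\{55555555-6666-7777-8888-999999999999}\localserver32 -> "C:\Program Files\Example\helper.exe" /automation
'''

# A COM server registration: <registry key>\LocalServer32|InprocServer32 -> <command>
ENTRY = re.compile(
    r"(?P<key>HK[A-Z]+\\\S*?\\(?P<kind>localserver32|inprocserver32))"
    r"\s*(?:->|:)\s*(?P<data>.+)", re.IGNORECASE)
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
TRUNCATED = re.compile(r"the data entry has (\d+) more characters")

# Hypothetical check names; each pattern is a trait visible in the flagged lines.
CHECKS = [
    ("rundll32 given a javascript: URL", re.compile(r"rundll32(\.exe)?\W+javascript:", re.I)),
    ("mshtml RunHTMLApplication entry point", re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I)),
    ("inline eval() in the server command", re.compile(r"\beval\s*\(", re.I)),
]

def triage(log_text):
    """Return one finding per COM server entry whose command matches a check."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        data = m.group("data")
        reasons = [name for name, rx in CHECKS if rx.search(data)]
        if not reasons:
            continue  # ordinary DLL/EXE server path: nothing to report
        if m.group("key").upper().startswith(("HKU\\", "HKCU\\")):
            reasons.append("registered in a per-user hive")
        more = TRUNCATED.search(data)
        if more:
            reasons.append(f"value continues for {more.group(1)} more characters")
        clsid = CLSID.search(m.group("key"))
        findings.append({"clsid": clsid.group(0) if clsid else None,
                         "server": m.group("kind").lower(),
                         "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["clsid"], f["server"], "; ".join(f["reasons"]))
```

Only the first sample line is reported; the two entries that point at an ordinary DLL or EXE path produce no finding.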


#7 surlythedwarf

surlythedwarf
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 07 October 2014 - 03:19 PM

 I ran both fix and FRST again here are the text files.

 

Thanks Again!

Attached Files



#8 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:32 AM

Posted 07 October 2014 - 07:26 PM

Step 1

 

Malwarebytes Anti-Malware (MBAM)

  • Please download Malwarebytes Anti-Malware Free to your Desktop.
  • Double-click mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the program.
  • Launch the program and select Update.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply.

 

Step 2

 

Please download AdwCleaner (by Xplode) and save it to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select "Run As Administrator"
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • After rebooting, a log file (that is saved in C:\AdwCleaner[S#].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.

 

Step 3

 

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

___

 

I should see the following reports in your next replies. Let me know how your system is running at this point.

  • Log from Malwarebytes
  • Log from AdwCleaner
  • Log from JRT


#9 surlythedwarf

surlythedwarf
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 07 October 2014 - 11:45 PM

I was able to install and update Malwarebytes before the processor spiked. I must have used Malwarebytes for a previous problem like a year ago. My trial period had expired, but I was still able to update and scan, and apply fixes. It seemed after I applied fixes in Malwarebytes the machine is running better. I went through the rest of your directions and have attached the logs. I kept the machine attached to the network (cable plugged in) and have not seen a spike in dllhost processes. The machine seems to be running clean now. I have been able to browse with no problem as well. I am assuming the problem has been cleared. I will continue to monitor. I really appreciate your help! 

Attached Files



#10 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:32 AM

Posted 08 October 2014 - 09:46 AM

The problem should have been cleared after the FRST fix; the other 3 tools found some adware mostly.

 

Please scan with TDSSKiller

Download it to your desktop

Open TDSSKiller

Accept both agreements

Click Change Parameters

Add a checkmark to "Detect TDLFS file system". Leave the other settings alone. Press OK when finished.

Click the Start Scan button.

Open Windows Explorer and find the report of the TDSSKiller scan at C:\TDSSKiller.version_month.day.year_XX.XX.XX_log.txt

Please attach this log to your next post

 

Continue monitoring your computer for the next few days and update me on the status of your computer.

TDSSKiller is the last scan I'd have you run unless you are still experiencing problems.



#11 surlythedwarf

surlythedwarf
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 08 October 2014 - 04:12 PM

The machine has been running without issue since my last post. I ran TDSSKiller and made the modification to the parameter. It ran through without errors. I have attached the log as requested. I will continue to monitor for a couple days and report back for closure of the issue. Again, I really appreciate your time and help! 

Attached Files



#12 surlythedwarf

surlythedwarf
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 13 October 2014 - 12:08 AM

Checking back...The computer has been in use and running real good. Thanks again for your help! You have no idea of the amount of frustration you have saved me! I really appreciate your expertise! I think this case is closed!



#13 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:32 AM

Posted 13 October 2014 - 04:21 AM

Great

 

1. Delete FRST

2. Delete the C:\FRST folder

3. Ensure you have the latest version of the following applications if you use them. The outdated versions of these applications are commonly used to infect computers:

  • Adobe Flash Player
  • Adobe Reader
  • Java
  • Microsoft Silverlight

4. No matter which browser you decide to use, I highly recommend this browser extension which effectively blocks annoying banners, pop-ups, and video ads - even on Facebook and YouTube: Adblock Plus.

5. A couple of small yet highly effective programs I recommend are: SpywareBlaster and CCleaner Slim.

6. Finally, delete your old (potentially infected) system restore points and create a new one. If you need help with this, click here.

 

Be safe!



#14 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:32 AM

Posted 13 October 2014 - 04:21 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



