
Com Surrogate dllhost.exe High Memory Usage


#1 Bears

Posted 02 November 2014 - 10:41 AM

Hello

I'm running Windows 8 64 bit.

Internet Explorer 10 - I do NOT have update KB2670838

I also use Google chrome but still have same issue

 

My computer began running slowly a couple of days ago. I have Norton Internet Security, which indicated high COM Surrogate usage; it also has blocked several attacks, including Trojan.Poweliks and Trojan.Adclicker.

Norton Internet Security states that the virus was

c:windows/syswow/dllhost.exe

 

I have been forced to use Task Manager to End Task for COM Surrogate - however, it continues to run several processes of COM Surrogate.

I ran the following to check for viruses/malware:

- Norton Internet Security - none found

- Malwarebytes - some malware found and removed

- Spybot malware + virus - found a lot of malware and the following virus: xtlkdjy.sys

It said it removed successfully.

- I ran "sfc /scannow" - the result stated some issues were not able to be resolved

- I ran Kaspersky root checker - did not find anything

 

I fear there is a trojan virus that remains undetected.

 

Thank you


Edited by hamluis, 02 November 2014 - 12:10 PM.
Moved from Win 8 to Am I Infected - Hamluis.


#2 dc3

Posted 02 November 2014 - 11:11 AM

Please do the following.  It will be important to do these in the order they are requested.

Please run TDSSKiller.

Please download TDSSKiller from here and save it to your Desktop.

1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.

If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.

3.  Click Start Scan and allow the scan process to run.

4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.

***Do NOT select Delete!

Click on Continue.

5.  Click on Reboot computer.

Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.

Please download and run RKill

RKill is an easy to use tool that kills known processes and removes Windows Registry entries that stop a user from using their normal security applications.  These settings will remain until the computer is rebooted; for this reason you must run the security application before the computer is rebooted.

Please download RKill and install it.

When RKill is run it will display a console screen similar to the one below:

When RKill has finished running a log will be displayed showing all of the processes that were terminated by RKill.

Attention:  At this time you need to run your security applications listed below.

While RKill is running you may see a message from the malware stating that the program could not be run because it is a virus or is infected.  This is the malware trying to protect itself.  Two methods that you can try to get past this and allow RKill to run are:

1)  Rename RKill so that it has a .com extension.

2)  Download a version that is already renamed as files that are commonly white-listed by malware.  The main RKill download page contains individual links to renamed versions.

After the application has run successfully you should reboot the computer to restore the processes and Windows Registry entries.

Please run Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware.  After clicking on the link the download will start automatically.

1)  Double-click on mbam-setup.exe, then click on Run to install the application; follow the prompts through the installation.

2)  Malwarebytes will automatically open.  If this is the first time you have run this version of Malwarebytes you will see an image like the one below.

Click on Update Now; after Malwarebytes is updated click on Scan.

If this isn't the first time you have run this version, then you will see an image like the one below.  Click on Scan.

You will be prompted to update Malwarebytes; to do so click on Update Now.

3)  The scan will automatically run now.

4)  When the scan is complete the results will be displayed.  Click on Quarantine All, then click on Apply Actions.

5)  To complete any actions taken you will be asked if you want to restart your computer; click on Yes.

6)  Please post the Malwarebytes log.

To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.

To open the log double-click on mbam-check.exe on your desktop.  When the log opens, scroll down toward the bottom of the log to Quarantined Items.  Copy and paste this in your next post.
 
 
 

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

#3 Bears (Topic Starter)

Posted 02 November 2014 - 12:37 PM

Thank you for all the information.

I followed your steps in order - however, nothing was detected.

 

The other thing I've noticed is that Internet Explorer resets its security settings to a custom setting.

Also, I've been getting messages that Windows Powershell has stopped working.

 

Are there other things I can try?

#4 Bears (Topic Starter)

Posted 02 November 2014 - 04:40 PM

I did all items in order but was unable to copy logs or get to the command prompt. I have screenshots but I'm not sure how to paste them into this topic.

Kaspersky TDSSKiller found some "suspicious" items. The options were to delete or to copy to quarantine. I copied to quarantine. The items are:

 

BrYNCSvc (UnsignedFile.Multi.Generic)

IDriver T (UnsignedFile.Multi.Generic)

Intel® Capability Licensing Service Interface (UnsignedFile.Multi.Generic)

BrStsMon00 (UnsignedFile.Multi.Generic)

 

RKill stated the following:

 

* No malware services found to stop.

* No malware processes found to kill.

* No issues found in the Registry

* Windows Defender disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware" = dword:00000001

 

What else can I try? Thank you for your time and please help!
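The RKill output above reports the Windows Defender policy value DisableAntiSpyware set to 1, and the original problem is many dllhost.exe (COM Surrogate) instances with high memory. The following PowerShell script is an added triage example, not code from the thread or from any of the tools mentioned: it reads that registry value from the two locations where it can live, and it inventories every running dllhost.exe with its working set, image path, parent process and command line. The paths and property names are standard Windows ones; the `Get-*` function names are this example's own.

```powershell
# Added triage example (not from the thread). Run in an elevated PowerShell
# session on Windows; it only reads state and changes nothing.

function Get-DefenderDisableState {
    # RKill reported HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = 1.
    # The same value may also be set under the Policies hive, so check both.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { '<not set>' } else { $item.DisableAntiSpyware }
        $flag  = ($null -ne $item) -and ($item.DisableAntiSpyware -eq 1)
        [pscustomobject]@{ Path = $p; DisableAntiSpyware = $value; DefenderDisabled = $flag }
    }
}

function Get-ComSurrogateInventory {
    # Win32_Process exposes ParentProcessId and CommandLine, which Get-Process lacks.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'"
    foreach ($proc in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $parentLabel = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                       else { "<exited> ($($proc.ParentProcessId))" }
        $live = Get-Process -Id $proc.ProcessId -ErrorAction SilentlyContinue
        $wsMB = if ($live) { [math]::Round($live.WorkingSet64 / 1MB, 1) } else { 0 }
        [pscustomobject]@{
            PID          = $proc.ProcessId
            WorkingSetMB = $wsMB
            Path         = $proc.ExecutablePath
            Parent       = $parentLabel
            CommandLine  = $proc.CommandLine
        }
    }
}

Get-DefenderDisableState | Format-Table -AutoSize
Get-ComSurrogateInventory | Sort-Object WorkingSetMB -Descending | Format-List
```

What to read from the output: a legitimate COM Surrogate is started by the DCOM launcher (svchost.exe) with a `/Processid:{CLSID}` argument and a path under `C:\Windows\System32` or, for 32-bit COM servers on 64-bit Windows, `C:\Windows\SysWOW64`, so the SysWOW64 location Norton reported is not by itself abnormal. Instances whose parent is something other than svchost.exe, that carry no `/Processid` argument, or that keep reappearing after being ended are the ones worth listing in the log you hand to the Malware Removal Team. A `DefenderDisabled` of True when you did not set that policy yourself is consistent with what RKill found and is something to mention in the new topic as well.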

#5 dc3

Posted 03 November 2014 - 09:17 AM

There are tools or techniques which cannot be used in this forum which will be needed to clean your computer.  For this reason you will need to open another topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum.
 
Before posting your topic there you will need to read and follow the instructions in the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.
 
This forum is always busy; for this reason it may take a couple of days before a member of the Malware Removal Team will be able to get to your topic.  Do not add anything once you have posted your log.  The Malware Removal Team members look for topics which have not been addressed; if you post any additional information it will make it appear that the topic is being addressed.
 
After you have posted your new topic a Moderator will close this topic.  If after cleaning the infection it is determined that you have a software or hardware issue you can contact a Moderator to have your topic reopened. 

#6 Bears (Topic Starter)

Posted 03 November 2014 - 09:27 AM

Okay will do. Thank you so much for your time and help!

#7 dc3

Posted 03 November 2014 - 11:14 AM

You are more than welcome.  The members of the Malware Removal Team are very well trained; they are some of the best out there.  You are going to be in good hands.

It may take a couple of days for this topic to be picked up as the members of the MRT are extremely busy.  Do not bump your topic; this will make it appear that this topic has been addressed.
