
dllhost.exe *32 COM Surrogate


16 replies to this topic

#1 proaspen

proaspen

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Grand Haven, MI
  • Local time:12:37 PM

Posted 10 November 2014 - 01:59 PM

Hello Everyone!
 
I'm a new user and I need help/guidance on how to repair my wife's computer, which, I believe is infected with malware posing as the topic title.  Did some internet research on this, and decided to come to this forum.  Lots of "solutions" out there, but I'm a straight forward user, not a sys admin.  There were postings about downloading and running COMBOFIX, and then there were warnings that only sys admin experts should run this program.
 
So, I stopped the research and decided to come here for help.
 
My wife's laptop computer is a Sony VAIO, running Windows 7.  Last week, I believe it was infected with a different malware.  I ended up restoring from an earlier date, and that repetitive process stopped.  It was a process resembling Google Chrome, but Chrome was not installed on her computer.
 
The issue she is having now is the same. There is a repetitive process (see topic name) that runs, and duplicates itself until the system reports a high CPU usage warning.  Going to the Task Manager (TM) you can see a number of them.  The amount varies as you watch TM.  Right now there are seven (7) of them.  You can kill them, but after a few moments they reappear.
 
Okay, I think that's enough information for now.  Need an expert to patiently work with me and step me through whatever I need to do to clean her system.
 
Appreciate your help in advance!
 
V/R
Gary P.
aka proaspen

Edited by Queen-Evie, 11 November 2014 - 04:18 PM.
moved from Windows 7 to Am I Infected



#2 technonymous

technonymous

  • Members
  • 2,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 10 November 2014 - 02:35 PM

Have you tried online scans like ESET etc.? You could try Norton Power Eraser, a free stand-alone tool. Be sure to watch the video there. https://support.norton.com/sp/en/us/threat-removal-solutions/current/info?entsrc=redirect_pubweb



#3 proaspen

proaspen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Grand Haven, MI
  • Local time:12:37 PM

Posted 10 November 2014 - 02:53 PM

No, have not...will review info...tks.



#4 technonymous

technonymous

  • Members
  • 2,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 10 November 2014 - 05:15 PM

There is a chance it could be a virus. However, there is a known issue with certain chipsets running Internet Explorer 10 and KB2670838 update causing dllhost.exe to eat up memory. If you use IE 10 be sure to check for that KB listed in uninstall programs. Uninstall both and then download IE 11.

 

It could also be other older programs installed, especially ones running in compatibility mode. If you have any programs running on auto during startup that do run in compatibility mode, then I would suggest uninstalling them.

 

I also read that certain versions of NERO burner software can cause issues as well.



#5 proaspen

proaspen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Grand Haven, MI
  • Local time:12:37 PM

Posted 11 November 2014 - 04:06 PM

Technonymous:  followed through.  Wife's system was running IE11.  Decided to remove it (after first installing Google Chrome).  Also removed the KB you mentioned.  Still having issues with the COM Surrogate files showing up.  Killing the processes is useless as they reappear.  The number of them goes up and down.  Some have extremely high memory (one was nearly a gig before I terminated it...).  Beginning to think malware is the culprit.

 

Something I noticed while I had the two laptops (hers and mine) sitting side-by-side.  Mine is an older Dell running Vista.  Hers is a newer Sony VAIO running Win7.  Hers is getting a bunch of High priority attacks successfully blocked by our Norton Anti-Virus.  I checked the logs on my computer and I'm not seeing much at all, a bunch of Info and some low priority stuff.  Nothing like what is happening to hers.  Something is aggressively going after it.

 

I appreciate all the comments I'm getting and am trying to follow through.  Was thinking maybe it's time for me to run various tools and send logs?

 

Let me know if someone is willing to help me with this.

 

V/R

Gary P.



#6 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:10:37 AM

Posted 11 November 2014 - 04:44 PM

 
 
Please download Powelikscleaner (by ESET) and save it to your Desktop.
 
1.  Double-click on ESETPoweliksCleaner.exe to start the tool.
 
2.  Read the terms of the End-user license agreement and click Agree.
 
3.  The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
 
 
4.  If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
 
 
The tool will produce a log in the same directory the tool was run from.
 
Please copy and paste the log in your next reply.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#7 technonymous

technonymous

  • Members
  • 2,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 12 November 2014 - 09:10 AM

It could be that she is using large thumbnail views. They will eat up memory like no tomorrow. Paste this into the run/search box and hit enter...C:\Windows\System32\rundll32.exe shell32.dll,Options_RunDLL 7  From there click the buttons Reset Folders and Restore Defaults. See if that calms down dllhost.exe



#8 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:10:37 AM

Posted 12 November 2014 - 09:55 AM

@technonymous

 

The COM Surrogate infection she posted about is another name for Poweliks; this runs the dllhost.exe you see up there.  The ESET Powelikscleaner should resolve this.




#9 proaspen

proaspen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Grand Haven, MI
  • Local time:12:37 PM

Posted 12 November 2014 - 12:54 PM

Arachibutyrophobia:  Thanks for getting on board.  Sorry for the delay in getting back to you.  Ran the tool, it found one.  Followed instructions.  Here is the log (Standing by for next instruction...):

 

[2014.11.12 12:42:54.210] - Begin

[2014.11.12 12:42:54.210] - 
[2014.11.12 12:42:54.216] -     ....................................
[2014.11.12 12:42:54.216] -   ..::::::::::::::::::....................
[2014.11.12 12:42:54.218] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Poweliks
[2014.11.12 12:42:54.219] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.0.0.1
[2014.11.12 12:42:54.220] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Oct 15 2014
[2014.11.12 12:42:54.221] -  .::EE:::::::::::::SS:.EE..........TT......
[2014.11.12 12:42:54.223] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2014.11.12 12:42:54.223] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2014.11.12 12:42:54.223] -     ....................................
[2014.11.12 12:42:54.223] - 
[2014.11.12 12:42:54.224] - --------------------------------------------------------------------------------
[2014.11.12 12:42:54.224] - 
[2014.11.12 12:42:54.224] - INFO: OS: 6.1.7601 SP1
[2014.11.12 12:42:54.225] - INFO: Product Type: Workstation
[2014.11.12 12:42:54.225] - INFO: WoW64: True
[2014.11.12 12:42:54.225] - INFO: Machine guid: 8AC2136C-6DE3-429F-96AA-19342FD73B58 
[2014.11.12 12:42:54.226] - 
[2014.11.12 12:43:05.367] - INFO: Scanning for system infection...
[2014.11.12 12:43:05.367] - --------------------------------------------------------------------------------
[2014.11.12 12:43:05.368] - 
[2014.11.12 12:43:05.368] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.12 12:43:05.384] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.12 12:43:05.449] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.12 12:43:05.463] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.12 12:43:05.463] - INFO: Processing classes...
[2014.11.12 12:43:05.463] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}]
[2014.11.12 12:43:05.464] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{047466F1-82AE-455A-AFC4-D3AC463FBF6B}]
[2014.11.12 12:43:05.464] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}]
[2014.11.12 12:43:05.464] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{49BBAA3C-C574-419E-8378-783C362E9C15}]
[2014.11.12 12:43:05.464] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{4c60e5ab-5c68-4c59-abaa-885010b24b32}]
[2014.11.12 12:43:05.464] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}]
[2014.11.12 12:43:05.464] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}]
[2014.11.12 12:43:05.467] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}]
[2014.11.12 12:43:05.467] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.12 12:43:05.467] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.12 12:43:05.468] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.12 12:43:05.490] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.12 12:43:05.492] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.12 12:43:05.493] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.12 12:43:05.493] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.12 12:43:05.493] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.12 12:43:05.493] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.12 12:43:05.493] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.12 12:43:05.493] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.12 12:43:05.493] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.12 12:43:05.510] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.12 12:43:05.512] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.12 12:43:05.512] - INFO: Win32/Poweliks found
[2014.11.12 12:43:22.585] - INFO: process: dllhost.exe, pid 4156, parent 780
[2014.11.12 12:43:22.587] - INFO: process: dllhost.exe, pid 5908, parent 3312
[2014.11.12 12:43:22.587] - INFO: Terminated process pid = 5908
[2014.11.12 12:43:22.589] - INFO: process: dllhost.exe, pid 13920, parent 5908
[2014.11.12 12:43:22.590] - INFO: Terminated process pid = 13920
[2014.11.12 12:43:22.590] - INFO: process: dllhost.exe, pid 16304, parent 13920
[2014.11.12 12:43:22.591] - INFO: Terminated process pid = 16304
[2014.11.12 12:43:22.592] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.12 12:43:22.593] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.12 12:43:22.594] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.12 12:43:22.595] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.12 12:43:22.595] - INFO: Processing classes...
[2014.11.12 12:43:22.595] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}]
[2014.11.12 12:43:22.596] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{047466F1-82AE-455A-AFC4-D3AC463FBF6B}]
[2014.11.12 12:43:22.596] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}]
[2014.11.12 12:43:22.596] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{49BBAA3C-C574-419E-8378-783C362E9C15}]
[2014.11.12 12:43:22.596] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{4c60e5ab-5c68-4c59-abaa-885010b24b32}]
[2014.11.12 12:43:22.596] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}]
[2014.11.12 12:43:22.596] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}]
[2014.11.12 12:43:22.596] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}]
[2014.11.12 12:43:22.596] - INFO: Processing clsid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.12 12:43:22.596] - INFO: Deleted classid [\Registry\User\S-1-5-21-3872061089-1975043658-3942632308-1005\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.12 12:43:22.684] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.12 12:43:22.684] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.12 12:43:22.684] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.12 12:43:22.684] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.12 12:43:22.685] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.12 12:43:22.685] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.12 12:43:22.685] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.12 12:43:22.685] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.12 12:43:22.685] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.12 12:43:22.685] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.12 12:43:22.686] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.12 12:43:22.686] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.12 12:43:22.686] - INFO: Cleaning status: 0
[2014.11.12 12:43:26.853] - End
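Two things in the ESET log above are worth being able to check by hand, before or after running a cleaner: dllhost.exe processes whose parent is another dllhost.exe (the log shows the chain pid 5908 -> 13920 -> 16304 being terminated), and a CLSID {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} registered in the user's own hive (\Registry\User\S-1-5-21-...\SOFTWARE\Classes\CLSID) alongside the machine-wide one under HKLM. Because HKCU\Software\Classes is merged ahead of HKLM\Software\Classes when Windows resolves a class, a per-user copy of a CLSID shadows the legitimate registration without needing admin rights. The PowerShell triage script below is an added example, not part of this thread and not ESET's or Norton's code; it assumes a Windows 7 or later host with the CIM cmdlets available, and is run as the affected user so that HKCU: points at the hive that was flagged.

```powershell
# Added triage script (example only; not from the thread or from ESET).
# Checks the two Poweliks indicators that appear in the ESET log:
#   1. dllhost.exe spawned by dllhost.exe
#   2. a per-user CLSID override shadowing the HKLM registration
# Run as the affected user; no elevation needed for the HKCU checks.

$ClsidOfInterest = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'   # the class the ESET log flagged

# --- 1. Process chain: COM Surrogate instances and their parents -----------
# A legitimate dllhost.exe is started by the client that needs the out-of-process
# server (often svchost.exe or explorer.exe), not by a previous dllhost.exe.
# The "*32" suffix in Task Manager means the SysWOW64 copy; CommandLine shows which.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$chains = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'dllhost.exe' })) {
    $parent = $byPid[[int]$p.ParentProcessId]   # $null if the parent already exited
    [pscustomobject]@{
        Pid         = $p.ProcessId
        ParentPid   = $p.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
        CommandLine = $p.CommandLine
        Suspicious  = [bool]($parent -and $parent.Name -ieq 'dllhost.exe')
    }
}
"== dllhost.exe instances =="
$chains | Format-Table -AutoSize | Out-String

# --- 2. Per-user COM override of the flagged CLSID ---------------------------
# On a clean machine the class exists under HKLM only; any key under
# HKCU\Software\Classes\CLSID with the same GUID takes precedence over it.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = Join-Path $hive "Software\Classes\CLSID\$ClsidOfInterest"
    if (-not (Test-Path -Path $key)) {
        "$hive : no key for $ClsidOfInterest"
        continue
    }
    "$hive : key present"
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $subKey = Join-Path $key $sub
        if (Test-Path -Path $subKey) {
            # The (default) value is the DLL or EXE COM will load for this class.
            $server = (Get-ItemProperty -Path $subKey).'(default)'
            "    $sub default = $server"
        }
    }
    # List every named value under the CLSID itself with its length: a legitimate
    # registration holds a short display name or a path, so an unusually long
    # string (or an unreadable value name) stands out for manual review.
    $item = Get-Item -Path $key
    foreach ($name in $item.Property) {
        $value = (Get-ItemProperty -Path $key).$name
        $len   = ([string]$value).Length
        "    value '$name' length=$len"
    }
}
```

The script only reports; it deletes nothing. If section 1 shows a Suspicious = True chain or section 2 shows an HKCU: key for the class, that matches what the ESET log found, and the removal tool (or the Symantec one linked later in the thread) is still the right way to clean it, since the persistence lives in the registry rather than in a file you could simply delete.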


#10 technonymous

technonymous

  • Members
  • 2,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 12 November 2014 - 01:13 PM

@technonymous

 

The COM Surrogate infection she posted about is another name for Poweliks; this runs the dllhost.exe you see up there.  The ESET Powelikscleaner should resolve this.

 

I was thinking that Norton's NPE would blow it away. After looking further, Norton has a specific Poweliks removal tool as well. Thanks dc3.

 

http://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-0511-99


Edited by technonymous, 12 November 2014 - 01:26 PM.


#11 proaspen

proaspen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Grand Haven, MI
  • Local time:12:37 PM

Posted 12 November 2014 - 01:28 PM

technonymous:  I did run Norton's NPE (was part of my Norton toolset).  It didn't find anything.



#12 technonymous

technonymous

  • Members
  • 2,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 12 November 2014 - 02:05 PM

technonymous:  I did run Norton's NPE (was part of my Norton toolset).  It didn't find anything.

Yes, some of these viruses need a specific tool to remove them, as dc3 suggested. Overall that doesn't mean NPE is bad. ESET has a tool, as well as Norton and others, I am sure. Once that is run, be sure to post another log.



#13 proaspen

proaspen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Grand Haven, MI
  • Local time:12:37 PM

Posted 12 November 2014 - 02:14 PM

technonymous:  Clarification please.  You said "Once that is ran be sure to post another log."  What should I run next?



#14 proaspen

proaspen
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Grand Haven, MI
  • Local time:12:37 PM

Posted 13 November 2014 - 10:02 AM

dc3 & technonymous:  Thank you for your assistance.  My wife's computer appears to be running normally now.  No more COM Surrogate processes, and no more virus attacks as before.  This is a great web site.  Take care.

 

Gary P.



#15 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:10:37 AM

Posted 13 November 2014 - 10:28 AM

Happy computing. :thumbup2:

