dllhost/comsurrogate virus on windows 7


  • This topic is locked
5 replies to this topic

#1 comfycal

comfycal

  • Members
  • 3 posts
  • OFFLINE

Posted 12 February 2017 - 12:27 PM

Hello. For the past month or so, my computer has had moments where it randomly slows down until I open the task manager and see 2 instances of the process "commsurrogate." It regularly deletes itself whenever I open the task manager and the lag lets up, but it's been worse recently with more commsurrogate processes showing up. I have to keep my task manager open or else they'll just keep showing up and eating my memory. Same with "dllhost.exe" showing up and removing itself when I see it. 

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:41 PM

Posted 12 February 2017 - 01:34 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
CHR Extension: (BetterTTV) - C:\Users\Calvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2016-06-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Calvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-25]
CHR Extension: (Chrome Media Router) - C:\Users\Calvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-04]
OPR Extension: (BetterTTV) - C:\Users\Calvin\AppData\Roaming\Opera Software\Opera Stable\Extensions\deofbbdfofnmppcjbhjibgodpcdchjii [2016-01-19]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 PTSimBus; \SystemRoot\System32\drivers\PTSimBus.sys [X]
S3 PTSimHid; \SystemRoot\System32\drivers\PTSimHid.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
CustomCLSID: HKU\S-1-5-21-288663187-865454046-2718891224-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Calvin\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
FirewallRules: [TCP Query User{08AF534C-EF23-45D5-8464-B18C4C36EDD8}C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{6A5D21CC-4352-451A-8F1B-665D25D511A8}C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 51 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418051F0}) (Version: 8.0.510 - Oracle Corporation)
===

Please let me know what problem persists with this computer.
---

#3 comfycal

comfycal
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE

Posted 12 February 2017 - 07:25 PM

Hi. I uninstalled the old Java and installed the new one.

Fixlog.txt
 

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-02-2017
Ran by Calvin (12-02-2017 15:07:18) Run:1
Running from C:\Users\Calvin\Desktop
Loaded Profiles: Calvin (Available Profiles: Calvin)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM\...\Run: [] => [X]
CHR Extension: (BetterTTV) - C:\Users\Calvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2016-06-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Calvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-25]
CHR Extension: (Chrome Media Router) - C:\Users\Calvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-04]
OPR Extension: (BetterTTV) - C:\Users\Calvin\AppData\Roaming\Opera Software\Opera Stable\Extensions\deofbbdfofnmppcjbhjibgodpcdchjii [2016-01-19]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 PTSimBus; \SystemRoot\System32\drivers\PTSimBus.sys [X]
S3 PTSimHid; \SystemRoot\System32\drivers\PTSimHid.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
CustomCLSID: HKU\S-1-5-21-288663187-865454046-2718891224-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Calvin\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
FirewallRules: [TCP Query User{08AF534C-EF23-45D5-8464-B18C4C36EDD8}C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{6A5D21CC-4352-451A-8F1B-665D25D511A8}C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Users\Calvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped => moved successfully
C:\Users\Calvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Calvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
C:\Users\Calvin\AppData\Roaming\Opera Software\Opera Stable\Extensions\deofbbdfofnmppcjbhjibgodpcdchjii => moved successfully
HKLM\System\CurrentControlSet\Services\EagleX64 => key removed successfully
EagleX64 => service removed successfully
HKLM\System\CurrentControlSet\Services\PTSimBus => key removed successfully
PTSimBus => service removed successfully
HKLM\System\CurrentControlSet\Services\PTSimHid => key removed successfully
PTSimHid => service removed successfully
HKLM\System\CurrentControlSet\Services\xhunter1 => key removed successfully
xhunter1 => service removed successfully
HKU\S-1-5-21-288663187-865454046-2718891224-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4} => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{08AF534C-EF23-45D5-8464-B18C4C36EDD8}C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{6A5D21CC-4352-451A-8F1B-665D25D511A8}C:\users\calvin\downloads\runtime\jre-x64\1.8.0_25\bin\javaw.exe => value removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 85643728 B
Java, Flash, Steam htmlcache => 134029392 B
Windows/system/drivers => 7481036 B
Edge => 0 B
Chrome => 625659353 B
Firefox => 10335022 B
Opera => 507350736 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 239290 B
systemprofile32 => 560 B
LocalService => 3162 B
NetworkService => 0 B
Calvin => 22074071 B
 
RecycleBin => 32941077 B
EmptyTemp: => 1.3 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 15:08:47 ====

ReportRogue
 

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
 
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Calvin [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/12/2017 15:14:01 (Duration : 00:48:06)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 10 ¤¤¤
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-288663187-865454046-2718891224-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-288663187-865454046-2718891224-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-288663187-865454046-2718891224-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-288663187-865454046-2718891224-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1024 MB
1 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2099200 | Size: 100 MB
2 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2304000 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2566144 | Size: 942994 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1933817856 | Size: 9622 MB
User = LL1 ... OK
User = LL2 ... OK
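The two findings worth a closer look in this thread are the repeated dllhost.exe (COM Surrogate) instances the original poster saw in Task Manager, and the ConsentPromptBehaviorAdmin = 0 entry RogueKiller reported under PUM.Policies (UAC elevating administrators silently, without a prompt). The PowerShell below is an added, read-only triage script written for this page; it is not nasdaq's procedure and not output of FRST or RogueKiller. It assumes an elevated PowerShell 3.0 or later prompt on Windows 7/8.1 or newer, that a genuine COM Surrogate runs from System32 or SysWOW64 (the expected-path list is this example's assumption), and the Windows default of ConsentPromptBehaviorAdmin = 5 with EnableLUA = 1. It changes nothing; the remediation command is only printed.

```powershell
# Added example (not from the thread): read-only triage of dllhost.exe instances
# and of the UAC prompt setting RogueKiller flagged as PUM.Policies.
# Run from an elevated PowerShell prompt (PowerShell 3.0+ for Get-CimInstance).

# 1. Each dllhost.exe: image path, parent process, Authenticode status, command line.
#    Assumption for this example: a legitimate COM Surrogate lives under
#    %SystemRoot%\System32 or %SystemRoot%\SysWOW64 and is signed by Microsoft.
#    A copy running from a user profile or temp folder, an unsigned image, or
#    an unexpected parent is what a defender should look at first.
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\dllhost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\dllhost.exe')
)

Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $proc   = $_
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $sigStatus = if ($proc.ExecutablePath) {
        (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status
    } else {
        'unknown'   # ExecutablePath is empty when the image is not readable
    }
    [pscustomobject]@{
        PID          = $proc.ProcessId
        Parent       = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                       else { "<exited> ($($proc.ParentProcessId))" }
        Path         = $proc.ExecutablePath
        ExpectedPath = [bool]($expectedPaths -contains $proc.ExecutablePath)
        Signature    = $sigStatus
        CommandLine  = $proc.CommandLine
    }
} | Format-Table -AutoSize

# 2. UAC elevation behaviour for administrators.
#    ConsentPromptBehaviorAdmin = 0 means "elevate without prompting": any
#    process started by an admin account can silently gain full privileges.
#    The Windows default is 5 (prompt for consent for non-Windows binaries)
#    together with EnableLUA = 1.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin, EnableLUA

if ($uac.EnableLUA -ne 1 -or $uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning ("UAC is weakened: EnableLUA={0}, ConsentPromptBehaviorAdmin={1}" -f
        $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin)
    Write-Warning ("To restore the defaults (effective after a reboot), run: " +
        "Set-ItemProperty -Path '$uacKey' -Name ConsentPromptBehaviorAdmin -Value 5; " +
        "Set-ItemProperty -Path '$uacKey' -Name EnableLUA -Value 1")
} else {
    "UAC looks normal: EnableLUA={0}, ConsentPromptBehaviorAdmin={1}" -f
        $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin
}
```

The dllhost.exe table is only meaningful while the processes are alive, so run it while the slowdown is happening rather than after Task Manager has been opened and the instances have vanished. An expected path plus a Valid signature does not by itself clear a process, since a real COM Surrogate can be asked to host a malicious in-process COM server; in that case the /Processid:{CLSID} in the command line is the next thing to resolve in the registry. The toshiba13.msn.com home page entries in the same RogueKiller report are the OEM default and are not, on their own, a sign of compromise.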


#4 comfycal

comfycal
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE

Posted 12 February 2017 - 07:27 PM

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
 
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Calvin [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/12/2017 15:14:01 (Duration : 00:48:06)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 10 ¤¤¤
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-288663187-865454046-2718891224-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-288663187-865454046-2718891224-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-288663187-865454046-2718891224-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-288663187-865454046-2718891224-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com/?pc=TNJB  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1024 MB
1 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2099200 | Size: 100 MB
2 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2304000 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2566144 | Size: 942994 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1933817856 | Size: 9622 MB
User = LL1 ... OK
User = LL2 ... OK


#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:41 PM

Posted 13 February 2017 - 08:22 AM

Was your problem solved?

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:41 PM

Posted 19 February 2017 - 10:19 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
