dllhost.exe *32 COM surrogate virus

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
I need assistance to eliminate the dllhost.exe *32 COM surrogate virus.
Another symptom, get message saying your security settings do not allow this download.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
 

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
IE and the DVD didn't work but I did get the Farbar to run using Chrome. The two reports are attached. Thanks.
 

Attachments

  • FRST.txt (46.5 KB)
  • Addition.txt (28.6 KB)

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Code:
Start
CustomCLSID: HKU\S-1-5-21-959614479-2053488890-3420463721-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKU\S-1-5-21-959614479-2053488890-3420463721-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
C:\ProgramData\@system3.att
C:\Users\Teresa2\AppData\Roaming\FrameworkUpdate7
C:\ProgramData\@system.temp
C:\Users\Teresa2\AppData\Roaming\麽鎒駓覜
C:\ProgramData\Windows Genuine Advantage
EmptyTemp:
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
 
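As an added example (not part of the thread, and not FRST's own logic), a small Python triage routine that scans FRST-style CustomCLSID lines for a LocalServer32 value that launches rundll32 with a javascript: URL instead of pointing at an executable, the fileless persistence argus marked "Poweliks" above. The sample lines are constructed from the entry quoted in the fixlist plus one made-up benign entry; the shift-by-one decoder recovers only the prefix the log shows, since the log truncates the rest.

```python
import re
from typing import Dict, List

# Constructed FRST-style lines: the first is modelled on the CustomCLSID entry
# quoted in the thread (truncated exactly as the log truncates it); the second
# is a constructed benign LocalServer32 value for contrast.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-959614479-2053488890-3420463721-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters).
CustomCLSID: HKU\S-1-5-21-959614479-2053488890-3420463721-1000_Classes\CLSID\{00000000-1111-2222-3333-444444444444}\localserver32 -> C:\Program Files\ExampleApp\example.exe /embedding
"""

# Key path ending in CLSID\{guid}\LocalServer32, then "->" or ":" and the value.
KEY_RE = re.compile(
    r"(HK[^\s]*?\\CLSID\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\\LocalServer32)\s*(?:->|:)\s*(.*)$",
    re.IGNORECASE,
)
# A COM local server that runs rundll32 with a javascript: URL, or calls the
# mshtml RunHTMLApplication export, is a script launcher, not a real binary.
FILELESS_RE = re.compile(
    r"rundll32(?:\.exe)?\s+javascript:|mshtml\s*,\s*RunHTMLApplication",
    re.IGNORECASE,
)
EVAL_RE = re.compile(r'eval\("(\S+)')


def shift_decode(text: str, shift: int = 1) -> str:
    """Reverse the per-character shift used in the quoted sample (each char +1)."""
    return "".join(chr(ord(c) - shift) for c in text)


def find_fileless_localserver(log_text: str) -> List[Dict[str, str]]:
    """Return each LocalServer32 line whose value is a script launcher."""
    hits = []
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if not m or not FILELESS_RE.search(m.group(3)):
            continue
        key, clsid, value = m.groups()
        enc = EVAL_RE.search(value)
        hits.append({
            "key": key,
            "clsid": clsid,
            "value": value,
            # Only the visible part of the eval() argument can be decoded.
            "decoded_prefix": shift_decode(enc.group(1)) if enc else "",
        })
    return hits


if __name__ == "__main__":
    for hit in find_fileless_localserver(SAMPLE_LOG):
        print(hit["clsid"], "->", hit["decoded_prefix"])
```

The decoded prefix of the quoted entry reads as the start of a document.write() call that injects a script block, which is why a LocalServer32 value like this belongs in the fixlist rather than on disk.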

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
How long should it run? I am still seeing dllhost.exe*32 COM Surrogate still replicating and the CPU is at 100%, but I don't see any activity from the FRST process. Is this normal? It's been about 15 minutes. Thanks.
 

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
Apparently the "Fix" command didn't start it the first time, I noticed that with other commands, I believe due to the virus. I clicked on it again and this time it clearly did start and ran completely, as well as the reboot. Attached is the log.
 

Attachments

  • Fixlog.txt (2.1 KB)

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
I've been checking several things. The dllhost.exe*32 COM surrogate is not replicating or running anymore. However, I am getting the same error message when trying to download some attachments or, for example, a virus cleaner such as Malwarebytes. The message says, "Your security settings do not allow this file to be downloaded." I hadn't gotten that message before, so I attributed that to the virus. It doesn't give me any option to change a setting or go ahead with the download, just close the window. I am currently using Microsoft security essentials. Is that a common message with that virus protection? I had to switch from McAfee a couple weeks ago when the subscription expired.
Thanks.
 

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
The virus must have reset settings in IE 11. I re-ran Malwarebytes and SuperAntiSpyware and all was clean. I uninstalled IE 11 and reinstalled, with the same results. I then changed the Custom Level setting for Downloads in the Internet Options settings for IE 11 and I can get downloads. I didn't manually change this initially, so some virus may have changed some IE settings prior to all the cleaning. Thank you so much for eliminating the dllhost.exe*32 COM Surrogate virus. That's a nasty and prolific one apparently. Thanks much!!
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds while the programme completes its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


Cheers!
 

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
I can't believe this. I wasn't on the computer all day long, just got on and the dllhost.exe *32 COM Surrogate virus is back. Where is this coming from?!? Can you help me get rid of this again? Thanks.
 

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
I downloaded the Farbar again and here are the two files.
It looks like this virus does change the settings in IE 11, specifically the Download setting in Internet Options, since it couldn't download the Farbar again.
 

Attachments

  • FRST.txt (49.8 KB)
  • Addition.txt (30.4 KB)

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Code:
Start
C:\Users\Teresa2\AppData\Roaming\麽鎒駓覜
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

==============================

Scan with Combofix:
  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.
  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.
  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
  • When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
    (typical log location: C:\ComboFix.txt )
 

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
I have run the FRST/FRST64 fix and the ComboFix and the resulting logs are attached. Thanks much.
 

Attachments

  • Fixlog.txt (764 bytes)
  • ComboFix.txt (25.4 KB)

Jeh0

New Member
Thread author
Verified
Oct 31, 2014
38
Earlier, when I first logged onto my email, a popup with a survey came up, without me opening an email. I just checked off junk mail and deleted them, and the popup disappeared. That didn't happen normally until after this virus started. When I checked the task manager just now, I believe there was a dllhost.exe*32 COM Surrogate which quickly disappeared, but now I just got a pop-up window that is (supposedly) from McAfee and it says "Trojan Detected, Artemis!F551627600A8 Quarantined From: C:\Users\Teresa2\Desktop\ComboFix.exe McAfee detected an infected file on you PC. Restart your PC so we can fix it."
Should I restart the PC?
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Should I restart the PC?

False positive: Combofix is considered to be a threat.


It is necessary to uninstall ComboFix :
  • Click Start, then Run.


    On Windows7 or Vista you may use Start Search field if Run is not available.
  • In the line of text type in (Copy) the following:

    Code:
    ComboFix /Uninstall
    Note that there is a space between " ComboFix " and " /Uninstall " .
  • then click OK (or press Enter ).

Wait for the uninstall process to complete.


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds while the programme completes its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 
