dllhost*32 COM surrogate virus

1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Code:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-1921318168-3897760291-1700651582-1005_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKU\S-1-5-21-1921318168-3897760291-1700651582-1005\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {A77A2EEB-83D9-48E2-96A9-F3ABF6AABE8A} URL = http://search.conduit.com/Results.aspx?ctid=CT3304763&SearchSource=45&UM=2&q={searchTerms}
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
C:\ProgramData\Windows Genuine Advantage
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
EmptyTemp:
CMD: bitsadmin /reset /allusers
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

=========================================

Scan with Combofix:
  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.
  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.
  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
  • When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
    (typical log location: C:\ComboFix.txt )
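The two FRST lines flagged "Poweliks?" above are worth understanding rather than just deleting: the CLSID's LocalServer32 value points rundll32 at a javascript: URL whose eval("...") string is stored with every character shifted by one code point. The following Python is an added analyst example, not code from the thread, from FRST or from any tool named here. It decodes the fragment FRST printed (the shift-by-one reading is an assumption drawn from the fragment itself) and flags LocalServer32 values of that shape in a constructed set of FRST-style lines; the CLSID and rundll32 string come from the thread, the closing of the eval string and the second line's GUID are made up.

```python
"""Added analyst example (not from the thread or from FRST): decode the shifted
payload fragment that FRST printed in the CustomCLSID line and flag LocalServer32
values that hand a javascript: URL to rundll32, the Poweliks persistence pattern."""
import re
from typing import List, Optional, Tuple

# Fragment exactly as it appears in the FRST output above (FRST truncates the value).
OBFUSCATED_FRAGMENT = "epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds"

# Constructed sample of FRST-style lines for the detector. The first line reuses the
# CLSID and rundll32 string from the thread; the closing ") and the second line's
# GUID are made up. The second line has the shape of an ordinary COM Surrogate
# registration (dllhost.exe /Processid:{...}), which is what a clean entry looks like.
SAMPLE_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-1921318168-3897760291-1700651582-1005_Classes\CLSID'
    r'\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe '
    r'javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds")',
    r'CustomCLSID: HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}'
    r'\localserver32 -> C:\Windows\SysWOW64\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000001}',
    r'Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File',
]

LOCALSERVER_RE = re.compile(r"localserver32\s*(?:->|:)\s*(.*)$", re.IGNORECASE)
# rundll32 being pointed at a script: URL instead of a DLL is the tell.
SCRIPT_URL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?:javascript|vbscript):", re.IGNORECASE)
EVAL_RE = re.compile(r'eval\("([^"]*)')


def shift_decode(text: str, shift: int = 1) -> str:
    """Reverse a per-character code-point shift. Assumption (ours, from reading the
    fragment): each character was stored one code point too high, so 'e' stands for
    'd', '/' for '.', '!' for a space, and so on."""
    return "".join(chr(ord(c) - shift) for c in text)


def decode_eval_fragment(line: str) -> Optional[str]:
    """Pull the string literal out of eval("...") in a log line and decode it."""
    m = EVAL_RE.search(line)
    return shift_decode(m.group(1)) if m else None


def find_suspicious_localserver32(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (line, decoded payload or None) for every LocalServer32 value that
    launches rundll32 with a script: URL. Ordinary dllhost.exe /Processid entries
    do not match."""
    hits = []
    for line in lines:
        m = LOCALSERVER_RE.search(line)
        if m and SCRIPT_URL_RE.search(m.group(1)):
            hits.append((line, decode_eval_fragment(line)))
    return hits


if __name__ == "__main__":
    print("fragment decodes to:", shift_decode(OBFUSCATED_FRAGMENT))
    for line, payload in find_suspicious_localserver32(SAMPLE_LINES):
        print("SUSPICIOUS:", line[:80], "...")
        print("  decoded payload:", payload)
```

Run it on the fragment above and the shifted text reads as the start of a `document.write('<script language=jscr` call, which is why FRST put a question mark next to it: a COM class whose server is a script fed to rundll32, not a DLL, has no legitimate reason to exist. The second constructed line shows the contrast: a real COM Surrogate registration names dllhost.exe with a /Processid argument, and dllhost.exe in C:\Windows\SysWOW64 is the 32-bit surrogate host on 64-bit Windows (the "dllhost.exe*32" seen in Task Manager), so the binary itself is expected; what mattered in this infection was the CLSID entry that made the surrogate run the script, which the fix removes.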
 
It seems to be OK. There is a dllhost.exe*32 COM surrogate running by SYSTEM. But just 1. Scanning a photo went normally and they didn't reproduce a bunch of others. Thanks.
 
It is necessary to uninstall ComboFix :
  • Click Start (or the Vista Start button) then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.
  • In the line of text type in (Copy) the following:

    Code:
    ComboFix /Uninstall
    Note that there is a space between " ComboFix " and " /Uninstall " .
  • then click OK (or press Enter ).

Wait for the uninstall process to complete.

=================================

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 
I uninstalled combofix and downloaded and ran DelFix. Everything seems to be working fine.

I have 1 question. I still have a dllhost in the C:\windows\syswow64 folder and it starts whenever I restart the computer. It is in the task manager as dllhost.exe*32 COM surrogate. This is the COM surrogate from the exact location that was part of the virus. Should I be worried about this or is it a normal part of computer startup? Thanks so much for all your help.

-Gary