dllhost.exe *32 COM surrogate virus
- Thread starter Jeh0
- Start date
Please download Farbar Recovery Scan Tool (
) by Farbar and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Code:
Start
CustomCLSID: HKU\S-1-5-21-959614479-2053488890-3420463721-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKU\S-1-5-21-959614479-2053488890-3420463721-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
C:\ProgramData\@system3.att
C:\Users\Teresa2\AppData\Roaming\FrameworkUpdate7
C:\ProgramData\@system.temp
C:\Users\Teresa2\AppData\Roaming\麽鎒駓覜
C:\ProgramData\Windows Genuine Advantage
EmptyTemp:
EndNOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Apparently the "Fix" command didn't start it the first time, I noticed that with other commands, I believe due to the virus. I clicked on it again and this time it clearly did start and ran completely, as well as the reboot. Attached is the log.
I've been checking several things. The dllhost.exe*32 COM surrogate is not replicating or running anymore. However, I am getting the same error message when trying to download some attachments or, for example, a virus cleaner such as Malwarebytes. The message says, "Your security settings do not allow this file to be downloaded." I hadn't gotten that message before, so I attributed that to the virus. It doesn't give me any option to change a setting or go ahead with the download, just close the window. I am currently using Microsoft security essentials. Is that a common message with that virus protection? I had to switch from McAfee a couple weeks ago when the subscription expired.
Thanks.
Thanks.
The virus must have reset settings in IE 11. I re-ran Malwarbytes and SuperAntiSpyware and all was clean. I uninstalled IE 11 and reinstalled, with same results. I then changed Custom Level setting for Downloads in Internet Options settings for IE 11 and I can get downloads. I didn't manually change this initially, so some virus may have changed some IE settings prior to all the cleaning. Thank you so much for eliminating the dllhost.exe*32 COM Surrogate virus. That's a nasty and prolific one apparently. Thanks much!!
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.
Cheers!
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes below;
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.
Cheers!
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
==============================
Scan with Combofix:
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Code:
Start
C:\Users\Teresa2\AppData\Roaming\麽鎒駓覜
EndNOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
==============================
Scan with Combofix:
- Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.
- Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
- When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
(typical log location: C:\ComboFix.txt )
Earlier, when I first logged onto my email, a popup with a survey came up, without me opening an email. I just checked off junk mail and deleted them, and the popup disappeared. That didn't happen normally until after this virus started. When I checked the task manager just now, I believe there was a dllhost.exe*32 COM Surrogate which quickly disappeared, but now I just got a pop-up[ window that is (supposedly) from McAfee and it says" Trojan Detected, Artemis!F551627600A8 Quarantined From: C:\Users\Teresa2\Desktop\ComboFix.exe McAfee detected an infected file on you PC. Restart your PC so we can fix it."
Should I restart the PC?
Should I restart the PC?
Last edited:
False positive, Combofix considered to be a threat
It is necessary to uninstall ComboFix :
- Click Start (or ) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
Note that there is a space between " ComboFix " and " /Uninstall " .Code:ComboFix /Uninstall
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes below;
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.
You may also like...
-
X Warns Users With Security Keys to Re-Enroll Before November 10 to Avoid Lockouts- Started by Brownie2019
- Replies: 6
-
Help with Samsung phone infected by a fake scanner app
- Started by Pirate pete
- Replies: 1
-
-
Trust Wallet says 2596 wallets drained in $7 million crypto theft attack- Started by enaph
- Replies: 1
-