dllhost.exe *32 COM Surrogate

hotpepper78

New Member
Thread author
Oct 30, 2014
I noticed multiple instances of dllhost.exe *32 COM Surrogate as well as one instance of dllhost.exe COM Surrogate in Task Manager. I can end the processes, but they always return. Attached are the requested logs. I appreciate any help.
 


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Code:
CloseProcesses:
HKU\S-1-5-21-2851400961-1936424154-3891487375-1001\...\MountPoints2: {1d76d900-8274-11e0-ab03-d48564163607} - M:\LaunchU3.exe -a
HKU\S-1-5-21-2851400961-1936424154-3891487375-1001\...\MountPoints2: {b461af6c-9ac8-11e2-b15a-6805ca0aba78} - M:\setup.exe -a
HKU\S-1-5-21-2851400961-1936424154-3891487375-1001\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-2851400961-1936424154-3891487375-1001\$a9c2676f7d24b3810fd6612be08184a6\n. ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-2851400961-1936424154-3891487375-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKLM-x32 - {41258EF5-C37C-4C55-9888-694F312D71A9} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {41258EF5-C37C-4C55-9888-694F312D71A9} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
U3 aswMBR; \??\C:\Users\Gabriel\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\Gabriel\AppData\Local\Temp\aswVmm.sys [X]
C:\$Recycle.Bin\S-1-5-21-2851400961-1936424154-3891487375-1001\$a9c2676f7d24b3810fd6612be08184a6
EmptyTemp:
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.








Scan with Combofix:
  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.
  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.
  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
  • When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
    (typical log location: C:\ComboFix.txt )
 
The CPU is running at normal % and the fan is not running. But when I open Task Manager, I see an instance of dllhost.exe COM Surrogate. It isn't using any of the CPU and by the time I click on it to End Process, it goes away. This happens when I restart the system and initially open Task Manager. I do not see it after its initial appearance (re-opening Task Manager). Any ideas?
 
Please download Zoek tool by Smeenk from here and save it to your Desktop.
[Unpack the archive...
  • Close any open browsers and temporarily disable your AntiVirus program. (if it is necessary)
    If you are unsure how to do this please read this or this Instruction.
  • Double click on zoek.exe to run the tool. Please wait while the tool starts...
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:

    Code:
    createsrpoint;
    emptyfolderscheck;delete
    autoclean;
    emptyclsid;
    emptyalltemp;
    ipconfig /flushdns;b

  • Click on the Run Script button.
    Please wait until a log report opens (this can be after a reboot).
  • Save the Notepad file to your Desktop and attach zoek-results.log here.
    Note: It will also create a log in the C:\ directory named "zoek-results.log"
 
argus: Thank you for all of your help thus far. I am attaching the requested log. I opened Task Manager a few more times and saw "dllhost.exe COM Surrogate" however, I do not see "dllhost *32 COM Surrogate." I can usually get it to display in Task Manager as soon as I open Internet Explorer. It does not stay in Task Manager very long (few seconds). Is it possible that this is a normal process (as opposed to dllhost.exe *32)? I also ran FRST again (log attached) after I ran Zoek. If you search the FRST log, it shows two instances of dllhost.exe. Here is an excerpt from the FRST log:
S3 COMSysApp; C:\Windows\system32\dllhost.exe [9728 2009-07-13] (Microsoft Corporation)
S3 COMSysApp; C:\Windows\SysWOW64\dllhost.exe [7168 2009-07-13] (Microsoft Corporation)
 


Code:
S3 COMSysApp; C:\Windows\system32\dllhost.exe [9728 2009-07-13] (Microsoft Corporation)
S3 COMSysApp; C:\Windows\SysWOW64\dllhost.exe [7168 2009-07-13] (Microsoft Corporation)


This is legitimate.



How's your computer behaving now?
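
The two kinds of entry discussed in this thread (COM server registrations flagged in the fixlist, and the dllhost.exe paths confirmed as legitimate) can be triaged from FRST-style log lines. The following is an added example, not part of the original posts and not FRST's own logic; the tag names, the heuristics and every sample line are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines in the style of the log excerpts quoted in this thread.
# SIDs, CLSIDs and folder names are placeholders, not values from a real machine.
SAMPLE_LINES = [
    r"HKU\S-1-5-21-0-0-0-1001\...\{00000000-0000-0000-0000-000000000001}\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-0-0-0-1001\$0123abcd\n.",
    r"HKU\S-1-5-21-0-0-0-1001\...\{00000000-0000-0000-0000-000000000002}\localserver32: rundll32.exe javascript:<placeholder>",
    r"S3 COMSysApp; C:\Windows\system32\dllhost.exe [9728 2009-07-13] (Microsoft Corporation)",
    r"S3 COMSysApp; C:\Windows\SysWOW64\dllhost.exe [7168 2009-07-13] (Microsoft Corporation)",
    r"S3 ExampleSvc; C:\Users\Public\dllhost.exe [1 2014-10-30] ()",
    r"HKU\S-1-5-21-0-0-0-1001\...\{00000000-0000-0000-0000-000000000003}\InprocServer32: [Default-shell32] C:\Windows\system32\shell32.dll",
]

# A COM server registration: "<key>\InprocServer32: <data>" or "<key>\LocalServer32: <data>".
COM_KEY = re.compile(r"\\(InprocServer32|LocalServer32):\s*(.*)$", re.IGNORECASE)
# Any full path ending in dllhost.exe (stops before the "[size date]" field).
DLLHOST_PATH = re.compile(r"([A-Za-z]:\\[^\[\]]*?\\dllhost\.exe)", re.IGNORECASE)
# The two image paths confirmed as legitimate in the thread (64-bit and 32-bit).
EXPECTED_DLLHOST = {
    r"c:\windows\system32\dllhost.exe",
    r"c:\windows\syswow64\dllhost.exe",
}

def classify(line: str) -> Optional[str]:
    """Return a tag for a suspicious line, or None if nothing stands out."""
    com = COM_KEY.search(line)
    if com:
        data = com.group(2).lower()
        # A COM server whose "binary" is rundll32 evaluating script has no file on disk.
        if "rundll32" in data and "javascript:" in data:
            return "com-server-script-launcher"
        # A COM server DLL has no business living inside the Recycle Bin.
        if "\\$recycle.bin\\" in data:
            return "com-server-in-recycle-bin"
        return None
    path = DLLHOST_PATH.search(line)
    if path and path.group(1).lower() not in EXPECTED_DLLHOST:
        return "dllhost-unexpected-path"
    return None

def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, tag) for every flagged line."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, tag) for n, tag in hits if tag]
```

A dllhost.exe path under system32 or SysWOW64 only identifies the binary; it says nothing about what the surrogate process has loaded, so the registry checks matter independently of the path check.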
 
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


Thanks :)
 