Operating System
Windows 7
Infection date and initial symptoms
11/1/2014 - PC running extremely slow, task manager shows websites that I never opened
Current issues and symptoms
PC is slow. Malwarebytes keeps popping up warning messages about sites being blocked.
Steps taken in order to remove the infection
Ran Malwarebytes and Symantec Antivirus.

yahooguy77

New Member
Hello,

My PC is infected with fff5ee.com and dllhost.exe*32 COM surrogate malware/virus. I installed Malwarebytes and it found some Trojan that was successfully deleted. However, I am now getting pop ups every 10-15 seconds saying fff5ee.com was blocked along with dllhost.exe.

I would really appreciate any help.

Thanks !
 


argus

Former MalwareTips Staff
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Code:
Start
CustomCLSID: HKU\S-1-5-21-2406282370-3556897769-3748389781-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {24B7B9AD-90BE-4E10-B9D1-8D4076B9DFED} - System32\Tasks\{DE903FDF-DFED-B39E-9CEB-3C7B3ACF476F} => C:\Users\Rajat\AppData\Roaming\rhjozbp.dll [2014-10-28] () <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKU\S-1-5-21-2406282370-3556897769-3748389781-1002\...\MountPoints2: {eac888c3-7e9f-11e3-95ae-00059a3c7a00} - D:\MotorolaDeviceManagerSetup.exe -a
HKU\S-1-5-21-2406282370-3556897769-3748389781-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll No File
C:\ProgramData\@system.temp
C:\ProgramData\@system3.att
C:\Users\Rajat\AppData\Roaming\FrameworkUpdate7
C:\Users\Rajat\AppData\Roaming\麽鎒駓覜
C:\Users\Rajat\AppData\Roaming\rhjozbp.dll
C:\Windows\System32\Tasks\{DE903FDF-DFED-B39E-9CEB-3C7B3ACF476F}
C:\Users\Rajat\AppData\Roaming\anisc.dll
C:\ProgramData\Windows Genuine Advantage
C:\Users\Rajat\gotomypc_626.exe
EmptyTemp:
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
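The two markers in the fixlist above (`<==== Poweliks` and `<==== ATTENTION`) are the indicators that matter in this thread: a CLSID LocalServer32 value that launches rundll32.exe with a javascript: URL (the Poweliks payload lives inside the registry value, so there is no file on disk to scan), and a scheduled task whose target is a DLL in the user's AppData folder. The following is an added example, not code from this thread or from the FRST authors, that scans FRST-style log lines for those two patterns. The first two sample lines are taken from the thread's FRST output with the encoded script payload truncated; the remaining sample lines are benign entries, and the last one is an invented placeholder task, included only to show that the scanner ignores them.

```python
import re

# Matches an FRST CLSID LocalServer32 entry. FRST prints it either as
#   "CustomCLSID: HKU\<SID>_Classes\CLSID\{GUID}\localserver32 -> <value>"
# or, in the registry section, as "...\{GUID}\localserver32: <value>".
# FRST may shorten the key with "...", so only the tail of the GUID is required.
LOCALSERVER_RE = re.compile(
    r"(?P<clsid>\{?[0-9A-Fa-f-]+\})\\localserver32\s*(?:->|:)\s*(?P<value>.+)$",
    re.IGNORECASE,
)
# Matches an FRST scheduled-task line: "Task: {GUID} - System32\Tasks\<name> => <target> ..."
TASK_RE = re.compile(
    r"^Task:\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<task>\S+)\s*=>\s*(?P<rest>.+)$",
    re.IGNORECASE,
)
# First Windows path ending in .dll or .exe inside the task target text.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)

# Script hosts that a Poweliks-style loader hands to rundll32.exe: the script is
# stored in the registry value itself, so nothing needs to exist on disk.
SCRIPT_MARKERS = ("javascript:", "vbscript:", "mshtml,runhtmlapplication")


def classify_line(line):
    """Return a finding dict for a suspicious FRST line, or None for a benign one."""
    m = LOCALSERVER_RE.search(line)
    if m:
        value = m.group("value")
        lowered = value.lower()
        if "rundll32" in lowered and any(marker in lowered for marker in SCRIPT_MARKERS):
            return {
                "kind": "fileless_clsid_hijack",
                "clsid": m.group("clsid"),
                "value": value[:80],  # truncated: the full value carries the encoded script
            }
        return None

    m = TASK_RE.match(line)
    if m:
        path_match = PATH_RE.search(m.group("rest"))
        if path_match:
            path = path_match.group(0)
            # A scheduled task whose target lives in a user-writable profile folder
            # is the second persistence hook the fixlist removes.
            if "\\appdata\\" in path.lower():
                return {"kind": "task_appdata_target", "task": m.group("task"), "path": path}
    return None


def scan_frst_lines(lines):
    """Run classify_line over every line; returns findings with 1-based line numbers."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = classify_line(line)
        if finding:
            finding["line"] = number
            findings.append(finding)
    return findings


# Constructed sample input (see the lead-in): lines 1-2 come from the thread's FRST
# output with the payload truncated, lines 3-4 are benign entries from the same
# output, and line 5 is an invented placeholder task.
SAMPLE_FRST_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-2406282370-3556897769-3748389781-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...") (payload truncated)',
    r'Task: {24B7B9AD-90BE-4E10-B9D1-8D4076B9DFED} - System32\Tasks\{DE903FDF-DFED-B39E-9CEB-3C7B3ACF476F} => C:\Users\Rajat\AppData\Roaming\rhjozbp.dll [2014-10-28] () <==== ATTENTION',
    r'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"',
    r'CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll No File',
    r'Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\PlaceholderUpdater => C:\Program Files\Placeholder\updater.exe [2014-09-01] (Placeholder Vendor)',
]

if __name__ == "__main__":
    for finding in scan_frst_lines(SAMPLE_FRST_LINES):
        print(finding)
```

The scanner only reads the log; deciding what to remove still belongs in a fixlist like the one above, and a LocalServer32 hit should be read together with the CLSID it hijacks, since the legitimate COM object is what keeps dllhost.exe (COM Surrogate) reloading the script.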
 

yahooguy77

New Member
Hi there,

I followed the instructions as you suggested and saved the fixlist.txt on my desktop. I ran FRST64 and pressed the Fix button. Attached is the Fixlog.txt. I started this process around 9am in the morning and left my laptop running. When I came back home and checked 4 hours later (around 1pm), my PC had automatically restarted. It prompted me to run FRST64 again, and as soon as I selected yes it said the process had completed and generated the fixlog.txt file.

I started the task manager and it still showed COM SURROGATE running under processes. While typing this email I checked a couple of times again and it showed the COM SURROGATE process once but it doesn't appear anymore. Also, my Malwarebytes doesn't show the fff5ee.com and dllhost.exe popup messages anymore.

How do I know if this has been successfully removed from my system as I saw the COM SURROGATE running under the processes a couple of times even though FRST64 said that the process was completed? I have looked 3 more times now and it doesn't appear.

Many thanks for your help and look forward to your response.
 


yahooguy77

New Member
wow - I also noticed that my hard drive had ~2.5 GB free space left for the last 2 weeks or so. After running this tool it now shows 15.9 GB free space which makes me think that the virus must have been on my computer for a while.
 

argus

Former MalwareTips Staff
EmptyTemp: => Removed 13.6 GB temporary data.
The system is clean


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Greetings.
 

yahooguy77

New Member
I ran Delfix and it removed the files I downloaded earlier. I checked the task manager and didn't find any instances of COM SURROGATE. Also MalwareBytes doesn't report any pop ups either.

Looks like the issue has been resolved. I can't thank you enough !
 

Cynthia

New Member
I am having the exact same problem. What information about my computer is needed in order to get this fixed before my system crashes? TIA
 

argus

Former MalwareTips Staff
@Cynthia

Hello,

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

============================================

Download Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.