It got me too, dllhost.exe com surrogate help needed please

SFnew

New Member
Thread author
Verified
Nov 2, 2014
21
Hello, any help would be greatly appreciated.

Logs are attached. Thanks.
 

Attachments

  • Addition.txt
    25.3 KB · Views: 51
  • FRST.txt
    38.3 KB · Views: 36

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Code:
Start
CustomCLSID: HKU\S-1-5-21-3982674863-3394640220-3061210404-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {8A33A367-144B-4AA8-9E53-949F43B8E733} - System32\Tasks\{ADE3AE3C-4120-FFD1-F498-F0AD5FD7842D} => C:\Users\Scott\AppData\Roaming\bnlct.dll [2014-10-28] () <==== ATTENTION
Task: {B32F1978-2D02-4247-B25B-85DE5B4587FB} - System32\Tasks\DSite => C:\Users\Scott\AppData\Roaming\DSite\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
HKU\S-1-5-21-3982674863-3394640220-3061210404-1001\...\Run: [BOOTdtsh] => C:\Users\Scott\AppData\Local\Temp\cmdir_35.exe [286750 2014-11-02] (bhyvgtcfrd) <===== ATTENTION
C:\Users\Scott\AppData\Local\Temp\cmdir_35.exe
HKU\S-1-5-21-3982674863-3394640220-3061210404-1001\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x00000000
HKU\S-1-5-21-3982674863-3394640220-3061210404-1001\...\MountPoints2: {9655c5ce-c3d6-11e3-b3d7-d4bed9d13827} - G:\VZW_Software_upgrade_assistant_installer.exe
HKU\S-1-5-21-3982674863-3394640220-3061210404-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
C:\ProgramData\Windows Genuine Advantage
C:\Users\Scott\AppData\Roaming\bnlct.dll
C:\Windows\System32\Tasks\{ADE3AE3C-4120-FFD1-F498-F0AD5FD7842D}
C:\Users\Scott\AppData\Roaming\krskxsy.dll15
C:\Users\Scott\AppData\Local\Temp\cmdir_35.exe
EmptyTemp:
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
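Added here as an illustration, not code from this thread, from FRST or from MalwareTips: a small Python triage helper that flags a CustomCLSID LocalServer32 value of the shape quoted in the fixlist above (rundll32.exe launched with a javascript: moniker instead of a real executable) and shows that the visible eval() fragment is simply the text `document.write('<script language=jscr` with every character code shifted up by one. The sample lines are constructed for the demo (SID shortened); only the quoted fragment and CLSID come from the thread.

```python
import re

# Constructed FRST-style lines for the demo. The first mirrors the CustomCLSID
# entry quoted in this thread (fragment reproduced as posted, SID shortened);
# the second is a constructed benign LocalServer32 registration.
SAMPLE_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-0-0-0-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r'CustomCLSID: HKU\S-1-5-21-0-0-0-1001_Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\localserver32 -> C:\Program Files\Vendor\app.exe',
]

# A LocalServer32 value normally names an executable on disk; one that hands
# rundll32 a javascript: moniker runs script stored in the registry instead.
SUSPICIOUS = re.compile(
    r'\\localserver32\b.*->\s*rundll32\.exe\s+javascript:', re.IGNORECASE)
CLSID = re.compile(r'(\{[0-9A-F-]{36}\})', re.IGNORECASE)
EVAL_ARG = re.compile(r'eval\("([^"]*)')


def shift_decode(fragment, shift=1):
    """Undo a per-character code shift (the quoted fragment uses +1)."""
    return ''.join(chr(ord(c) - shift) for c in fragment)


def triage_line(line):
    """Return (clsid, decoded eval fragment) for a suspicious line, else None."""
    if not SUSPICIOUS.search(line):
        return None
    clsid = CLSID.search(line)
    evald = EVAL_ARG.search(line)
    decoded = shift_decode(evald.group(1)) if evald else ''
    return (clsid.group(1) if clsid else '?', decoded)


def triage(lines):
    """Run triage_line over a list of FRST-style lines and keep the hits."""
    return [hit for hit in map(triage_line, lines) if hit]


if __name__ == '__main__':
    for clsid, decoded in triage(SAMPLE_LINES):
        print(f'{clsid}: {decoded!r}')
```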
 

SFnew

New Member
Thread author
Verified
Nov 2, 2014
21
Hi argus,

Thanks for your help. Here is the fixlog.
 

Attachments

  • Fixlog.txt
    5.2 KB · Views: 86

SFnew

New Member
Thread author
Verified
Nov 2, 2014
21
Task Mgr showed just 2 instances of dllhost.exe COM Surrogate and I ended one; the other disappeared, I think. It doesn't appear to be popping up at the moment.

Still many instances of svchost.exe. Prior to the fix there were some instances with me as the user. Now none have me as the user, only SYSTEM, LOCAL, and NETWORK.

System resources seem normal now, without all the hard drive reading like before.

I'm not done yet though...right? :)
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Scan with Combofix:
  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.
  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.
  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to this topic.
    (typical log location: C:\ComboFix.txt)
 

SFnew

New Member
Thread author
Verified
Nov 2, 2014
21
Also, in my initial specs listed at top, I mistakenly said 32-bit OS when I know now it's 64-bit.

But, you probably already figured that out I'll bet...
 

SFnew

New Member
Thread author
Verified
Nov 2, 2014
21
I disabled MSE and clicked your link to ComboFix. A pop-up says security settings won't allow downloads.
 

SFnew

New Member
Thread author
Verified
Nov 2, 2014
21
Pardon?

I had this happen yesterday, unable to do downloads. After another MalwareBytes scan last night that found and removed 10 threats, mostly Trojans, I was able to download. My Firefox install had been damaged by a system restore attempt so I was finally able to download it last night, but haven't installed yet. Should I install Firefox and try to download with Firefox?
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Yes, definitely install Firefox.

I think the system is clean, but I'll check again.

The COM Surrogate is a fancy name for a sacrificial process for a COM object that is run outside of the process that requested it. Explorer uses the COM Surrogate when extracting thumbnails, for example. If you go to a folder with thumbnails enabled, Explorer will fire off a COM Surrogate and use it to compute the thumbnails for the documents in the folder. It does this because Explorer has learned not to trust thumbnail extractors; they have a poor track record for stability.

Explorer has decided to absorb the performance penalty in exchange for the improved reliability that comes from moving these dodgy bits of code out of the main Explorer process. When the thumbnail extractor crashes, the crash destroys the COM Surrogate process instead of Explorer.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Please download MCShield from one of the following links:

MCShield -Official download link
  • Double click on MCShield-Setup to install the application.
    Next => I Agree => Next => Install ... per installation click on Run! button.
  • Wait a few seconds for MCShield to finish the initial HDD scan...
  • Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
  • When all scanning is done, you need to post the log report that MCShield has created.
Under the Logs tab (in Control Center), for the AllScans.txt log section click on the Save button. The AllScans.txt report will be located on your Desktop.

=> Post AllScans.txt here


Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
 

SFnew

New Member
Thread author
Verified
Nov 2, 2014
21
Still can't download with IE. I got MCShield using Firefox.

Here is the log.
 

Attachments

  • MCShield-AllScans.txt
    1.1 KB · Views: 29

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Download TDSSKiller and save it to your Desktop.

Execute TDSSKiller.exe by double-clicking on it.
Confirm the "End User Licence Agreement" and "KSN Statement" dialog boxes by clicking on the Accept button.
  • Under Additional options check the boxes next to:
    - Verify Driver Digital Signature;
    - Detect TDLFS file system
    - Use KSN to scan objects
  • Press Start Scan
  • If Suspicious object is detected, the default action will be Skip, click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.
 

SFnew

New Member
Thread author
Verified
Nov 2, 2014
21
Ok, got that done; log attached.
 

Attachments

  • TDSSKiller.3.0.0.41_03.11.2014_07.10.47_log.txt
    190.2 KB · Views: 31
