Yet another dllhost.exe *32, COM Surrogate infection

Scott Fulmar

New Member
Thread author
Nov 1, 2014
14
10/28/2014 - Noticed first warning from Norton that an intrusion attempt was blocked. After this, they quickly became a regular occurrence, happening anywhere from every few hours to every few minutes. Offenders include "f0fff0," "fffSee," and various basic IP addresses.

After I did some Google searching, I found other people with the same problem who mentioned system slow-down and multiple instances of dllhost.exe *32 processes (Description: COM Surrogate) running simultaneously, so I checked my processes and found that the same thing was happening to me. At any given time I have anywhere from 5 to 20 instances of dllhost.exe *32 running and an abnormal amount of system RAM and (sometimes) CPU usage (I'm not sure what the typical amount of RAM usage is for my system because I never looked before this, but I know it can't be 5 to 13 GB like it is now).

Also, I don't know if it's related in any way, but my Norton security history also shows an ungodly amount of "Unauthorized access blocked (Open File)," going back as far as 7/7/2014. When a batch of these starts, they happen every couple of seconds and last various lengths of time.

By the way, the link here that was supposed to take me to a page with links for FRST, AdwCleaner, and aswMBR only had a link to FRST. That's why I didn't include scan uploads from the other two tools.

And be gentle with me, this stuff is all very new to me. I apologize in advance if I've broken any protocols in the creation or content of this thread.
 

Attachments

  • FRST.txt (53.8 KB)
  • Addition.txt (37.8 KB)

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Hello,


1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Code:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-1694738286-2817436500-2895535820-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKU\S-1-5-21-1694738286-2817436500-2895535820-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
S3 DAUpdaterSvc; C:\Program Files (x86)\Steam\steamapps\common\Dragon Age Origins\bin_ship\DAUpdaterSvc.Service.exe [X]
R3 WinHttpAutoProxySvc; winhttp.dll [X]
C:\Windows\system32\perfh00A.dat
C:\Windows\system32\perfh013.dat
C:\Windows\system32\perfh015.dat
C:\Windows\system32\prfh0816.dat
C:\Windows\system32\perfh019.dat
C:\Windows\system32\prfh0416.dat
C:\Windows\system32\perfh00E.dat
C:\Windows\system32\perfh005.dat
C:\Windows\system32\perfh01D.dat
C:\Windows\system32\perfh01F.dat
C:\Windows\system32\perfh008.dat
C:\Windows\system32\perfh006.dat
C:\Windows\system32\perfh014.dat
C:\Windows\system32\perfh00B.dat
C:\Windows\system32\perfh012.dat
C:\Windows\system32\perfh011.dat
C:\Windows\system32\prfh0404.dat
C:\Windows\system32\prfh0804.dat
C:\Windows\system32\perfc00E.dat
C:\Windows\system32\perfc00A.dat
C:\Windows\system32\perfc015.dat
C:\Windows\system32\perfc013.dat
C:\Windows\system32\perfc019.dat
C:\Windows\system32\prfc0816.dat
C:\Windows\system32\prfc0416.dat
C:\Windows\system32\perfc005.dat
C:\Windows\system32\perfc01D.dat
C:\Windows\system32\perfc01F.dat
C:\Windows\system32\perfc011.dat
C:\Windows\system32\perfc008.dat
C:\Windows\system32\perfc012.dat
C:\Windows\system32\prfc0804.dat
C:\Windows\system32\prfc0404.dat
C:\Windows\system32\perfc00B.dat
C:\Windows\system32\perfc006.dat
C:\Windows\system32\perfc014.dat
C:\Windows\system32\perfh00D.dat
C:\Windows\system32\perfc00D.dat
C:\Windows\system32\perfh010.dat
C:\Windows\system32\perfc010.dat
C:\Windows\system32\perfh00C.dat
C:\Windows\system32\perfh001.dat
C:\Windows\system32\perfc00C.dat
C:\Windows\system32\perfc001.dat
C:\Windows\system32\perfh007.dat
C:\Windows\system32\perfc007.dat
C:\Users\Scott\drm_dyndata_7380014.dll
EmptyTemp:
CMD: bitsadmin /reset /allusers
2. Save notepad as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
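Added example, not part of the thread and not FRST's own code: a small Python triage script that scans constructed FRST-style CustomCLSID lines for the script-hosting LocalServer32 pattern seen in the fix above (rundll32.exe loading mshtml,RunHTMLApplication with a javascript: payload instead of pointing at a real binary), and undoes the one-character shift in the eval() string so an analyst can read what it starts with. The SID and the second CLSID are placeholders.

```python
import re

# Constructed FRST-style lines, modelled on the CustomCLSID entries in the fix above.
# The SID and the second CLSID are placeholders; the first value is the Poweliks-style
# script-hosting pattern, the second is a normal LocalServer32 pointing at a binary.
SAMPLE_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-0-0-0-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 '
    r'-> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds")',
    r'CustomCLSID: HKU\S-1-5-21-0-0-0-1001_Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}\localserver32 '
    r'-> C:\Program Files\Vendor\helper.exe',
]

# Matches both "...\localserver32 -> value" and "...\localserver32: value" forms.
ENTRY_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]+\})\\localserver32\s*(?:->|:)\s*(.*)$', re.I)

# Traits of a script-hosting LocalServer32 value: a script: protocol handler and
# the HTA host (mshtml,RunHTMLApplication) being loaded through rundll32.
SUSPICIOUS_MARKERS = ("javascript:", "vbscript:", "mshtml,runhtmlapplication")


def classify_value(value):
    """Return the markers found in a LocalServer32 command line (empty if benign)."""
    lowered = value.lower()
    hits = [m for m in SUSPICIOUS_MARKERS if m in lowered]
    if hits and lowered.startswith("rundll32"):
        hits.append("rundll32-script-host")
    return hits


def scan_lines(lines):
    """Return one finding per CLSID whose LocalServer32 value is script-based."""
    findings = []
    for line in lines:
        m = ENTRY_RE.search(line)
        if not m:
            continue
        clsid, value = m.group(1), m.group(2).strip()
        markers = classify_value(value)
        if markers:
            findings.append({"clsid": clsid, "value": value, "markers": markers})
    return findings


def unshift(text, shift=1):
    """Undo the per-character +1 shift used on the eval() string in the fix above."""
    return "".join(chr(ord(c) - shift) for c in text)


def decode_eval_args(value):
    """Recover readable text from the shifted literals passed to eval()."""
    return [unshift(s) for s in re.findall(r'eval\("([^"]*)"', value)]
```

Running scan_lines(SAMPLE_LINES) flags only the first entry; decode_eval_args on its value turns the shifted blob into a readable document.write('<script language=jscr prefix, which is what the thumbnail-cache CLSID should never be launching.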
 

Scott Fulmar

New Member
Thread author
Nov 1, 2014
14
There was one other thing I forgot to mention, which also may not be related. About the same day that the blocked intrusion / dllhost.exe *32 problem started, something else began happening on a regular basis, something I've never seen before. At about, oh, 10% of the webpages I visit (doesn't seem to matter what website it is), a window pops up with the following:

"Do you want to debug this webpage?
This webpage contains errors that might prevent it from displaying or working correctly. If you are not testing this webpage, click no."

Beneath that are two checkboxes:
"Do not show this message again"
"Use the built-in script debugger in Internet Explorer" (this box is always already checked and greyed out)

Beneath that are a "Yes" and a "No" button. I believe the Yes button is always greyed out.

Beneath that is a message box with text, different each time. For example:
"Line: 542
Error: Access is denied"

Checking the "Do not show this message again" box doesn't keep the window from popping up again a few web pages later.

As I said, it may have nothing to do with the primary problem, but it seems like a strange coincidence that it started happening the same day.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Scan with Combofix:
  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.
  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.
  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
    (typical log location: C:\ComboFix.txt )
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Open notepad and copy/paste the text present inside the code box below:


Code:
File::
c:\windows\system32\gjojkdy.dll
c:\windows\SysWow64\hjuinv.dll
c:\windows\system32\fpvnf.dll

ClearJavaCache::
Save this as CFScript.txt

[Screenshot: CFScriptB-4.gif]


Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
 

Scott Fulmar

New Member
Thread author
Nov 1, 2014
14
I believe so--there haven't been any more intrusion attempts or dllhost.exe *32 processes. And there haven't been any more clusters of "Unauthorized access blocked" messages in Norton since the last couple of procedures you walked me through, but those occurrences are sometimes separated by days or even weeks, so I'm not sure if those are fixed. Finally, I just navigated through a couple of hundred different webpages to test for the "debug this webpage" message--it did pop up once, but that's way better than one-in-ten pages like it was before.

Many, many thanks! You're a miracle worker. I'm about to donate enough for you to have more than a few beers, so get good and drunk.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Hahaha thank you :)


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 