
Runaway COM Surrogate (32 bit)/dllhost.ex



Hello,

I answered your first Windows Updates question in my previous post.

I have Updates to download only. I like to review the list of Updates before installing. There have been cases where an Update has rendered a machine unbootable, so I would rather check first.

If you set Updates to download and install, you will be prompted to reboot within 24 hours, otherwise your machine will reboot itself.


I'm sorry I missed your original reply. I think I saw it as part of your signature and missed it. Thanks for the additional information about Auto-Update. I like to see/know what I'm applying, but I have to not let them pile up.

One more question about updates, if you don't mind - Does MS only offer updates for what is installed on my system, or offer everything available for my OS, regardless of whether I have/use the programs or not?


Microsoft only provides Updates for MS software. Windows Operating System, IE, IE Flash Player (Adobe Flash Player incorporated into IE for Windows 8), MS Office, etc.

Third-party software is not affiliated with MS or Windows Updates.

If you are referring to MS software, the updates you receive will be relevant for your OS and the software you have installed.

For example, a Windows 8 user without MS Office installed will not receive Windows Vista updates or MS Office updates.


Update:

I finished copying my files, unplugged the new drive and tried the EXPENSIVE decryption program. I have many Terabytes of TV recordings (via a Hauppauge unit) on other USB hard drives. Luckily, I chose to record in the TS format, so those files did not get encrypted. Interspersed between them, however, I have a few MP4 files that did get encrypted on each drive. I had pulled out my Ethernet cable and all USB storage before kicking off the program.

Of course, the first files it tried to decrypt were encrypted on my (currently detached) USB drives. The program pops up a message asking if you want to (attach the device) and Retry or Skip that file. I then noticed an option to browse and select a folder (includes those subordinate to it) and tried that. It seems to be doing what it is supposed to do. It is re-startable when I shut it down. It is VERY slow. Apparently, it is much faster to ruin a file than it is to recover it. The files come back with original names and create date/time intact. Modified date shows the current one, so if you know the encryption date range, you can tell at a glance whether or not each file has been decrypted or not.

I have verified successful decryption of the following file types:

.txt

.doc

.xls

.jpg

I just remembered that the encryption had run against my Outlook file, too, so that is the next file I will try to recover. If you think it would be helpful, I plan to write up a detailed summary of my experience once I get my machine back. If anyone is suffering and has any immediate questions, I will be checking back here, but my main concern now is getting my files recovered.

A friend sent me an interesting article indicating that a group of good guys is able to decrypt (for free) files encrypted by the predecessor, CryptoLocker (not CryptoWall). The article has a link to a portal where one can enter one's e-mail address, upload an encrypted file and they will attempt to decrypt it and e-mail it back to you. I tried the sample xls file that I provided to the ransomware thieves as a test file, but it returned a message to the effect of "this file does not appear to have been encrypted by CryptoLocker."

I will touch base with them soon regarding CryptoWall.

http://www.bbc.com/news/technology-28661463

Current questions:

The zip (scary) that I downloaded from them includes both an exe (scary) and a file labelled "secret.key". I opened up the key using notepad and it appears to be what I was expecting. Is it possible for me to use that (without the exe) on my external hard drives and, later, on any files I may have missed with the decryption program?

Once I've got my machine recreated, cleaned, updated and safe, is having MCShield running going to be enough to protect my pc once I start reattaching my various USB disk/thumb drives to my pristine machine? Of course I mean with Avast and MBAM up, updated and running. I ran MCShield and it said that it had renamed a suspicious autorun.inf file on my new backup drive. How can I best keep my "new" machine protected from anything loaded onto these devices while they were connected to my "old" machine?

Should I attach them all and rescan with MCShield before I reformat?

Is there a special procedure for reconnecting them?


BleepingComputer is probably the best place to share experiences with ransomware. The site was one of the first to report Cryptolocker, and has detailed articles and discussion topics on all types of file-encrypting ransomware. 

 

Is it possible for me to use that (without the exe) on my external hard drives and, later, on any files I may have missed with the decryption program?

I don't know. This is the sort of question best asked in the BC discussion topic I linked earlier. 
 

Once I've got my machine recreated, cleaned, updated and safe, is having MCShield running going to be enough to protect my pc once I start reattaching my various USB disk/thumb drives to my pristine machine?

To take additional precautions have a look at installing Sandboxie. You'll be able to open your USB drive in an isolated environment. No data can be written to your HDD unless you specifically allow it. 
 

Is there a special procedure for reconnecting them?

There's no special procedure as such, but you may wish to do the following.

  • Install and run Panda USB Vaccine after reformatting. This will vaccinate your machine against autorun infections. 
  • Install MCShield and Sandboxie. 
  • Hold shift and insert your USB drive. 
  • Run a scan with MCShield, avast! and MBAM, ensuring you select the option to scan external drives. 
  • Open the USB drive in Sandboxie, and hand-pick each file to move onto your HDD. 
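The reconnection procedure above leans on MCShield and Panda USB Vaccine to catch and block autorun.inf abuse. As an added example (not part of the original thread, and not the code of MCShield, Panda USB Vaccine or any other tool named here), the following Python script does both jobs by hand: it parses the [autorun] section of an autorun.inf, reports every key that would launch something plus two classic tells, and then plants a directory named autorun.inf in the drive root, which is the same idea Panda USB Vaccine uses to stop malware dropping a file of that name. The autorun.inf it inspects is a constructed sample written to a temporary directory; the list of hiding directories and the spoofed action text are heuristics, not a complete signature set.

```python
"""Inspect a removable drive's autorun.inf, then block future drops.

Added example; not the code of MCShield, Panda USB Vaccine or any other
tool from the thread. SAMPLE_AUTORUN is a constructed file, and HIDING_DIRS
plus the action-text check are heuristics rather than a full signature set.
"""
import tempfile
from pathlib import Path

# Keys Windows honours to run something from an autorun.inf. 'icon', 'label'
# and 'action' only change how the drive is presented.
LAUNCH_KEYS = ("open", "shellexecute")
# Directories worms traditionally used to hide the payload referenced here.
HIDING_DIRS = {"recycler", "$recycle.bin", "system volume information"}
# The text Explorer itself shows for a plain drive; malware copies it so the
# AutoPlay dialog looks like the harmless default choice.
SPOOFED_ACTION = "open folder to view files"

# Constructed sample of a malicious autorun.inf (not taken from any real drive).
SAMPLE_AUTORUN = r"""[autorun]
open=.\RECYCLER\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=.\RECYCLER\setup.exe
shell\explore\command=.\RECYCLER\setup.exe
label=Backup Drive
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    A hand-rolled parser is used instead of configparser because real
    autorun.inf files contain '%' in values, backslashes in keys and
    duplicate keys, all of which trip the stdlib parser.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def assess_autorun(entries):
    """Return a list of human-readable findings; an empty list means nothing
    in the file would execute code or mislead the user."""
    findings = []
    for key, value in entries.items():
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        target = value.split()[0] if value else ""
        findings.append(f"{key} launches {target}")
        parts = target.replace("/", "\\").lower().split("\\")
        if any(part in HIDING_DIRS for part in parts):
            findings.append(f"{key} target sits in a known hiding directory")
    if entries.get("action", "").lower() == SPOOFED_ACTION:
        findings.append("action text mimics Explorer's own 'Open folder' choice")
    return findings


def vaccinate(drive_root):
    """Quarantine any autorun.inf file and replace it with a directory of the
    same name, so a later infection cannot drop a new autorun.inf there.
    Simplified form of the Panda USB Vaccine approach (assumption: the real
    tool also makes the entry undeletable from Explorer)."""
    root = Path(drive_root)
    inf = root / "autorun.inf"
    if inf.is_file():
        inf.replace(root / "autorun.inf.quarantined")
    inf.mkdir(exist_ok=True)
    return inf.is_dir()


def demo():
    """Write the sample to a temporary 'drive', inspect it, then vaccinate."""
    with tempfile.TemporaryDirectory() as drive:
        inf = Path(drive) / "autorun.inf"
        inf.write_text(SAMPLE_AUTORUN, encoding="utf-8")
        entries = parse_autorun(inf.read_text(encoding="utf-8", errors="ignore"))
        findings = assess_autorun(entries)
        vaccinated = vaccinate(drive)
        return {
            "findings": findings,
            "vaccinated": vaccinated,
            "quarantined": (Path(drive) / "autorun.inf.quarantined").is_file(),
        }


if __name__ == "__main__":
    for line in demo()["findings"]:
        print("!", line)
```

Point `vaccinate()` at the drive letter (for example `vaccinate("E:\\")`) after the scans in the list above have run. Note that Windows 7 and later, and XP/Vista with update KB971029 applied, no longer honour autorun.inf on USB disks at all, so the launch keys are inert on a patched machine; the inspection still tells you that something on the drive wanted to autorun, and the directory blocker still protects any older machine the drive visits.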

Hi, Adam!

I got to a point where I had all my files decrypted and then copied off to my backup drive. I went into Dell Backup and Recovery to select the factory image. The strange thing is that the ONLY choice of image said "Factory Image - 8/13/2013 2:24:00 Local Time". I bought this PC in December of 2012. How could the Factory Image be dated 8 months after purchase? Is this something known to be targeted by viruses/malware?

I'm going to get some sleep now and hope you might have an explanation or suggestion before I continue.

Thanks!

Tom


Hello Tom, 

 

Did you run recimg.exe to generate a new refresh image at the date and time listed?

http://blogs.msdn.com/b/matt-harrington/archive/2012/04/01/create-a-windows-8-refresh-image-with-recimg-exe.aspx

 

If not, is System Restore monitoring the Recovery Partition, and did you perform a System Restore on that date?

 

Did you reinstall on 8/13/2013 2:24:00?


Hello Tom, 

 

Did you run recimg.exe to generate a new refresh image at the date and time listed?

http://blogs.msdn.com/b/matt-harrington/archive/2012/04/01/create-a-windows-8-refresh-image-with-recimg-exe.aspx

 

If not, is System Restore monitoring the Recovery Partition, and did you perform a System Restore on that date?

 

Did you reinstall on 8/13/2013 2:24:00?

No, No and No.  It was also the ONLY image in the Recovery Partition and was labeled "Factory Image," which I know is not true.

 

Catching up:

 

I spoke to Dell Support on Sunday.  The tech I spoke to helped me restore the "factory image" and then ran tons of diagnostics and scans against it to be sure it was virus and malware free.  I wanted to go back and start over from scratch, but this was the path he indicated would be faster and equally safe.  I went with his recommendations and got my machine working again.  Each scan I did with System Mechanic antivirus and Malwarebytes came up clean.  I did the port scan available at GRC and that showed no open ports.  For the next few days, it worked pretty well, but was sometimes slow coming up or shutting down.  It was behaving really hinkily on Wednesday, so I contacted Dell again to see about a fresh start, as no one has any idea what was on my 8/13/13 starting point.  The guy had me do the pre-load (?!?) diagnostics (available via F12 during boot-up) and we received an error message regarding the hard drive.

 

I purchased a new hard drive and plan to install it as my primary once I receive the OS disk from Dell.  They are sending that, along with another disk containing drivers and <something else>.  Once my OS is installed and stable, I will load and update antivirus, malware and Windows updates.

 

Do you want me to update this later, or do you want to close it, as the immediate malware/virus threats are now gone?

 

I want to mention one thing that I couldn't find on the web when I needed it.  While running the CryptoWall decrypter.exe, it will hang once in a while.  Mine did on my Outlook file, so no one had any idea about how far along it was.  Once I finally stopped the program, I found that it had hung on a final step and had actually completed decrypting the file.  Typically, this program creates a copy (at 0 bytes) of the file being decrypted.  Once it finishes, the 0 byte file disappears and your original file is decrypted and has a new modified date.  If the program seems to be hanging and the copy file shows a size of 500 bytes, the program will hang there indefinitely.  I ended mine (processing different files) at least 3 times (including Outlook) and it decrypted successfully each time, but left the work file out there once I stopped the process.

 

Thank you for all your help with this issue, Adam!  I'm really glad there are people like you around helping people fight these thieves.

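Two observations in Tom's posts above make a quick progress check possible without the decrypter: a file the decrypter has restored carries a fresh modified date while an untouched encrypted file still shows one inside the attack window, and a stalled run leaves a 0-byte or 500-byte work file behind. The following Python script is an added example (not code from the thread or from the decrypter): it walks a folder, splits files by modified time against an assumed attack window and lists the tiny files worth checking as leftovers. The file names, dates and the 0/500-byte sizes are assumptions built from the description, applied to a constructed sample tree in a temporary directory.

```python
"""Progress check on a tree recovered from CryptoWall.

Added example; not from the thread or any decrypter. The attack window and
the 0-byte / 500-byte work-file sizes are assumptions taken from the
description of the decrypter's behaviour; the sample tree is constructed.
"""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Assumed sizes of the decrypter's work files: 0 bytes while it is writing,
# 500 bytes when it has stalled.
WORK_FILE_SIZES = {0, 500}


def classify_tree(root, window_start, window_end):
    """Bucket every file under root by its modified time.

    Returns {'in_window': [...], 'after': [...], 'work_files': [...]}, paths
    relative to root with forward slashes:
      in_window  - modified during the attack window: probably still encrypted
      after      - modified since the window closed: decrypted or otherwise touched
      work_files - size in WORK_FILE_SIZES: possible stalled decrypter output
    Files last modified before the window are omitted: the attack never wrote them.
    """
    root = Path(root)
    buckets = {"in_window": [], "after": [], "work_files": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        info = path.stat()
        rel = path.relative_to(root).as_posix()
        if info.st_size in WORK_FILE_SIZES:
            buckets["work_files"].append(rel)
            continue
        modified = datetime.fromtimestamp(info.st_mtime)
        if window_start <= modified <= window_end:
            buckets["in_window"].append(rel)
        elif modified > window_end:
            buckets["after"].append(rel)
    return buckets


def build_sample_tree(base, attack):
    """Constructed sample: one file from before the attack, one the ransomware
    rewrote, one the decrypter restored, and one empty leftover work file
    (the '.work' name is invented; the real tool's naming is not documented)."""
    base = Path(base)
    samples = {
        "old/notes.txt": (attack - timedelta(days=30), b"never encrypted\n"),
        "docs/budget.xls": (attack + timedelta(minutes=5), b"opaque ciphertext bytes"),
        "docs/photo.jpg": (attack + timedelta(days=3), b"restored jpeg bytes"),
        "docs/Outlook.pst.work": (attack + timedelta(days=3), b""),
    }
    for rel, (when, data) in samples.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        stamp = when.timestamp()
        os.utime(path, (stamp, stamp))  # backdate the modified time


def demo():
    """Run the classification over the sample tree with a six-hour window."""
    attack = datetime(2014, 8, 10, 12, 0, 0)  # assumed date of the encryption run
    with tempfile.TemporaryDirectory() as tree:
        build_sample_tree(tree, attack)
        return classify_tree(tree, attack - timedelta(hours=1), attack + timedelta(hours=6))


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, files)
```

To use it on a real drive, call `classify_tree("E:\\", start, end)` with the window taken from the modified dates of a few known-encrypted files; anything listed under `in_window` is a candidate to feed back to the decrypter, and anything under `work_files` is worth opening before deleting, since the poster found the original already restored next to the stalled copy.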

Hi Tom,
 

The tech I spoke to helped me restore the "factory image"

OK, good.
 

Each scan I did with System Mechanic antivirus

System Mechanic is not an Anti-Virus. It is an optimization/registry cleaner, and may cause damage to your Operating System. 
 

Registry Cleaner Warning
 
------------------------------
 
There are numerous programmes which purport to improve system performance, make repairs and tune up a computer. Many of them include such features as a registry cleaner, registry optimizer, disk optimizer, etc. Some of these programmes even incorporate optimization and registry cleaning features alongside anti-malware capabilities. These registry cleaners and optimizers claim to speed up your computer by finding and removing orphaned and corrupt registry entries that are responsible for slowing down system performance. There is no statistical evidence to back such claims. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potentially dangerous product.
 
Please refer to the following article on why you should not use registry cleaner software.

 

I purchased a new hard drive and plan to install it as my primary once I receive the OS disk from Dell.  They are sending that, along with another disk containing drivers and <something else>.  Once my OS is installed and stable, I will load and update antivirus, malware and Windows updates.

Sounds good!
 

Do you want me to update this later, or do you want to close it, as the immediate malware/virus threats are now gone?

I think we should be good to finish up, unless you have any additional questions. :)
 
---------------------- 

My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
 
Below I have compiled a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • Emsisoft Antimalware (free) acts as an additional on-demand scanner, and can be used in conjunction with your Anti-Virus. 
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) incorporates real-time protection and is designed to run alongside your Anti-Virus. 
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology. 
  • Sandboxie isolates programmes of your choice, preventing files from writing to your HDD unless you approve the file. 
  • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Web of Trust (WOT) is a browser add-on designed to alert the user before interacting with a potentially malicious website. 

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing.
Adam (LiquidTension).


Hi, Adam!

 

I see that I mis-phrased when I said System Mechanic antivirus.  I should have made it clear that I meant the antivirus component of System Mechanic.  The version I have, System Mechanic 12 Pro, does include antivirus, antispyware and antimalware components.

 

I went with System Mechanic when the technician I was working with heard that I had a license.  He stated it was a good product (completely unrelated to his comment that it was developed as a joint product between Iolo and Dell, I'm sure).  I know that it definitely got my pc running better when I first bought it (SM).  I will read over the article you linked to and decide whether or not to abandon it and use Avast instead.

 

I will also review all the other links you've so thoughtfully provided.  I want to be sure I have (and keep) my machine as well-protected as possible.

 

I'm not happy with my pc yet, but I'm very happy about the direction it's going.  I may not receive the OS disk from Dell until Monday, so I may not be able to rebuild until then.

 

I will check back once I've finished it and leave a comment indicating so if the thread is still open then.

 

 

Thank you so much for all your help in this time of crisis!

 

Tom


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.