High Memory Usage - COM Surrogate; Internet Explorer; Debug This Page


Hi,

 

Newbie here to anti-virus and malware that won't go away/doesn't have an update or scan that removes it.   I have used a Windows PC for about 15 years now and have had occasional issues but been able to solve them using postings that have been from reliable sources.   Yesterday I started getting CPU Usage Pop Ups (I use Norton for anti-virus; it came with the laptop otherwise would probably use Avast; laptop is an HP Pro Book 6406b; 32 bit; Windows 7 Professional; Intel i5-2520M; 2.50 GHz - sorry for all the data but not sure what you will need).

 

The pop ups indicate high memory usage by COM Surrogate; another pop up said it was high memory usage by Internet Explorer; another said dllhost.exe; and another high processes for windows services.   I have also been getting pop ups asking me if I want to debug whatever web page I am on (I have always answered No).   (The CPU usage box requires no action when it pops up, just needs to be closed, it's a Norton prompt.)    I have also gotten a Norton message today that it blocked a Trojan attempt on three or four occasions from 195.2.240.80.   I don't know what that site is - Norton labeled the attempts "high" and indicates it blocked them.    Norton also says it blocked an effort from 192.168.1.1 but labeled that "info" - this one happened about 15 times today according to Norton's history log.

 

I have run Norton Full System Scan (takes an hour) and it found 16 "low risk" (per Norton) cookies however I always dump my explorer history before I run the scan and did so this time too, which means the cookies should have all been gone but were not this time.   15 minutes after the full scan ended, I ran it again, having had limited (if any) internet usage and it found another 14, also seen as "low risk" by Norton.   Whatever this is seems to replicate.

 

In Googling this topic, the solutions seem unique to each user and more than one site said to use a malware forum and speak with an expert.   So here I am.   However frustrating this is on my end, I want to say "thanks" in advance to whomever will be assisting me.   I have a feeling this is not a "paying position" for you so I really appreciate the time you are taking to help.  fyi; as I was typing just now, I just received a COM Surrogate pop up from Norton that it was using a ton of my memory.

 

Thanks again.

 

Mark

 

Link to post
Share on other sites

Hello,
    
 
They call me TwinHeadedEagle around here, and I'll be working with you.
 
     
    
Before we start please read and note the following:

  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
Rules and policies
 
We won't support any piracy.
That being said, if any evidence of illegal OS, software, cracks/keygens or any other is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.
 
 
 
 

Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Link to post
Share on other sites

TwinHeadedEagle,

 

First, thanks for helping.  I have tried for about 30 minutes to download Farbar but I keep getting a message that it cannot download because IE is closing.    I've gotten as far as 10% when it closes explorer.   One message said Powershell failure.   I have been able to get it to download to 100% if I click "run" instead of "Save" (I was going to then save it) but just as it finishes, it then also closes explorer - so that too does not work.

 

Mike

Link to post
Share on other sites

TwinHeadedEagle,

 

In case it helps, I tried downloading a file I know is safe and it gets to 100% and then the same message pops up "Internet Explorer Has Stopped Working".   It comes up at the exact same time - immediately after reaching 100% on the download .   My computer then restarts explorer but at the stage where I have to choose "download" again and when I try again, the same result occurs.

 

Hope this information is helpful.....

 

Mike

Link to post
Share on other sites

Fix with Farbar Recovery Scan Tool




This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.


Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.




Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

fixlist.txt

Link to post
Share on other sites

Apologies but I cannot get the first file (fixlist.txt).   I looked on both the infected computer and a clean one and neither sees the file.   When I click on the icon, it goes to sites.google.com but the screen is blank except for the icon appearing again.   Can you re-send the fixlist.txt file?   Thanks for the help.

Link to post
Share on other sites

Thanks for the continued help - here are the logs.  

 

As I attached the logs to the forum post, I received the "debug this webpage" pop up - so that is still occurring.  

 

Also, Malwarebytes did not require a reboot when the scan was done (did not detect threats) however during the entire malwarebytes scan, I received a bunch of malwarebytes "Malicious Website Blocked" pop ups.  Each time, the pop up said the following:    IP:  88.214.193.54.    Port:  this changed each time.  Process:  C:\Windows\System32\svchost.exe.   Type: Outbound.  

 

Each time the Malwarebytes pop came up, it said that the malicious website was blocked.

Fixlog.txt

log.txt

Link to post
Share on other sites

Let's run one more tool:
 
 
 
Scan with ComboFix
 
This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!

 
Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with internet connection after running ComboFix, please visit this link.
If an error about operation on the key marked for deletion appears after running the tool, please reboot your machine.

Link to post
Share on other sites

Thanks for all the help. I've been out of town for several days - so far the laptop is ok but I have only used it once since you fixed it. Can I let you know in two to three days how things are going? Also, do you think a backdoor was opened when it had the malware infection or do you think Norton stopped that?

Link to post
Share on other sites

First, many thanks TwinHeadedEagle for all the help.   Now that I have malwarebytes anti-malware on my laptop, I am getting pop-ups from it blocking malicious websites.   I do not know if that means I still have a problem as I did not have malwarebytes before so I do not know what is normal on those type messages.   The IP Address on the malicious website that is blocked is listed as 5.45.67.219 and it says the Type is Outbound.   The Process is still the windows\system32\svchost.exe (same as before).

 

A bigger issue may be that I received another "high usage error" tonight.   I did not get to write it down but it will probably occur again.   If you are ok waiting another 24 hours, I can give you more info when it pops up again as to what it says.

 

Thanks again for the help.

Link to post
Share on other sites

Scan with TDSSKiller
 
Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on the TDSSKiller icon and select Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automatically. Click on Change parameters and click OK.
  • Click the Start Scan button and wait patiently.
  • If anything is found, follow these guidelines:
    • If a suspicious object is detected, the default action will be Skip, click on Continue.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
      If Cure is not available, please choose Skip instead.
    • Do not choose Delete unless instructed!
  • A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.

 

 

 

Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Link to post
Share on other sites

  • 4 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
