# dllhost com surrogate process grows in memory usage


Hello. I am working on a computer for a friend and it looks like his computer has been infected with some malware. Upon Windows startup the dllhost file is executing processes that multiply and start to utilize up to 2 GB of his memory. I have upgraded his CPU from a dual core to a hex core to help deal with the slowness and while Malwarebytes found some stuff, which I deleted, the issue remains.

I see some cowboys of the wild west on these forums handling people's issues with good results. I have run some of the programs listed with hopes of resolving it with my knowledge, but I am not a pro with malware removal.

My hands are tied. I would be happy to donate some currency for the time put in and services rendered. Unfortunately this machine has a complex configuration with connections to CNC and similar industrial machines, so wiping the OS and reinstalling CAD programs with floppy disks would be a huge pain, let alone setting up the XP VM.

Unfortunately the Malwarebytes logs are XMLs which I can't upload, but I have included some files from ComboFix and FRST. Perhaps a fixlist can be generated from this.

I will check the forums and follow whatever instructions are given explicitly. No pirated software or hacked windows are installed on this machine. Please help.

ComboFix.txt

smith_malwarebytes_log.txt

FRST.txt

---

I've also run CCleaner, rkill, and junkware removal tool. Some of these programs I even ran in safe mode, but I am probably not doing it in the correct order to effectively stop this infection.

JRT.txt

---

Hello msmith451, welcome to Malwarebytes' Malware Removal forum!

My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.

General P2P/Piracy Notice:

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

======================================================

Please read through the points below to ensure this process moves as quickly and efficiently as possible.

• Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
• Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
• Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
• Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
• If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
• Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
• Ensure you are following this topic. Click  at the top of the page.

======================================================

STEP 1
Folder Options

• Press the Windows Key + r on your keyboard at the same time. Type Control Folders and click OK.
• Click View. Under Hidden files and folders
• Place a checkmark next to Show hidden files, folders and drives.
• Remove the checkmark next to Hide extensions for known file types.
• Remove the checkmark next to Hide protected operating system Files (Recommended).
• Click Apply followed by OK.

STEP 2

• Click Choose File and locate the following file:
• C:\Windows\SysWOW64\drivers\ddnt.sys
• Click Scan it!.
• Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply.

STEP 3
TDSSKiller Scan

• Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
• Click Change parameters. Place a checkmark next to:
• Detect TDLFS file system
• Verify file digital signatures
• Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
• Click Start Scan. Do not use the computer during the scan.
• If objects are found, change the action to skip.
• Click Continue and close the window.

======================================================

STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• VirusTotal Results
• TDSSKiller log (attached!)

---

Thank you. I will run the tests in about 6 hours and post results shortly thereafter.

---

OK, sounds good.

I'll look out for your logs later.

---

I realized Vipre was disabled but not completely shut down, so I re-ran TDSSKiller.

TDSSKiller.3.0.0.41_12.11.2014_18.27.04_log.txt

---

The system appears better after I ran adwcleaner, fixpoweliks64 and malwarebytes antirootkit last night, before I posted here, but that Win32.Malware.Heur_Generic.A.(kcloud) picked up by Kingsoft seems to remain. I have to check out for the night, but I will check back tomorrow and follow whatever instructions you give me.

---

Hi Matt,

STEP 1
Uninstall Software

• Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
• Search for the following programmes, right-click and click Uninstall.
• Note: Ensure you decline offers of additional software if applicable.
• Reboot if necessary.

STEP 2
Farbar Recovery Scan Tool (FRST) Script

• Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
```
start
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2081514750-4280462676-107054556-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2081514750-4280462676-107054556-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKCU - No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} -  No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No File
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
S3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe" [X]
S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe /s  [X]
S3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0; \??\c:\gencotst\pcdsrvc_x64.pkms [X]
C:\Users\Nick\AppData\Local\Temp\AcDeltree.exe
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{6D7AE628-FF41-4CD3-91DD-34825BB1A251}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe /Automation No File
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{B77E471C-FBF3-4CB5-880F-D7528AD4B349}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe /Automation No File
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{C92FB640-AD4D-498A-9979-A51A2540C977}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe /Automation No File
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{D70E31AD-2614-49F2-B0FC-ACA781D81F3E}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acad.exe No File
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD 2012 - English\acadficn.dll No File
C:\Program Files (x86)\Ask.com
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /f
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
```
• Click File, Save As and type fixlist.txt as the File Name.
• Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

STEP 3
Malwarebytes Anti-Malware (MBAM)

• Open Malwarebytes Anti-Malware and click Update Now.
• Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
• Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
• Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.

STEP 4

• Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
• Click Scan.
• Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
• Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
• After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

======================================================

STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Did the programme uninstall OK?
• Fixlog.txt
• MBAM log
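An added, read-only check (not from this thread, FRST or Farbar) for the persistence mechanism the fixlist above removes: a per-user CLSID whose localserver32 value runs rundll32.exe with a javascript: URL, which the opening post sees as dllhost.exe COM Surrogate instances eating memory. The script enumerates machine and per-user CLSID server keys for that pattern and lists running dllhost.exe surrogates with the CLSID each one hosts; the regex patterns are assumptions derived from the fixlist entry, it assumes an elevated PowerShell 3.0+ session on Windows 7 or later, and it deletes nothing.

```powershell
# Added example, not from the thread or from FRST: report-only check for the
# rundll32/javascript COM server hijack seen in the fixlist. Assumes elevation.

# Patterns assumed from the fixlist's localserver32 value.
$SuspiciousPatterns = @('rundll32(\.exe)?\s+javascript:', 'mshtml,RunHTMLApplication')

function Get-ClsidRoots {
    # Machine-wide roots plus the per-user overlay HKU\<SID>_Classes\CLSID
    # (what FRST reports as CustomCLSID). Only hives of logged-on users are loaded.
    $roots = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
               'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID')
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        if ($hive.PSChildName -like '*_Classes') {
            $roots += "Registry::HKEY_USERS\$($hive.PSChildName)\CLSID"
        }
    }
    $roots | Where-Object { Test-Path $_ }
}

function Get-SuspiciousComServers {
    foreach ($root in Get-ClsidRoots) {
        foreach ($clsid in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            foreach ($server in 'LocalServer32', 'InprocServer32') {
                $key = "$($clsid.PSPath)\$server"
                if (-not (Test-Path $key)) { continue }
                $cmd = [string](Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
                if ([string]::IsNullOrEmpty($cmd)) { continue }
                foreach ($pattern in $SuspiciousPatterns) {
                    if ($cmd -match $pattern) {
                        [pscustomobject]@{
                            Clsid   = $clsid.PSChildName
                            Key     = ($key -replace '^.*Registry::', '')
                            Pattern = $pattern
                            # The Poweliks value runs to hundreds of characters; show the start only.
                            Command = $cmd.Substring(0, [Math]::Min(100, $cmd.Length))
                        }
                        break
                    }
                }
            }
        }
    }
}

function Get-ComSurrogates {
    # A COM Surrogate is launched as "dllhost.exe /Processid:{CLSID}", so the command
    # line names the hosted CLSID; correlate it with the flagged registrations.
    $flagged = @(Get-SuspiciousComServers | ForEach-Object { $_.Clsid.ToLower() })
    foreach ($p in Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'") {
        $clsid = $null
        if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]+\})') { $clsid = $Matches[1] }
        [pscustomobject]@{
            Pid          = $p.ProcessId
            WorkingSetMB = [Math]::Round($p.WorkingSetSize / 1MB, 1)
            HostedClsid  = $clsid
            Flagged      = ($clsid -ne $null -and $flagged -contains $clsid.ToLower())
        }
    }
}

Write-Host '== COM server registrations matching the fixlist pattern =='
Get-SuspiciousComServers | Format-Table -AutoSize -Wrap
Write-Host '== Running dllhost.exe surrogates (largest first) =='
Get-ComSurrogates | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize
```

A surrogate whose HostedClsid is Flagged, or a per-user key whose default value points at rundll32.exe rather than a DLL or EXE on disk, is what the FRST fixlist above was written to remove.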

---

Previously when trying to uninstall Ask toolbar I got a 1316 error. I had tried under AdwCleaner previously. Will try these steps again in about 8 hours.

---

Ask toolbar program was mysteriously gone today. Good riddance!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-11-2014 02
Ran by Nick at 2014-11-13 17:01:00 Run:1
Loaded Profile: Nick (Available profiles: Nick)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2081514750-4280462676-107054556-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2081514750-4280462676-107054556-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKCU - No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} -  No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No File
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
S3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe" [X]
S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe /s  [X]
S3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0; \??\c:\gencotst\pcdsrvc_x64.pkms [X]
C:\Users\Nick\AppData\Local\Temp\AcDeltree.exe
CustomCLSID: HKU\S-1-5-21-2081514750-4280462676-107054556-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /f
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKU\S-1-5-21-2081514750-4280462676-107054556-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\vipresg" => Key deleted successfully.
"HKCR\PROTOCOLS\Filter\text/xml" => Key deleted successfully.
PCDSRVC{67F2314B-25F2B3C0-06020101}_0 => Service deleted successfully.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater" /f =========

The operation completed successfully.

========= End of Reg: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  netsh winsock reset all =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  netsh int ipv4 reset =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.

========= End of CMD: =========

=========  netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.

========= End of CMD: =========

EmptyTemp: => Removed 13.2 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/13/2014
Scan Time: 5:11:35 PM
Logfile:

Version: 2.00.3.1025
Malware Database: v2014.11.13.10
Rootkit Database: v2014.11.12.01
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Nick

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327176
Time Elapsed: 8 min, 37 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

# AdwCleaner v4.101 - Report created 13/11/2014 at 17:24:42
# Updated 09/11/2014 by Xplode
# Database : 2014-11-13.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Nick - MIKTOOLPC
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420

*************************

AdwCleaner[R1].txt - [746 octets] - [13/11/2014 17:23:22]
AdwCleaner[s1].txt - [668 octets] - [13/11/2014 17:24:42]

It looks like everything is gone. There were a few items quarantined in mbam from previous runs, so I deleted them. Is there anything else left to do other than keep an eye out for anything strange?

---

Hello Matt,

Let's check for malware remnants.

ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

• Double-click esetsmartinstaller_enu.exe to run the programme.
• Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
• Place a checkmark next to Enable detection of potentially unwanted applications.
• Click Hide advanced settings. Place a checkmark next to:
• Scan archives
• Scan for potentially unsafe applications
• Enable Anti-Stealth technology
• Ensure Remove found threats is unchecked.
• Click Start.
• Wait for the scan to finish. Please be patient as this can take some time.
• Upon completion, click . If no threats were found, skip the next two bullet points.
• Click  and save the file to your Desktop, naming it something such as "MyEsetScan".
• Push the Back button.
• Place a checkmark next to  and click .
• Copy the contents of the log and paste in your next reply.

---

Thanks Adam. I hope we are in the final stretch. I assume the quarantined files can be deleted. The Y: drive is an external backup that has an old install, so I don't think the toolbar could be affecting this computer. I will be formatting it soon and starting a new backup regimen after all this is said and done. ccsetup is just CCleaner and 1440026.msi can just be deleted, right?

C:\Qoobox\Quarantine\Registry_backups\CLSID_{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}.reg.dat Win32/Poweliks.C trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0000.dta Win64/Olmarik.AK trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0001.dta Win32/Olmarik.AYH trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0002.dta Win64/Olmarik.AL trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.NH trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0004.dta Win64/Olmarik.AK trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0008.dta Win32/Olmarik.AFK trojan

C:\TDSSKiller_Quarantine\11.11.2014_18.55.53\tdlfs0000\tsk0009.dta Win64/Olmarik.AK trojan

C:\Windows\Installer\1440026.msi a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application

Y:\old computer\Program Files\Common Files\Real\Toolbar\RealBar.dll a variant of Win32/Adware.Toolbar.Visicom.AB application

Thanks again. I might not be back until Monday, but this hour long scan completing without any active threats (just remnants) makes me think we are good. What is your opinion?

Enjoy the weekend,

Matt

---

Hi Matt,

Delete this file: C:\Windows\Installer\1440026.msi

Update your outdated software to reduce the risk of reinfection.

Ensure the following programmes are no longer installed.

• Java 7 Update 17

Now for the good news.

All Clean!
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.

My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.

STEP 1
ComboFix Uninstall

• Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:
ComboFix /Uninstall
• Click OK.
• Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.

STEP 2
DelFix

• Double-click DelFix.exe to run the programme.
• Place a checkmark next to the following items:
• Activate UAC
• Remove disinfection tools
• Create registry backup
• Purge system restore
• Reset system settings
• Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

======================================================

I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

• CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), preventing your files from being encrypted.
• Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
• Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
• NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
• Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
• Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
• SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
• Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.

======================================================

Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread.

Thank you for using Malwarebytes.

Safe Surfing.

---

Thanks again Adam. I sent you some pounds. Spend them recklessly!

---

You're welcome, Matt. It was my pleasure.

> I sent you some pounds. Spend them recklessly!

Thank you very much.

I will mark this topic as solved.

All the best,

---

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

---

This topic is now closed to further replies.