
How to remove Dllhost.exe *32 COM Surrogate Virus



Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download Malwarebytes Anti-Malware from here
 

  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.


Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.

IMPORTANT

  • If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).


===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Wait for further instructions.
==============================


 

Link to post
Share on other sites

When I click on the HERE link, it takes me to download free version of MWB but I pay for the premium. Even when I download the most current premium version, and click on the "Malwarebytes/premium" icon (which I assume you are calling the MBAM icon) nothing happens.

I ran Adwcleaner but it found no issues.

Here are the FRST logs (but without being able to complete the MBAM first part of your instructions.)

FRST.txt

Addition.txt

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download and run the Malwarebytes Cleanup Utility
https://support.malwarebytes.com/docs/DOC-1112

When completed restart the computer normally to reset the registry.

Reinstall your Premium Copy.

Do you have any remaining issues?

fixlist.txt

Link to post
Share on other sites

Look. I have limited computer experience and your instructions are given with the assumption that I understand what you are talking about. I don't. I pay MWB over $250 a year to not only prevent these common infections but to also make it easy to get rid of them if they do occur. That is not happening here. I need instructions for a computer novice and detailed instructions every step of the way.

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

No problems.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.


The location is listed in the 3rd line of the FRST.txt log you have submitted.

At the end of the topic you will see a file named fixlist.txt
Click it and the file will be downloaded to your Computer.
The file should be in this download folder in bold.
C:\Users\dontdrama\Downloads

Then Run FRST the Farbar program and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download and run the Malwarebytes Cleanup Utility


https://support.malwarebytes.com/docs/DOC-1112

Click the line and follow the instructions on the page.

Restart the computer to reset the registry.

Now reinstall Malwarebytes.

Download the latest version here.
https://support.malwarebytes.com/docs/DOC-1141

Follow the instructions on the page.
===

When the installation is complete, Malwarebytes for Windows opens automatically and the recommended settings are enabled by default.  If you have purchased a Premium license, refer to the article
Activate Malwarebytes for Windows Premium
https://support.malwarebytes.com/docs/DOC-1142

Follow the instructions on the page.

If at any time you need help please ask before proceeding.

Link to post
Share on other sites

  • 2 weeks later...
On 7/6/2018 at 11:41 AM, nasdaq said:

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

No problems.

 

 

At the end of the topic you will see a file named fixlist.txt
Click it and the file will be downloaded to your Computer.
The file should be in this download folder in bold.
C:\Users\dontdrama\Downloads

Then Run FRST the Farbar program and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

 

 

Click the line and follow the instructions on the page.

Restart the computer to reset the registry.

Now reinstall Malwarebytes.

Download the latest version here.
https://support.malwarebytes.com/docs/DOC-1141

Follow the instructions on the page.
===

When the installation is complete, Malwarebytes for Windows opens automatically and the recommended settings are enabled by default.  If you have purchased a Premium license, refer to the article
Activate Malwarebytes for Windows Premium
https://support.malwarebytes.com/docs/DOC-1142

Follow the instructions on the page.

If at any time you need help please ask before proceeding.

Com Surrogate is still appearing in my task manager.

FRST.txt

Link to post
Share on other sites


Hi,

Com Surrogate is still appearing in my task manager.

Since your log is clean what you are seeing in the TaskManager may be legit.

The Windows Task Manager may display multiple Dllhost.exe *32 COM Surrogate processes, some of which may be legitimate and some threatening. This may make it difficult to tell them apart. The simplest way to determine whether one of these processes is legitimate is by accessing the Windows Task Manager and then selecting the suspicious process. Once you have selected it, use a right click to access the menu and choose 'Open File Location'. Legitimate Dllhost.exe *32 COM Surrogate processes should lead to a file located in the Windows/System32 folder (or the equivalent folder depending on your Windows version). Files in any other location are usually threatening. This is because legitimate programs may have no reason to impersonate a Dllhost.exe *32 COM Surrogate on your computer unless they are trying to trick you in some way. A program doing this may be threatening, or it may be attempting to hide its presence on your computer.

Your computer has a \System32 folder. If you find any Dllhost.exe referencing any folder other than C:\Windows\System32, please let me know where they are located.

Link to post
Share on other sites
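The file-location check described in the post above, as an added PowerShell example that is not part of the original thread: it polls for dllhost.exe instances so that short-lived ones are still recorded, flags any image path outside System32 or SysWOW64 (where the 32-bit "*32" host lives on 64-bit Windows), and names the COM application taken from the /Processid: argument. The parameter names, polling interval and registry lookup order are assumptions of this example; run it from an elevated prompt so the image path is readable.

```powershell
# Added example: log every dllhost.exe instance seen during a polling window,
# with its image path and the COM application it was asked to host.
# $Seconds and $IntervalMs are illustrative defaults, not values from the thread.
param(
    [int]$Seconds    = 60,
    [int]$IntervalMs = 250
)

# Expected image locations: System32, plus SysWOW64 for 32-bit hosts.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\dllhost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\dllhost.exe')
)

function Resolve-ComName([string]$Guid) {
    # Assumption: /Processid: carries an AppID; fall back to CLSID if not found.
    foreach ($hive in 'AppID', 'CLSID') {
        $key = "Registry::HKEY_CLASSES_ROOT\$hive\$Guid"
        if (Test-Path -LiteralPath $key) {
            $name = (Get-Item -LiteralPath $key).GetValue('')
            if ($name) { return $name }
        }
    }
    return '(not registered)'
}

$seen     = @{}
$deadline = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline) {
    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        # PID plus creation time identifies one instance even if the PID is reused.
        $id = "$($_.ProcessId)|$($_.CreationDate)"
        if ($seen.ContainsKey($id)) { return }
        $comApp = '(no /Processid argument)'
        if ($_.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') {
            $comApp = Resolve-ComName $Matches[1]
        }
        $seen[$id] = [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Path        = $_.ExecutablePath
            PathOk      = $expected -contains $_.ExecutablePath   # case-insensitive
            ComApp      = $comApp
            CommandLine = $_.CommandLine
        }
    }
    Start-Sleep -Milliseconds $IntervalMs
}
$seen.Values | Sort-Object ProcessId | Format-List
```

A row with `PathOk : False` and a non-empty `Path` is the case the post asks to be reported; an empty `Path` usually means the script was not run elevated.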

Thank you. I'm not sure what I may have but here are the symptoms: 1. Computer is very slow. 2. I visit 1 URL (ebay) many times a day. Before this started happening, when I opened the google search page the thumbnails below the search box were organized in the order of most visited first. Now, it does not even show the site I visited 30 times that day and the ones that do show I may have only visited once (see attached). In the past, this indicated that I had something like a PUP or something that was funneling my google searches through a third party first. I was always able to resolve this by clearing my cache and restarting. That doesn't work now. 3. My screen goes black or the taskbar disappears while I am working and the only way to resolve it is to unplug it and remove the battery to force a restart. 4. When I open task manager, COM SURROGATE sometimes appears twice and sometimes 4 times in a row but disappears shortly after I click on it and before I have a chance to see what file it appears in. Thanks for your help.

googlethumbnailscreenshot.png

Link to post
Share on other sites

Hi,

Let's check further.

--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======


While I check your logs run this scan.

This scan may take an hour or two. Execute it when you know you will not need the computer.

Please scan your computer with ESET Online Scanner.

  • Click on this link to open ESET Online Scanner in a new window.
    1. Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    2. Close all your programs and browsers.
    3. Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    4. Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.



Please re-enable your antivirus program.

Link to post
Share on other sites

Looks like there was a PUP in my HONEY extension which I deleted.

RogueKiller V12.12.26.0 (x64) [Jul  9 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : dontdrama [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 07/17/2018 10:46:54 (Duration : 00:46:37)
Switches : -refid

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : Honey [bmnlcjabgnpnenekpadlanbbkooimhnj] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS541010A9E680 +++++
--- User ---
[MBR] 87e5f1211371a80ef8b1670ef939cf3d
[BSP] 060560d95989744658f0c7989f57a81f : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
2 - Basic data partition | Offset (sectors): 567296 | Size: 929070 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1903304704 | Size: 895 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1905137664 | Size: 23621 MB
User = LL1 ... OK
User = LL2 ... OK

I will run the other program now. Thanks a lot for your help.

Link to post
Share on other sites

Hi,

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

Link to post
Share on other sites

I ran eset scanner but didn't see where it picked up anything. I'm still having the problems. Something is still acting like a PUP because my google search thumbnails are still not normal. I visited ebay 30 times this morning, and FL lottery once (which I did not win) and only FL lottery shows up in thumbnails. COM SURROGATE is also still appearing and disappearing in task manager.


Link to post
Share on other sites

Hi,

A common use for COM Surrogate is the File Explorer building thumbnails. In older versions of Windows, the Explorer process would try to generate thumbnails under itself. This often resulted in crashes because thumbnail extractors aren’t always reliable.

Read this article and try some of the fixes suggested.
https://www.makeuseof.com/tag/com-surrogate-windows-10/

If you have too many Thumbnails the cache may be damaged.

As suggested in the article. Keep in mind that all the thumbnails will be deleted.
Delete existing thumbnails. If a corrupted thumbnail is causing COM Surrogate to crash, you can remove it using the Disk Cleanup tool. This will force Windows to rebuild the thumbnail cache, which could clear up the problem.

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
