COM Surrogates galore / 'wvydeo. com' issues

Last night Avast warned me about something involving Internet Explorer and URL Mal from wvydeo. Next thing I know is a flood of dllhost with the description ‘COM Surrogate.’ I don’t really know what it is, but if there’s any way I can fix it I’d like to do so immediately. Logs have been provided. Thank you for your assistance.

Hi :slight_smile:

Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.

[*]Right-click on the ComboFix icon and select Run as Administrator to start the tool.
[*]Accept the disclaimer and agree if prompted to install Recovery Console.
[*]Do not take any actions while ComboFix goes through your System - it may cause it to stall!
[*]This scan may take some time!
[*]When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.

If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.

Don’t forget to re-enable your previously switched-off protection software!

I hope this doesn’t break anything. In any case, log attached. Let me know if more instructions are needed, please.

Hi :slight_smile:

I suppose that CF didn’t make it. Please re-run FRST, and make sure that the Addition option is checked. Run Scan and attach the two logs generated.

Cheers,
Naat

The problem seems to have subsided so far and my computer is running as it should. There have been no mass COM Surrogates since the removal of the temp files. I believe the problem is resolved, but in any case, here are the new logs. Never mind, as soon as I think I’m in the clear it comes back. Tell me what to do next, please.

Hi :slight_smile:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

[*]Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

[*]Copy the entire content of the codebox below and paste into the Notepad document:

start
CloseProcesses:
HKU\S-1-5-21-1872849792-4206525707-2421644981-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
S3 catchme; \??\C:\Users\Dominic\AppData\Local\Temp\catchme.sys [X]
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 XDva401; \??\C:\Windows\system32\XDva401.sys [X]
S3 XDva403; \??\C:\Windows\system32\XDva403.sys [X]
S3 XDva404; \??\C:\Windows\system32\XDva404.sys [X]
S3 XDva406; \??\C:\Windows\system32\XDva406.sys [X]
CustomCLSID: HKU\S-1-5-21-1872849792-4206525707-2421644981-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
end

[*]Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.

Windows XP users click Run after receipt of the Windows Security Warning - Open File.
Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.
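The registry entry flagged in the fixlist above (a per-user CLSID whose LocalServer32 launches rundll32.exe with a javascript: URL that loads mshtml and calls RunHTMLApplication) is the fileless persistence technique FRST labels Poweliks: COM Surrogate (dllhost.exe) instances are spawned to host a class that does not point at any real executable. The following PowerShell is an added example, not part of this thread or of FRST, that enumerates per-user CLSID LocalServer32 registrations on the machine it is run on and reports any that launch a script host instead of a program. The function names and the regular expressions are my own; it assumes PowerShell 3 or later with rights to read the loaded HKEY_USERS hives.

```powershell
# Added example (not from the thread): list per-user CLSID LocalServer32
# registrations that launch a script host instead of an executable, the
# pattern the FRST fixlist flags as "Poweliks". Read-only; it changes nothing.

# Indicators taken from the entry shown in the fixlist (rundll32 + javascript:,
# mshtml,RunHTMLApplication, eval), plus the vbscript: handler, which the same
# rundll32/mshtml trick can equally use.
$scriptHostPatterns = @(
    'rundll32(\.exe)?\s+javascript:',
    'rundll32(\.exe)?\s+vbscript:',
    'mshtml\s*,\s*RunHTMLApplication',
    '\beval\s*\('
)

function Test-SuspiciousLocalServer {
    param([string]$Command)
    foreach ($pattern in $scriptHostPatterns) {
        if ($Command -match $pattern) { return $true }
    }
    return $false
}

function Get-SuspiciousClsidServers {
    # HKEY_USERS has one subkey per loaded user hive (S-1-5-21-...). The
    # <SID>_Classes hives are reached through Software\Classes of the main
    # hive, so they are skipped here to avoid reporting each entry twice.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $clsidRoot = "$($hive.PSPath)\Software\Classes\CLSID"
        if (-not (Test-Path -Path $clsidRoot)) { continue }

        Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
            $serverKey = "$($_.PSPath)\LocalServer32"
            if (-not (Test-Path -Path $serverKey)) { return }

            # The launch command is the key's default value.
            $command = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($command)) { return }

            if (Test-SuspiciousLocalServer -Command $command) {
                [pscustomobject]@{
                    User    = $hive.PSChildName
                    CLSID   = $_.PSChildName
                    Command = $command
                }
            }
        }
    }
}

Get-SuspiciousClsidServers | Format-Table -AutoSize -Wrap
```

A legitimate LocalServer32 value is a path to an .exe (optionally with arguments); anything that hands rundll32.exe a javascript: or vbscript: URL has no business there. Run it from an elevated prompt so every loaded user hive is readable, and treat a hit as a lead for a tool like FRST rather than something to delete by hand, since the key name in this case contained characters the Registry Editor itself does not display.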

Things seem to be in working order. Thank you for your assistance.

Seems better :slight_smile:

Scan with Malwarebytes’ Anti-Malware

Please re-run Malwarebytes’ Anti-Malware.

[*]First of all, select update.
[*]Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
[*]Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
[*]If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
[*]Upon completion of the scan (or after the reboot), click the History tab.
[*]Click Application Logs and double-click the newest Scan Log.
[*]At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:

[*]Accept the Terms of Use and click Start.
[*]Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

[*]Download esetsmartinstaller_enu.exe that you’ll be given link to.
[*]Double click esetsmartinstaller_enu.exe.
[*]Allow the Terms of Use and click Start.

To perform the scan:

[*]Make sure that Enable detection of potentially unwanted applications is checked.
[*]In the Advanced Settings dropdown menu, make sure that:
  • Remove found threats is unchecked.
  • Scan archives is checked.
  • Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Use custom proxy settings is unchecked.
[*]Click Start
[*]The program will begin to download its virus database. The speed may vary depending on your Internet connection.
[*]When completed, the program will begin to scan. This may take several hours. Please, be patient.
[*]Do not do anything on your machine as it may interrupt the scan.
[*]When the scan is done, click Finish.
[*]A logfile will be created at C:\Program Files\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.
Don’t forget to re-enable previously switched-off protection software!

Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

[*]Right-click on the SecurityCheck icon and select Run as Administrator to start the tool.
[*]Follow onscreen instructions inside the black box. This scan won’t take long.
[*]Soon a notepad document called checkup.txt will open automatically.

Please include the content of that document.

I have done the scans and my computer is running smoothly again. Thank you for your help.

We’re almost done, just some remnants to catch up.

Update outdated software

Staying always updated is crucial, not only for your operating system, but also for any third-party installed software.
Your logs clearly indicate that some of your software needs updating.

Updating Mozilla Firefox manually

[*]Please open Firefox.
[*]Click the menu icon.
[*]Click Help and select About Firefox.
[*]Firefox will search for any updates and start downloading them automatically.
[*]When the updates are ready you will be prompted to restart Firefox. Please do it.

Remember to keep it updated.

Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

[*]Right-click on the DelFix icon and select Run as Administrator to start the tool.
[*]Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
[*]Push Run.
[*]When finished, it will display a notepad report.

Include it for my review.
Please also manually reboot your machine after posting your logfile.