Need help with multiple dllhost.exe com surrogates

Hello,

I am having the multiple dllhost problem. I ran Farbar and have attached the two results files. Thanks in advance for any help.

Regards,

Carl

I think I was able to fix it following this guide:

http://malwaretips.com/blogs/dllhost-exe-32-com-surrogate-removal/

OK, could you run a fresh FRST scan please, because as far as I am aware none of those tools remove the registry JavaScript.

Okay, enclosed are the files from the FRST scan from a couple minutes ago.

Could you manually delete this folder please: C:\Users\Carl\AppData\Roaming\麽鎒駓覜

Follow these steps to display hidden files and folders.

- Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
- Click the View tab.
- Under Advanced settings, click Show hidden files and folders, and then click OK.

Have you disabled UAC?

OK, all those tools missed the registry entry and the TOR encryptor.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open Notepad and copy/paste the text in the quotebox below into it:

2014-10-30 19:49 - 2014-10-30 19:49 - 00008562 _____ () C:\Users\Carl\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-30 19:49 - 2014-10-30 19:49 - 00008562 _____ () C:\Users\Carl\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-30 19:49 - 2014-10-30 19:49 - 00008562 _____ () C:\Users\Carl\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-30 19:49 - 2014-10-30 19:49 - 00004224 _____ () C:\Users\Carl\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-30 19:49 - 2014-10-30 19:49 - 00004224 _____ () C:\Users\Carl\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-30 19:49 - 2014-10-30 19:49 - 00004224 _____ () C:\Users\Carl\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-30 19:49 - 2014-10-30 19:49 - 00000276 _____ () C:\Users\Carl\AppData\Roaming\INSTALL_TOR.URL
2014-10-30 19:49 - 2014-10-30 19:49 - 00000276 _____ () C:\Users\Carl\AppData\Local\INSTALL_TOR.URL
2014-10-30 19:49 - 2014-10-30 19:49 - 00000276 _____ () C:\Users\Carl\AppData\INSTALL_TOR.URL
2014-10-30 19:47 - 2014-10-30 19:47 - 00008562 _____ () C:\Users\Carl\AppData\Local\Apps\DECRYPT_INSTRUCTION.HTML
2014-10-30 19:47 - 2014-10-30 19:47 - 00004224 _____ () C:\Users\Carl\AppData\Local\Apps\DECRYPT_INSTRUCTION.TXT
2014-10-30 19:47 - 2014-10-30 19:47 - 00000276 _____ () C:\Users\Carl\AppData\Local\Apps\INSTALL_TOR.URL
2014-10-30 19:44 - 2014-10-30 19:44 - 00008562 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-30 19:44 - 2014-10-30 19:44 - 00004224 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-30 19:44 - 2014-10-30 19:44 - 00000276 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-30 19:19 - 2014-10-31 05:25 - 00000424 _____ () C:\ProgramData\@system.temp
2014-10-30 19:19 - 2014-10-31 05:25 - 00000160 ____H () C:\ProgramData\@system3.att
CustomCLSID: HKU\S-1-5-21-1897947110-3346919960-2053437187-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
C:\Users\Carl\tmpall.js
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Download Anti-CryptorBit.zip to your desktop
Extract Anti-CryptorBitV2 to the desktop and run

https://dl.dropboxusercontent.com/u/73555776/anticrypt.JPG

Select the file type you wish to decrypt and then follow the instructions
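The CustomCLSID line in that fixlist is the part the other tools missed. A LocalServer32 value is supposed to name the executable that hosts a COM object; here it points at rundll32.exe with a javascript: URL, so the "server" is script stored in the registry itself. That CLSID ({AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}) is a Windows thumbnail-cache component, and registering it under the user's own Classes hive shadows the machine-wide one, so every time Windows tries to host the object the script runs, which is where the pile of dllhost.exe COM Surrogate processes in the thread title comes from. The following Python is an added example (mine, not code from the thread, from Farbar or from any removal tool) that scans FRST output for such entries and undoes the obfuscation on the visible part of the eval() string: each character is stored with its code one higher than the real one, so subtracting 1 turns `epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds` into `document.write('<script language=jscr`. The sample log text is constructed from the thread's own CustomCLSID line plus one hypothetical benign entry; the function names are my own.

```python
"""Added example, not code from the thread, from Farbar or from any removal tool.

Scan FRST output for CustomCLSID entries whose LocalServer32 is a rundll32.exe
script: loader rather than an executable path, and decode the visible part of
the eval() argument.  Sample text is constructed; function names are mine.
"""
import re

# Constructed sample.  The first line is the thread's own entry (FRST itself
# truncates the value, hence its "247 more characters" note); the second is a
# made-up benign per-user COM registration that must NOT be flagged.
SAMPLE_FRST = r"""
CustomCLSID: HKU\S-1-5-21-1897947110-3346919960-2053437187-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-1897947110-3346919960-2053437187-1001_Classes\CLSID\{11111111-2222-3333-4444-555555555555}\localserver32 -> C:\Program Files\ExampleVendor\example.exe (ExampleVendor)
"""

# One CustomCLSID line: registry key on the left of "->", command on the right.
CLSID_RE = re.compile(
    r"^CustomCLSID:\s+(?P<key>\S+?\\localserver32)\s+->\s+(?P<cmd>.*)$",
    re.IGNORECASE | re.MULTILINE,
)
# A LocalServer32 value should be a program path.  rundll32 + a script: URL
# means the code being "served" lives inline in the registry value.
SCRIPT_LOADER_RE = re.compile(
    r"\brundll32(?:\.exe)?\s+(?:javascript|vbscript):", re.IGNORECASE
)
# The obfuscated blob handed to eval(): no whitespace, and FRST may cut it off.
EVAL_RE = re.compile(r'eval\("(?P<blob>[^"\s]+)')


def find_script_localservers(frst_text):
    """Return [(registry_key, command)] for CustomCLSID entries that launch
    rundll32 with a script: URL.  Plain executable paths are skipped."""
    hits = []
    for m in CLSID_RE.finditer(frst_text):
        if SCRIPT_LOADER_RE.search(m.group("cmd")):
            hits.append((m.group("key"), m.group("cmd")))
    return hits


def unshift(blob, shift=1):
    """Undo a per-character code shift.  The visible prefix in the thread
    decodes cleanly with shift 1; nothing here depends on the truncated rest."""
    return "".join(chr(ord(c) - shift) for c in blob)


def decode_payload(cmd):
    """Decoded prefix of the eval() argument, or None if the command has none."""
    m = EVAL_RE.search(cmd)
    return unshift(m.group("blob")) if m else None


def triage(frst_text):
    """Human-readable triage lines, one per suspicious CustomCLSID entry."""
    out = []
    for key, cmd in find_script_localservers(frst_text):
        out.append(
            f"{key}\n    loader : {cmd[:60]}...\n    decoded: {decode_payload(cmd)!r}"
        )
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_FRST):
        print(line)
```

Run it against a real FRST.txt by reading the file into `triage()` instead of the constructed sample. A hit is not proof of infection on its own, but a per-user CLSID whose LocalServer32 is a script loader rather than a signed binary is worth the manual registry look (and the fixlist entry) every time.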

Thank you for your help.

I ran the tool and I have enclosed the fixlog.

Should UAC be disabled? If so, why, if not, why not?

I didn’t understand the part at the bottom of your note, downloading the decrypt tool and selecting which type of file to decrypt.

Also, I deleted that file you mentioned. It wasn’t a folder.

I already had “show hidden files and folders” selected.

Some of your files have been encrypted; if you are not sure what type, then select all.

UAC, when on, will stop some programmes from executing unless you give the go-ahead: http://windows.microsoft.com/en-gb/windows/what-is-user-account-control#1TC=windows-7

How is the computer behaving at the moment ?

Download and run farbar service scanner

https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

I enclosed the FSS.txt file.

The system seems to be running normally since yesterday evening.

The decrypt tool doesn’t have a “select all” option that I can find. I tried clicking on “jpeg” and it said I have to put all of my encrypted files into one folder and then indicate that. I have not been able to find any files that have been encrypted so far. Is that what this virus/malware was doing? Are there particular places to look?

It encrypts various types of files; if you have not noticed any, then it was probably stopped before it could encrypt them.

Did you turn off Windows updates?

Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:

wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
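Three services that matter for defence (Security Center, Windows Update, BITS) are all Disabled where the default is Auto, while their ImagePath and ServiceDll are intact, so the binaries were not swapped, only the start type. As an added example (mine, not code from the thread or from Farbar Service Scanner), the Python below parses FSS output for services whose start type no longer matches the default FSS reports, flags any ImagePath/ServiceDll line FSS did not mark OK, and prints the sc.exe commands that restore the defaults. The sample text is constructed from the thread's FSS excerpt plus a hypothetical EventSystem block that is already at its default; the function names are my own.

```python
"""Added example, not code from the thread or from Farbar Service Scanner.

Turn FSS output into (a) services whose start type differs from the default
FSS reports, (b) ImagePath/ServiceDll checks FSS did not mark OK, and (c) the
sc.exe commands that restore the reported defaults.  Sample constructed.
"""
import re

# Constructed sample: the thread's FSS excerpt plus a made-up EventSystem block
# that is already at its default and must not produce a repair command.
SAMPLE_FSS = """\
Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is set to Auto. The default start type is Auto.
The ImagePath of EventSystem service is OK.
"""

START_TYPE_RE = re.compile(
    r"^The start type of (?P<svc>\S+) service is set to (?P<actual>[^.]+)\. "
    r"The default start type is (?P<default>[^.]+)\.$",
    re.MULTILINE,
)
INTEGRITY_RE = re.compile(
    r"^The (?P<what>ImagePath|ServiceDll) of (?P<svc>\S+) service is (?P<state>.+?)\.?$",
    re.MULTILINE,
)

# sc.exe spellings for the start types FSS prints.  Anything not listed is
# skipped rather than guessed.  (sc.exe also accepts "delayed-auto" for
# services whose default is Automatic (Delayed Start); FSS reports "Auto"
# for the services in this thread, so that is what gets applied.)
SC_START = {"auto": "auto", "demand": "demand", "manual": "demand", "disabled": "disabled"}


def start_type_changes(fss_text):
    """[(service, actual, default)] where actual != default (case-insensitive)."""
    return [
        (m["svc"], m["actual"].strip(), m["default"].strip())
        for m in START_TYPE_RE.finditer(fss_text)
        if m["actual"].strip().lower() != m["default"].strip().lower()
    ]


def integrity_problems(fss_text):
    """ImagePath/ServiceDll lines FSS did not mark OK, i.e. a possibly
    hijacked service binary, which a start-type reset would not fix."""
    return [
        (m["svc"], m["what"], m["state"].strip())
        for m in INTEGRITY_RE.finditer(fss_text)
        if m["state"].strip().upper() != "OK"
    ]


def repair_commands(fss_text):
    """sc.exe commands restoring each changed service to the reported default.
    Note the space after 'start=': sc.exe requires it."""
    cmds = []
    for svc, _actual, default in start_type_changes(fss_text):
        mode = SC_START.get(default.lower())
        if mode is not None:
            cmds.append(f"sc.exe config {svc} start= {mode}")
    return cmds


if __name__ == "__main__":
    for svc, actual, default in start_type_changes(SAMPLE_FSS):
        print(f"{svc}: {actual} (default {default})")
    for problem in integrity_problems(SAMPLE_FSS):
        print("binary check not OK:", problem)
    print("\n".join(repair_commands(SAMPLE_FSS)))
```

Feed a real FSS.txt in place of the constructed sample; the commands have to be run from an elevated prompt, and the tool the helper recommends later in the thread does the same reset in bulk. Re-running FSS afterwards, as the thread does, is the check that the change took.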

I noticed the encrypted files now. I found an easy way to identify them as Carbonite marks the folders differently if something has changed. So far, everything encrypted is backed up to Carbonite and sometimes to an external hard drive that was disconnected.

This is a pretty nasty thing that got on my machine!

I have not turned off Windows updates and don’t know how. Why would I want to do that? The updates are needed.

OK, let's initially reset them using an automated fix.

Run the relevant MSFixit on this page http://support.microsoft.com/kb/971058

Reboot the computer and run Farbar System Scanner (FSS) again

Hello,

That MS page doesn’t have anything there anymore.

That thing encrypted about 60 GB of data, most of it video, all of it backed up.

Try this link http://go.microsoft.com/?linkid=9830262

The tool said “troubleshooting cannot identify the problem”. Does that mean there is a problem or maybe not a problem with Windows updating?

Yes, the services are set to Disabled rather than autostart.

Download Set Windows Services To Default Startup from here to your desktop http://www.tweaking.com/content/page/set_windows_services_to_default_startup.html
Run the file and, once it has extracted, click Start.
It should take no more than a few seconds

On completion run FSS again please

Okay, I ran that tool and re-ran FSS. I enclosed the results file.

OK, that is good. How is the computer behaving now?

Everything continues to be running fine as far as I can tell. No strange processes running, no excessive processor or memory usage.

Thanks for all of your help.

This actually all started right after I updated my video drivers on AMD’s website. I wonder if their files have become infected.

Difficult to say whether AMD is at fault; it may be a bad ad on their page or a hijack.

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave: